Use Case: Ransomware

December 5, 2023

Vendor: APC

Product | MITRE ATT&CK® TTP | Content
APC
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: AVI Networks

Product | MITRE ATT&CK® TTP | Content
AVI Networks Software Load Balancer
T1078 - Valid Accounts
  • 1 Rules

Vendor: Absolute

Product | MITRE ATT&CK® TTP | Content
Absolute DDS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: Accellion

Product | MITRE ATT&CK® TTP | Content
Kiteworks
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Airlock

Product | MITRE ATT&CK® TTP | Content
Airlock Allowlisting
T1078 - Valid Accounts
  • 1 Rules
Airlock Security Access Hub
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Akamai

Product | MITRE ATT&CK® TTP | Content
Cloud Akamai
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: AlgoSec

Product | MITRE ATT&CK® TTP | Content
AlgoSec Firewall Analyzer
T1078 - Valid Accounts
  • 1 Rules

Vendor: Amazon

Product | MITRE ATT&CK® TTP | Content
AWS CloudTrail
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
AWS CloudWatch
T1078 - Valid Accounts
  • 1 Rules
AWS GuardDuty
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
AWS WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Amazon EKS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Amazon RDS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Apache

Product | MITRE ATT&CK® TTP | Content
Apache
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Apache Guacamole
T1078 - Valid Accounts
  • 1 Rules
Apache Subversion
T1078 - Valid Accounts
  • 2 Rules
Apache Tomcat
T1078 - Valid Accounts
  • 1 Rules

Vendor: AssetView

Product | MITRE ATT&CK® TTP | Content
AssetView
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Atlassian

Product | MITRE ATT&CK® TTP | Content
Atlassian BitBucket
T1078 - Valid Accounts
  • 2 Rules

Vendor: Auth0

Product | MITRE ATT&CK® TTP | Content
Auth0
T1078 - Valid Accounts
  • 2 Rules

Vendor: Avaya

Product | MITRE ATT&CK® TTP | Content
Avaya Ethernet Routing Switch
T1078 - Valid Accounts
  • 1 Rules

Vendor: Axway

Product | MITRE ATT&CK® TTP | Content
Axway Gateway
T1078 - Valid Accounts
  • 1 Rules

Vendor: Banyan Security

Product | MITRE ATT&CK® TTP | Content
Banyan Security
T1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

Product | MITRE ATT&CK® TTP | Content
Barracuda Cloudgen Firewall
T1078 - Valid Accounts
  • 2 Rules
Barracuda Email Security Gateway
T1078 - Valid Accounts
  • 1 Rules
Barracuda WAF
T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

Product | MITRE ATT&CK® TTP | Content
BeyondInsight
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
BeyondTrust
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
BeyondTrust Privileged Identity
T1078 - Valid Accounts
  • 2 Rules
BeyondTrust Secure Remote Access
T1078 - Valid Accounts
  • 1 Rules

Vendor: Bitdefender

Product | MITRE ATT&CK® TTP | Content
GravityZone
T1078 - Valid Accounts
  • 2 Rules

Vendor: Bitglass

Product | MITRE ATT&CK® TTP | Content
Bitglass CASB
T1078 - Valid Accounts
  • 1 Rules

Vendor: Box

Product | MITRE ATT&CK® TTP | Content
Box Cloud Content Management
T1078 - Valid Accounts
  • 1 Rules

Vendor: Broadcom

Product | MITRE ATT&CK® TTP | Content
z/OS
T1078 - Valid Accounts
  • 1 Rules

Vendor: CA Technologies

Product | MITRE ATT&CK® TTP | Content
CA Privileged Access Manager Server Control
T1078 - Valid Accounts
  • 2 Rules

Vendor: CDS

Product | MITRE ATT&CK® TTP | Content
CDS
T1078 - Valid Accounts
  • 1 Rules

Vendor: CHCOM

Product | MITRE ATT&CK® TTP | Content
CHCOM
T1078 - Valid Accounts
  • 1 Rules

Vendor: Check Point

Product | MITRE ATT&CK® TTP | Content
Check Point Anti-Malware
T1078 - Valid Accounts
  • 1 Rules
Check Point Identity Awareness
T1078 - Valid Accounts
  • 1 Rules
Check Point NGFW
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Check Point Security Gateway
T1078 - Valid Accounts
  • 1 Rules
Check Point Threat Emulation
T1078 - Valid Accounts
  • 1 Rules

Vendor: Cisco

Product | MITRE ATT&CK® TTP | Content
AnyConnect
T1078 - Valid Accounts
  • 1 Rules
Cisco
T1078 - Valid Accounts
  • 2 Rules
Cisco ACI
T1078 - Valid Accounts
  • 1 Rules
Cisco ACS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Cisco Adaptive Security Appliance
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Cisco Cloud Web Security
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Firepower
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Cisco IOS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Cisco ISE
T1078 - Valid Accounts
  • 2 Rules
Cisco Meraki MX appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Cisco PIX
T1078 - Valid Accounts
  • 1 Rules
Cisco Secure Endpoint
T1078 - Valid Accounts
  • 2 Rules
Cisco Secure Web Appliance
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco SourceFire
T1078 - Valid Accounts
  • 1 Rules
Cisco Umbrella
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Unified Communications Manager
T1078 - Valid Accounts
  • 2 Rules
Duo Access
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
IronPort Email
T1078 - Valid Accounts
  • 1 Rules

Vendor: Citrix

Product | MITRE ATT&CK® TTP | Content
Citrix Gateway
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Citrix ShareFile
T1078 - Valid Accounts
  • 2 Rules
Citrix Virtual Apps
T1078 - Valid Accounts
  • 2 Rules
Citrix Web App Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Claroty

Product | MITRE ATT&CK® TTP | Content
CTD
T1078 - Valid Accounts
  • 1 Rules

Vendor: Clearsense

Product | MITRE ATT&CK® TTP | Content
Clearsense
T1078 - Valid Accounts
  • 1 Rules

Vendor: Click Studios

Product | MITRE ATT&CK® TTP | Content
Passwordstate
T1078 - Valid Accounts
  • 1 Rules

Vendor: Cloudflare

Product | MITRE ATT&CK® TTP | Content
Cloudflare Insights
T1078 - Valid Accounts
  • 1 Rules
Cloudflare WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Code42

Product | MITRE ATT&CK® TTP | Content
Code42 Incydr
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Cohesity

Product | MITRE ATT&CK® TTP | Content
Cohesity DataPlatform
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: CrowdStrike

Product | MITRE ATT&CK® TTP | Content
Falcon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: CyberArk

Product | MITRE ATT&CK® TTP | Content
CyberArk Endpoint Privilege Manager
T1078 - Valid Accounts
  • 1 Rules
CyberArk Privilege Access Manager
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: Cylance

Product | MITRE ATT&CK® TTP | Content
Cylance OPTICS
T1078 - Valid Accounts
  • 1 Rules
Cylance PROTECT
T1078 - Valid Accounts
  • 2 Rules

Vendor: DXC

Product | MITRE ATT&CK® TTP | Content
DXC Technology
T1078 - Valid Accounts
  • 1 Rules

Vendor: Darktrace

Product | MITRE ATT&CK® TTP | Content
Darktrace
T1078 - Valid Accounts
  • 2 Rules

Vendor: Delinea

Product | MITRE ATT&CK® TTP | Content
Centrify Authentication Service
T1078 - Valid Accounts
  • 1 Rules
Centrify Infrastructure Services
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Centrify Zero Trust Privilege Services
T1078 - Valid Accounts
  • 2 Rules

Vendor: Dell

Product | MITRE ATT&CK® TTP | Content
EMC Isilon
T1078 - Valid Accounts
  • 1 Rules
Sonicwall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Digital Guardian

Product | MITRE ATT&CK® TTP | Content
Digital Guardian Endpoint Protection
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: Dropbox

Product | MITRE ATT&CK® TTP | Content
Dropbox
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Dtex Systems

Product | MITRE ATT&CK® TTP | Content
DTEX InTERCEPT
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: ESET

Product | MITRE ATT&CK® TTP | Content
ESET Endpoint Security
T1078 - Valid Accounts
  • 2 Rules

Vendor: ESector

Product | MITRE ATT&CK® TTP | Content
ESector DEFESA Logger
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Entrust

Product | MITRE ATT&CK® TTP | Content
Entrust Identity Enterprise
T1078 - Valid Accounts
  • 1 Rules

Vendor: Envoy

Product | MITRE ATT&CK® TTP | Content
Envoy
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Epic

Product | MITRE ATT&CK® TTP | Content
Epic SIEM
T1078 - Valid Accounts
  • 2 Rules

Vendor: Exabeam

Product | MITRE ATT&CK® TTP | Content
Advanced Analytics
T1078 - Valid Accounts
  • 1 Rules
Audit Log
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Search
T1078 - Valid Accounts
  • 1 Rules

Vendor: Extreme Networks

Product | MITRE ATT&CK® TTP | Content
ExtremeCloud IQ
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Zebra WLAN Management
T1078 - Valid Accounts
  • 1 Rules

Vendor: F-Secure

Product | MITRE ATT&CK® TTP | Content
F-Secure Policy Manager
T1078 - Valid Accounts
  • 1 Rules

Vendor: F5

Product | MITRE ATT&CK® TTP | Content
BIG-IP F5 LBR
T1078 - Valid Accounts
  • 1 Rules
F5 Access Policy Manager
T1078 - Valid Accounts
  • 2 Rules
F5 Advanced Firewall Manager
T1078 - Valid Accounts
  • 1 Rules
F5 Advanced Web Application Firewall
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
F5 Application Security Manager
T1078 - Valid Accounts
  • 1 Rules
F5 BIG-IP
T1078 - Valid Accounts
  • 2 Rules
F5 BIG-IP DNS
T1078 - Valid Accounts
  • 2 Rules
F5 Silverline
T1078 - Valid Accounts
  • 1 Rules

Vendor: FTP

Product | MITRE ATT&CK® TTP | Content
FTP
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Fast Enterprises

Product | MITRE ATT&CK® TTP | Content
Fast Enterprises GenTax
T1078 - Valid Accounts
  • 1 Rules

Vendor: FileAuditor

Product | MITRE ATT&CK® TTP | Content
FileAuditor
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Forcepoint

Product | MITRE ATT&CK® TTP | Content
Forcepoint CASB
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Forcepoint Next-Gen Firewall
T1078 - Valid Accounts
  • 1 Rules
Websense Security Gateway
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Forescout

Product | MITRE ATT&CK® TTP | Content
EyeInspect
T1078 - Valid Accounts
  • 1 Rules
Forescout CounterACT
T1078 - Valid Accounts
  • 1 Rules

Vendor: Fortinet

Product | MITRE ATT&CK® TTP | Content
FortiGate
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Fortinet UTM
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Fortiweb Web Application Firewall
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: GTB

Product | MITRE ATT&CK® TTP | Content
GTB Technologies DLP
T1078 - Valid Accounts
  • 1 Rules

Vendor: Gigamon

Product | MITRE ATT&CK® TTP | Content
GigaVUE-HC2
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: GitHub

Product | MITRE ATT&CK® TTP | Content
GitHub
T1078 - Valid Accounts
  • 2 Rules

Vendor: GoAnywhere

Product | MITRE ATT&CK® TTP | Content
GoAnywhere MFT
T1078 - Valid Accounts
  • 1 Rules

Vendor: Google

Product | MITRE ATT&CK® TTP | Content
Google Cloud Platform
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Google Workspace
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: HP

Product | MITRE ATT&CK® TTP | Content
Aruba ClearPass Policy Manager
T1078 - Valid Accounts
  • 2 Rules
Aruba Mobility Master
T1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controller
T1078 - Valid Accounts
  • 1 Rules
HP Virtual Connect Enterprise Manager
T1078 - Valid Accounts
  • 1 Rules
HP iLO
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
HPE 3PAR StoreServ
T1078 - Valid Accounts
  • 1 Rules
HPE Comware
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: HashiCorp

Product | MITRE ATT&CK® TTP | Content
HashiCorp Vault
T1078 - Valid Accounts
  • 2 Rules

Vendor: HelpSystems

Product | MITRE ATT&CK® TTP | Content
Powertech Identity and Access Manager
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Huawei

Product | MITRE ATT&CK® TTP | Content
Huawei Unified Security Gateway
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: IBM

Product | MITRE ATT&CK® TTP | Content
DB2
T1078 - Valid Accounts
  • 1 Rules
HCL Notes
T1078 - Valid Accounts
  • 1 Rules
IBM Datapower
T1078 - Valid Accounts
  • 1 Rules
IBM Mainframe
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
IBM Resource Access Control Facility
T1078 - Valid Accounts
  • 2 Rules
Sterling B2B Integrator
T1078 - Valid Accounts
  • 1 Rules

Vendor: Imperva

Product | MITRE ATT&CK® TTP | Content
Imperva Incapsula
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Imperva SecureSphere
T1078 - Valid Accounts
  • 2 Rules

Vendor: Imprivata

Product | MITRE ATT&CK® TTP | Content
Imprivata
T1078 - Valid Accounts
  • 2 Rules

Vendor: InfoWatch

Product | MITRE ATT&CK® TTP | Content
InfoWatch DLP
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Infoblox

Product | MITRE ATT&CK® TTP | Content
BloxOne DDI
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Infoblox NIOS
T1078 - Valid Accounts
  • 1 Rules

Vendor: Ipswitch

Product | MITRE ATT&CK® TTP | Content
MoveIt Transfer
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ivanti

Product | MITRE ATT&CK® TTP | Content
Ivanti Pulse Secure
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Jumpcloud

Product | MITRE ATT&CK® TTP | Content
Jumpcloud
T1078 - Valid Accounts
  • 2 Rules

Vendor: Juniper Networks

Product | MITRE ATT&CK® TTP | Content
Juniper SRX Series
T1078 - Valid Accounts
  • 2 Rules
Junos OS
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Kasada

Product | MITRE ATT&CK® TTP | Content
Kasada
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Kemp

Product | MITRE ATT&CK® TTP | Content
Kemp LoadMaster
T1078 - Valid Accounts
  • 2 Rules

Vendor: LanScope

Product | MITRE ATT&CK® TTP | Content
LanScope Cat
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: LastPass

Product | MITRE ATT&CK® TTP | Content
LastPass
T1078 - Valid Accounts
  • 2 Rules

Vendor: Lenel

Product | MITRE ATT&CK® TTP | Content
OnGuard
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: LiquidFiles

Product | MITRE ATT&CK® TTP | Content
LiquidFiles
T1078 - Valid Accounts
  • 2 Rules

Vendor: LogRhythm

Product | MITRE ATT&CK® TTP | Content
LogRhythm
T1078 - Valid Accounts
  • 2 Rules

Vendor: Magento

Product | MITRE ATT&CK® TTP | Content
Magento WAF
T1078 - Valid Accounts
  • 1 Rules

Vendor: ManageEngine

Product | MITRE ATT&CK® TTP | Content
ADAuditPlus
T1078 - Valid Accounts
  • 2 Rules
ADSSP
T1078 - Valid Accounts
  • 2 Rules
PAM360
T1078 - Valid Accounts
  • 1 Rules

Vendor: MariaDB

Product | MITRE ATT&CK® TTP | Content
MariaDB
T1078 - Valid Accounts
  • 1 Rules

Vendor: MasterSAM

Product | MITRE ATT&CK® TTP | Content
MasterSAM PAM
T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

Product | MITRE ATT&CK® TTP | Content
McAfee Endpoint Security
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
McAfee Network Security Platform
T1078 - Valid Accounts
  • 2 Rules
McAfee Web Gateway
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
McAfee ePolicy Orchestrator
T1078 - Valid Accounts
  • 1 Rules
Skyhigh Networks CASB
T1078 - Valid Accounts
  • 2 Rules

Vendor: MicroFocus ArcSight

Product | MITRE ATT&CK® TTP | Content
MicroFocus ArcSight
T1078 - Valid Accounts
  • 1 Rules

Vendor: Microsoft

Product | MITRE ATT&CK® TTP | Content
Active Directory Federation Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Azure
T1078 - Valid Accounts
  • 2 Rules
Azure AD Activity Logs
T1078 - Valid Accounts
  • 2 Rules
Azure AD Sign-In Logs
T1078 - Valid Accounts
  • 2 Rules
Azure ATP
T1078 - Valid Accounts
  • 1 Rules
Azure MFA
T1078 - Valid Accounts
  • 2 Rules
Azure Monitor
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Azure Monitor - VM Insights
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Event Viewer - ADFS
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Event Viewer - Application
T1078 - Valid Accounts
  • 2 Rules
Event Viewer - Applocker
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - AzureADPasswordProtection-DCAgent
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Event Viewer - CertificateServicesClient
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - DFS-Replication
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - DHCP-Server
T1078 - Valid Accounts
  • 2 Rules
Event Viewer - DNSServer
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Event Viewer - Directory-Service
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - Kernel-IO
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - KnownFolders
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - Licensing-Platform
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - LiveId
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLM
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - PowerShell
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Event Viewer - Security
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Event Viewer - System
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Event Viewer - TaskScheduler
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-Gateway
T1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-LocalSessionManager
T1078 - Valid Accounts
  • 1 Rules
M365 Audit Logs
T1078 - Valid Accounts
  • 2 Rules
MSSQL
T1078 - Valid Accounts
  • 2 Rules
Microsoft 365
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Microsoft Advanced Threat Analytics
T1078 - Valid Accounts
  • 1 Rules
Microsoft CAS
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Microsoft DHCP Log
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Microsoft Defender for Endpoint
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Microsoft Exchange
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Microsoft IIS
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Microsoft Intune
T1078 - Valid Accounts
  • 1 Rules
Microsoft RRAS
T1078 - Valid Accounts
  • 1 Rules
Microsoft WMI Log
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Sysmon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Windows
T1078 - Valid Accounts
  • 1 Rules
Windows Defender Application Control
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Mimecast

Product | MITRE ATT&CK® TTP | Content
Mimecast Secure Email Gateway
T1078 - Valid Accounts
  • 2 Rules
Mimecast Targeted Threat Protection - URL
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: MuleSoft

Product | MITRE ATT&CK® TTP | Content
MuleSoft Anypoint Platform
T1078 - Valid Accounts
  • 1 Rules

Vendor: NNT

Product | MITRE ATT&CK® TTP | Content
NNT ChangeTracker
T1078 - Valid Accounts
  • 1 Rules

Vendor: Nagios

Product | MITRE ATT&CK® TTP | Content
Nagios
T1078 - Valid Accounts
  • 1 Rules

Vendor: Nasuni

Product | MITRE ATT&CK® TTP | Content
Nasuni
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetApp

Product | MITRE ATT&CK® TTP | Content
NetApp
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: NetIQ

Product | MITRE ATT&CK® TTP | Content
Micro Focus NetIQ Identity Manager
T1078 - Valid Accounts
  • 2 Rules

Vendor: Netskope

Product | MITRE ATT&CK® TTP | Content
Netskope Security Cloud
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: Netwrix

Product | MITRE ATT&CK® TTP | Content
Netwrix Auditor
T1078 - Valid Accounts
  • 2 Rules

Vendor: NextDLP

Product | MITRE ATT&CK® TTP | Content
Reveal
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Nutanix

Product | MITRE ATT&CK® TTP | Content
Nutanix Unified Storage
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: OSSEC

Product | MITRE ATT&CK® TTP | Content
OSSEC
T1078 - Valid Accounts
  • 1 Rules

Vendor: Okta

ProductMITRE ATT&CK® TTPContent
Okta Adaptive MFAT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: OneLogin

ProductMITRE ATT&CK® TTPContent
OneLoginT1078 - Valid Accounts
  • 2 Rules

Vendor: OneSpan

ProductMITRE ATT&CK® TTPContent
Digipass for AppsT1078 - Valid Accounts
  • 1 Rules

Vendor: OneWelcome

ProductMITRE ATT&CK® TTPContent
OneWelcome Cloud Identity PlatformT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: Open VPN

ProductMITRE ATT&CK® TTPContent
Open VPNT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

ProductMITRE ATT&CK® TTPContent
OpenDJT1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

ProductMITRE ATT&CK® TTPContent
Oracle Access ManagementT1078 - Valid Accounts
  • 2 Rules
Oracle DatabaseT1078 - Valid Accounts
  • 1 Rules
Oracle Public CloudT1078 - Valid Accounts
  • 2 Rules

Vendor: Osquery

ProductMITRE ATT&CK® TTPContent
OsqueryT1078 - Valid Accounts
  • 1 Rules

Vendor: Palo Alto Networks

ProductMITRE ATT&CK® TTPContent
Cortex XSOART1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
GlobalProtectT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Palo Alto NGFWT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Prisma CloudT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Traps Endpoint Security ManagerT1078 - Valid Accounts
  • 1 Rules

Vendor: Password Manager Pro

ProductMITRE ATT&CK® TTPContent
Password Manager ProT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Ping Identity

ProductMITRE ATT&CK® TTPContent
Ping IdentityT1078 - Valid Accounts
  • 2 Rules
PingOneT1078 - Valid Accounts
  • 2 Rules

Vendor: Progress

ProductMITRE ATT&CK® TTPContent
Progress DatabaseT1078 - Valid Accounts
  • 1 Rules

Vendor: Proofpoint

ProductMITRE ATT&CK® TTPContent
ObserveITT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Proofpoint Email ProtectionT1078 - Valid Accounts
  • 1 Rules
Proofpoint Enterprise ProtectionT1078 - Valid Accounts
  • 1 Rules

Vendor: Quest Software

ProductMITRE ATT&CK® TTPContent
Quest Change Auditor for Active DirectoryT1078 - Valid Accounts
  • 2 Rules

Vendor: RSA

ProductMITRE ATT&CK® TTPContent
RSA Adaptive AuthenticationT1078 - Valid Accounts
  • 1 Rules
RSA Authentication ManagerT1078 - Valid Accounts
  • 2 Rules

Vendor: RStudio

ProductMITRE ATT&CK® TTPContent
RStudio ServerT1078 - Valid Accounts
  • 1 Rules

Vendor: Radware

ProductMITRE ATT&CK® TTPContent
AlteonT1078 - Valid Accounts
  • 1 Rules

Vendor: RangerAudit

ProductMITRE ATT&CK® TTPContent
RangerAuditT1078 - Valid Accounts
  • 1 Rules

Vendor: Riverbed Steelhead

ProductMITRE ATT&CK® TTPContent
Riverbed SteelheadT1078 - Valid Accounts
  • 1 Rules

Vendor: Rubrik

ProductMITRE ATT&CK® TTPContent
Rubrik Cloud Data ManagementT1078 - Valid Accounts
  • 1 Rules

Vendor: Ruckus

ProductMITRE ATT&CK® TTPContent
RuckusT1078 - Valid Accounts
  • 1 Rules

Vendor: Rundeck

ProductMITRE ATT&CK® TTPContent
RundeckT1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

ProductMITRE ATT&CK® TTPContent
SAPT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
SuccessFactorsT1078 - Valid Accounts
  • 1 Rules

Vendor: SIGSCI

ProductMITRE ATT&CK® TTPContent
SIGSCIT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Safenet

ProductMITRE ATT&CK® TTPContent
ThalesT1078 - Valid Accounts
  • 1 Rules

Vendor: Sailpoint

ProductMITRE ATT&CK® TTPContent
IdentityNowT1078 - Valid Accounts
  • 2 Rules

Vendor: Salesforce

ProductMITRE ATT&CK® TTPContent
SalesforceT1078 - Valid Accounts
  • 2 Rules

Vendor: Secomea

ProductMITRE ATT&CK® TTPContent
SecomeaT1078 - Valid Accounts
  • 1 Rules

Vendor: SecurEnvoy

ProductMITRE ATT&CK® TTPContent
SecurEnvoy Multi-Factor AuthenticationT1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

ProductMITRE ATT&CK® TTPContent
SecureAuth IDPT1078 - Valid Accounts
  • 1 Rules
SecureAuth LoginT1078 - Valid Accounts
  • 1 Rules
ProductMITRE ATT&CK® TTPContent
SecureLinkT1078 - Valid Accounts
  • 1 Rules

Vendor: SecureNet

ProductMITRE ATT&CK® TTPContent
SecureNetT1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

ProductMITRE ATT&CK® TTPContent
Semperis DSPT1078 - Valid Accounts
  • 2 Rules

Vendor: SentinelOne

ProductMITRE ATT&CK® TTPContent
Event Viewer - SentineloneT1078 - Valid Accounts
  • 1 Rules
Singularity PlatformT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
VigilanceT1078 - Valid Accounts
  • 2 Rules

Vendor: ServiceNow

ProductMITRE ATT&CK® TTPContent
ServiceNowT1078 - Valid Accounts
  • 2 Rules

Vendor: Shibboleth

ProductMITRE ATT&CK® TTPContent
ShibbolethT1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

ProductMITRE ATT&CK® TTPContent
Silverfort Authentication PlatformT1078 - Valid Accounts
  • 2 Rules

Vendor: SiteMinder

ProductMITRE ATT&CK® TTPContent
Symantec SiteMinderT1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

ProductMITRE ATT&CK® TTPContent
SkySea ClientViewT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: Skyformation

ProductMITRE ATT&CK® TTPContent
SkyformationT1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

ProductMITRE ATT&CK® TTPContent
Skyhigh Security CloudT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Sophos

ProductMITRE ATT&CK® TTPContent
Sophos Endpoint ProtectionT1078 - Valid Accounts
  • 1 Rules
Sophos UTMT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos XG FirewallT1078 - Valid Accounts
  • 1 Rules

Vendor: Squid

ProductMITRE ATT&CK® TTPContent
SquidT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: SunOne

ProductMITRE ATT&CK® TTPContent
SunOneT1078 - Valid Accounts
  • 2 Rules

Vendor: Swift

ProductMITRE ATT&CK® TTPContent
SwiftT1078 - Valid Accounts
  • 2 Rules

Vendor: Swivel

ProductMITRE ATT&CK® TTPContent
SwivelT1078 - Valid Accounts
  • 2 Rules

Vendor: Sybase

ProductMITRE ATT&CK® TTPContent
SybaseT1078 - Valid Accounts
  • 1 Rules

Vendor: Symantec

ProductMITRE ATT&CK® TTPContent
Symantec Advanced Threat ProtectionT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Symantec Critical System ProtectionT1078 - Valid Accounts
  • 1 Rules
Symantec DLPT1078 - Valid Accounts
  • 1 Rules
Symantec Endpoint ProtectionT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Symantec VIPT1078 - Valid Accounts
  • 1 Rules
Symantec Web Security ServiceT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Tanium

ProductMITRE ATT&CK® TTPContent
Tanium Cloud PlatformT1078 - Valid Accounts
  • 2 Rules
Tanium Core PlatformT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Tanium Integrity MonitorT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Tanium Threat ResponseT1078 - Valid Accounts
  • 1 Rules

Vendor: Tenable.io

ProductMITRE ATT&CK® TTPContent
Tenable.ioT1078 - Valid Accounts
  • 1 Rules

Vendor: Thales Group

ProductMITRE ATT&CK® TTPContent
Gemalto MFAT1078 - Valid Accounts
  • 1 Rules

Vendor: Trend Micro

ProductMITRE ATT&CK® TTPContent
Deep Discovery InspectorT1078 - Valid Accounts
  • 2 Rules
Deep SecurityT1078 - Valid Accounts
  • 1 Rules
OfficeScanT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Trend Micro ScanMailT1078 - Valid Accounts
  • 1 Rules

Vendor: Tufin

ProductMITRE ATT&CK® TTPContent
Tufin SecureTrackT1078 - Valid Accounts
  • 1 Rules

Vendor: Tyco

ProductMITRE ATT&CK® TTPContent
CCURE Building Management SystemT1078 - Valid Accounts
  • 2 Rules

Vendor: Unix

ProductMITRE ATT&CK® TTPContent
AuditbeatT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
UnixT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Unix AuditdT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Unix NamedT1078 - Valid Accounts
  • 2 Rules
Unix dhcpdT1078 - Valid Accounts
  • 1 Rules
rsyslogT1078 - Valid Accounts
  • 2 Rules

Vendor: VMware

ProductMITRE ATT&CK® TTPContent
Carbon Black App ControlT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Carbon Black CEST1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Carbon Black EDRT1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
LastlineT1078 - Valid Accounts
  • 1 Rules
VMware AirWatchT1078 - Valid Accounts
  • 2 Rules
VMware ESXiT1078 - Valid Accounts
  • 1 Rules
VMware HorizonT1078 - Valid Accounts
  • 1 Rules
VMware Identity ManagerT1078 - Valid Accounts
  • 1 Rules
VMware ViewT1078 - Valid Accounts
  • 2 Rules
vCenterT1078 - Valid Accounts
  • 1 Rules

Vendor: Varonis

ProductMITRE ATT&CK® TTPContent
Varonis Data Security PlatformT1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Vectra

ProductMITRE ATT&CK® TTPContent
Vectra Cognito StreamT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: ViaScope

ProductMITRE ATT&CK® TTPContent
ViaScope IPScanT1078 - Valid Accounts
  • 1 Rules

Vendor: Watchguard

ProductMITRE ATT&CK® TTPContent
WatchguardT1078 - Valid Accounts
  • 1 Rules

Vendor: Wazuh

ProductMITRE ATT&CK® TTPContent
WazuhT1078 - Valid Accounts
  • 1 Rules

Vendor: Weblogin

ProductMITRE ATT&CK® TTPContent
WebloginT1078 - Valid Accounts
  • 1 Rules

Vendor: Wiz

ProductMITRE ATT&CK® TTPContent
WizT1078 - Valid Accounts
  • 1 Rules

Vendor: Workday

ProductMITRE ATT&CK® TTPContent
WorkdayT1078 - Valid Accounts
  • 1 Rules

Vendor: Xceedium

ProductMITRE ATT&CK® TTPContent
XceediumT1078 - Valid Accounts
  • 2 Rules

Vendor: Xiting

ProductMITRE ATT&CK® TTPContent
XAMST1078 - Valid Accounts
  • 2 Rules

Vendor: Zeek

ProductMITRE ATT&CK® TTPContent
ZeekT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: Zendesk

ProductMITRE ATT&CK® TTPContent
ZendeskT1078 - Valid Accounts
  • 1 Rules

Vendor: Zscaler

ProductMITRE ATT&CK® TTPContent
Zscaler Internet AccessT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Zscaler Private AccessT1078 - Valid Accounts
  • 1 Rules

Vendor: hMail

ProductMITRE ATT&CK® TTPContent
hMailServerT1078 - Valid Accounts
  • 1 Rules

Vendor: iManage

ProductMITRE ATT&CK® TTPContent
iManageT1078 - Valid Accounts
  • 1 Rules

Vendor: oVirt

ProductMITRE ATT&CK® TTPContent
oVirtT1078 - Valid Accounts
  • 1 Rules