Use Case: Malware

June 15, 2026 · View on GitHub

Use Case: Malware

Vendor: 1password

ProductMITRE ATT&CK® TTPContent
1passwordT1078 - Valid Accounts
  • 1 Rules

Vendor: AIM Security

ProductMITRE ATT&CK® TTPContent
AI SecurityTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: APC

ProductMITRE ATT&CK® TTPContent
APCT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Abnormal Security

ProductMITRE ATT&CK® TTPContent
Abnormal SecurityT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Absolute

ProductMITRE ATT&CK® TTPContent
Absolute DDST1078 - Valid Accounts
  • 1 Rules

Vendor: Accellion

ProductMITRE ATT&CK® TTPContent
KiteworksT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Admin By Request

ProductMITRE ATT&CK® TTPContent
Admin By RequestTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Adobe

ProductMITRE ATT&CK® TTPContent
Adobe Experience ManagerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Airlock

ProductMITRE ATT&CK® TTPContent
Airlock AllowlistingT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 26 Rules
  • 7 Models

Vendor: Akamai

ProductMITRE ATT&CK® TTPContent
Akamai GuardicoreT1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 9 Rules
  • 2 Models
Akamai SIEMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
Cloud AkamaiT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Amazon

ProductMITRE ATT&CK® TTPContent
AWS BastionT1210 - Exploitation of Remote Services
  • 1 Rules
AWS CloudTrailT1037 - Boot or Logon Initialization Scripts
T1078 - Valid Accounts
T1204 - User Execution
T1204.002 - T1204.002
T1204.003 - T1204.003
TA0002 - TA0002
  • 7 Rules
  • 4 Models
AWS CloudWatchT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models
AWS Elastic Load BalancerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
AWS GuardDutyTA0002 - TA0002
  • 4 Rules
  • 2 Models
AWS Network FirewallTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
AWS Simple Email ServiceT1190 - Exploit Public Fasing Application
  • 1 Rules
AWS WAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Amazon EKST1078 - Valid Accounts
  • 1 Rules
Amazon InspectorTA0002 - TA0002
  • 4 Rules
  • 2 Models
Amazon Route 53T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Amazon S3T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 8 Models
VPC Flow LogsTA0011 - TA0011
  • 4 Rules

Vendor: Apache

ProductMITRE ATT&CK® TTPContent
ApacheT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: AppSense

ProductMITRE ATT&CK® TTPContent
AppSense Application ManagerT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models

Vendor: Apple

ProductMITRE ATT&CK® TTPContent
macOST1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Arbor

ProductMITRE ATT&CK® TTPContent
Arbor CloudTA0011 - TA0011
  • 2 Rules

Vendor: Arctic Wolf

ProductMITRE ATT&CK® TTPContent
Cylance ProtectTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armorblox

ProductMITRE ATT&CK® TTPContent
ArmorbloxT1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: AssetView

ProductMITRE ATT&CK® TTPContent
AssetViewT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Atlassian

ProductMITRE ATT&CK® TTPContent
AtlassianT1078 - Valid Accounts
  • 1 Rules
Atlassian GuardTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Attivo

ProductMITRE ATT&CK® TTPContent
BOTsinkTA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models

Vendor: Auth0

ProductMITRE ATT&CK® TTPContent
Auth0T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models

Vendor: Barracuda

ProductMITRE ATT&CK® TTPContent
Barracuda Cloudgen FirewallT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
TA0011 - TA0011
  • 11 Rules
  • 2 Models
Barracuda Email Security GatewayT1190 - Exploit Public Fasing Application
  • 1 Rules
Barracuda WAFTA0011 - TA0011
  • 3 Rules

Vendor: BeyondTrust

ProductMITRE ATT&CK® TTPContent
BeyondInsightT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
BeyondTrustT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
BeyondTrust Remote SupportT1078 - Valid Accounts
  • 1 Rules
BeyondTrust Secure Remote AccessT1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Bitdefender

ProductMITRE ATT&CK® TTPContent
GravityZoneTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Bitglass

ProductMITRE ATT&CK® TTPContent
Bitglass CASBT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: BlackBerry

ProductMITRE ATT&CK® TTPContent
BlackBerry ProtectT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 28 Rules
  • 8 Models

Vendor: BlueCat Networks

ProductMITRE ATT&CK® TTPContent
BlueCat NetworksT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules

Vendor: Box

ProductMITRE ATT&CK® TTPContent
Box Cloud Content ManagementT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models
Box ShieldTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: CA Technologies

ProductMITRE ATT&CK® TTPContent
CA Privileged Access Manager Server ControlT1078 - Valid Accounts
  • 1 Rules

Vendor: CDS

ProductMITRE ATT&CK® TTPContent
CDST1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Canon

ProductMITRE ATT&CK® TTPContent
imageRUNNER ADVANCET1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: CatoNetworks

ProductMITRE ATT&CK® TTPContent
Cato CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models

Vendor: Check Point

ProductMITRE ATT&CK® TTPContent
Check Point Anti-MalwareTA0002 - TA0002
  • 4 Rules
  • 2 Models
Check Point AvananT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Endpoint SecurityT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Identity AwarenessT1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 9 Rules
  • 2 Models
Check Point NGFWT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 35 Rules
  • 9 Models
Check Point Security GatewayT1078 - Valid Accounts
  • 1 Rules
Check Point Threat EmulationTA0002 - TA0002
  • 4 Rules
  • 2 Models
Harmony Email & CollaborationT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Harmony SaaSTA0002 - TA0002
  • 4 Rules
  • 2 Models
SmartDefenseTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Checkmarx

ProductMITRE ATT&CK® TTPContent
CheckmarxT1078 - Valid Accounts
  • 1 Rules

Vendor: Cimcor

ProductMITRE ATT&CK® TTPContent
CimTrakT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Cisco

ProductMITRE ATT&CK® TTPContent
CiscoT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 2 Rules
Cisco Adaptive Security ApplianceTA0011 - TA0011
  • 3 Rules
Cisco Cloud SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models
Cisco CollaborationT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cisco Cyber VisionT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cisco Data CenterT1078 - Valid Accounts
  • 1 Rules
Cisco Email SecurityT1190 - Exploit Public Fasing Application
  • 1 Rules
Cisco IOST1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 26 Models
Cisco Identity IntelligenceTA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Identity and Access ManagementT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Cisco Network Infrastructure and ManagementT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Cisco Network Monitoring and AnalyticsTA0011 - TA0011
  • 4 Rules
Cisco Network SecurityT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 202 Rules
  • 33 Models
Cisco Remote Access SecurityT1078 - Valid Accounts
  • 1 Rules
Cisco Secure EndpointTA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Secure Firewall Management CenterT1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Cisco Secure Network AnalyticsTA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Web SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Duo AccessT1078 - Valid Accounts
  • 1 Rules

Vendor: Citrix

ProductMITRE ATT&CK® TTPContent
Citrix GatewayT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 194 Rules
  • 33 Models
Citrix Secure Private AccessTA0011 - TA0011
  • 4 Rules
Citrix Security AnalyticsTA0002 - TA0002
  • 4 Rules
  • 2 Models
Citrix Virtual AppsT1078 - Valid Accounts
  • 1 Rules
Citrix Web App FirewallTA0011 - TA0011
  • 4 Rules

Vendor: Claroty

ProductMITRE ATT&CK® TTPContent
CTDT1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
ClarotyTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Click Studios

ProductMITRE ATT&CK® TTPContent
PasswordstateT1078 - Valid Accounts
  • 1 Rules

Vendor: Cloudflare

ProductMITRE ATT&CK® TTPContent
Cloudflare InsightsT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 28 Rules
  • 7 Models
Cloudflare WAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models

Vendor: Cohesity

ProductMITRE ATT&CK® TTPContent
Cohesity DataPlatformT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Commvault

ProductMITRE ATT&CK® TTPContent
CommvaultT1078 - Valid Accounts
  • 1 Rules
Commvault ThreatWiseTA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models

Vendor: Corelight

ProductMITRE ATT&CK® TTPContent
Corelight IDSTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: CrowdStrike

ProductMITRE ATT&CK® TTPContent
FalconT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 216 Rules
  • 46 Models
Identity Threat Detection & ResponseT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: CyberArk

ProductMITRE ATT&CK® TTPContent
CyberArk Privilege Access ManagerT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 15 Rules
  • 5 Models

Vendor: Cybereason

ProductMITRE ATT&CK® TTPContent
CybereasonTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cyberhaven

ProductMITRE ATT&CK® TTPContent
Cyberhaven DLPTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cyera

ProductMITRE ATT&CK® TTPContent
Omni DLPTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cylance

ProductMITRE ATT&CK® TTPContent
Cylance OPTICST1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 36 Rules
  • 10 Models

Vendor: Cynet

ProductMITRE ATT&CK® TTPContent
Cynet EDRT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models

Vendor: Darktrace

ProductMITRE ATT&CK® TTPContent
DarktraceT1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Delinea

ProductMITRE ATT&CK® TTPContent
Centrify Audit and Monitoring ServiceT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
Centrify Authentication ServiceT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Centrify Infrastructure ServicesT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Centrify Zero Trust Privilege ServicesT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Delinea PlatformT1078 - Valid Accounts
  • 1 Rules
Secret ServerT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Dell

ProductMITRE ATT&CK® TTPContent
EMC IsilonT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
PowerProtectT1078 - Valid Accounts
  • 1 Rules
PowerProtect Data ManagerT1078 - Valid Accounts
  • 1 Rules
PowerStoreT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
SonicwallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models

Vendor: Digital Arts

ProductMITRE ATT&CK® TTPContent
Digital Arts i-FILTER for BusinessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Digital Guardian

ProductMITRE ATT&CK® TTPContent
Digital Guardian Endpoint ProtectionT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
Digital Guardian Network DLPT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 178 Rules
  • 29 Models

Vendor: Dnsmasq

ProductMITRE ATT&CK® TTPContent
DnsmasqT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules

Vendor: Dropbox

ProductMITRE ATT&CK® TTPContent
DropboxT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Dtex Systems

ProductMITRE ATT&CK® TTPContent
DTEX InTERCEPTT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 173 Rules
  • 29 Models

Vendor: ESET

ProductMITRE ATT&CK® TTPContent
ESET Endpoint SecurityT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Egnyte

ProductMITRE ATT&CK® TTPContent
EgnyteT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Entrust

ProductMITRE ATT&CK® TTPContent
Entrust Identity EnterpriseT1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

ProductMITRE ATT&CK® TTPContent
Epic SIEMT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Ermes

ProductMITRE ATT&CK® TTPContent
Ermes Browser Security PlatformT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Exabeam

ProductMITRE ATT&CK® TTPContent
Correlation RuleTA0002 - TA0002
  • 4 Rules
  • 2 Models
Phishing DetectionT1190 - Exploit Public Fasing Application
  • 1 Rules
SearchTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Extrahop

ProductMITRE ATT&CK® TTPContent
Extrahop Reveal(x)T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
  • 8 Rules
  • 2 Models

Vendor: Extreme Networks

ProductMITRE ATT&CK® TTPContent
EXOST1078 - Valid Accounts
  • 1 Rules
Platform ONET1078 - Valid Accounts
  • 1 Rules
Universal ZTNAT1078 - Valid Accounts
  • 1 Rules
Zebra WLAN ManagementT1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: F-Secure

ProductMITRE ATT&CK® TTPContent
F-Secure Client SecurityTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: F5

ProductMITRE ATT&CK® TTPContent
BIG-IP F5 LBRTA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 Access Policy ManagerT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0011 - TA0011
  • 4 Rules
F5 Advanced Firewall ManagerTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
F5 Advanced Web Application FirewallTA0011 - TA0011
  • 2 Rules
F5 Application Security ManagerTA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models
F5 BIG-IPT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
TA0011 - TA0011
  • 10 Rules
  • 2 Models
F5 BIG-IP DNST1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules
F5 Distributed CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
F5 SilverlineTA0002 - TA0002
TA0011 - TA0011
  • 6 Rules
  • 2 Models
F5 WebSafeT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
NGINXTA0011 - TA0011
  • 4 Rules

Vendor: FTP

ProductMITRE ATT&CK® TTPContent
FTPT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Fastly

ProductMITRE ATT&CK® TTPContent
Next-Gen Web Application FirewallTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: FireMon

ProductMITRE ATT&CK® TTPContent
FireMonT1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

ProductMITRE ATT&CK® TTPContent
Forcepoint DLPT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Forcepoint Email SecurityT1190 - Exploit Public Fasing Application
  • 1 Rules
Forcepoint Next-Gen FirewallTA0011 - TA0011
  • 4 Rules
Websense Security GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Forescout

ProductMITRE ATT&CK® TTPContent
Forescout CounterACTTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor: Fortinet

ProductMITRE ATT&CK® TTPContent
FortiAuthenticatorT1078 - Valid Accounts
  • 1 Rules
FortiClientT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
FortiGateT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 39 Rules
  • 9 Models
FortiNACT1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 5 Rules
  • 2 Models
FortiSIEMT1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
FortiXDRT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models
Fortinet Enterprise FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models
Fortinet UTMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
Fortinet VPNTA0011 - TA0011
  • 3 Rules
Fortiweb Web Application FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: FreeBSD

ProductMITRE ATT&CK® TTPContent
FreeBSDT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models

Vendor: Gamma

ProductMITRE ATT&CK® TTPContent
GammaTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: GitHub

ProductMITRE ATT&CK® TTPContent
GitHubT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models

Vendor: GoAnywhere

ProductMITRE ATT&CK® TTPContent
GoAnywhere MFTT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Google

ProductMITRE ATT&CK® TTPContent
GCP CloudAuditT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Google Cloud PlatformT1037 - Boot or Logon Initialization Scripts
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1204.003 - T1204.003
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 38 Rules
  • 12 Models
Google WorkspaceT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Security Command CenterTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: HP

ProductMITRE ATT&CK® TTPContent
Aruba ClearPass Policy ManagerT1078 - Valid Accounts
  • 1 Rules
Aruba Mobility MasterT1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controllerT1078 - Valid Accounts
  • 1 Rules
ArubaOST1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
HP iLOT1078 - Valid Accounts
  • 1 Rules

Vendor: HUMAN Security

ProductMITRE ATT&CK® TTPContent
HUMAN Bot DefenderT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Halcyon

ProductMITRE ATT&CK® TTPContent
HalcyonTA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: HelpSystems

ProductMITRE ATT&CK® TTPContent
Powertech Identity and Access ManagerT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 29 Models

Vendor: Hornet

ProductMITRE ATT&CK® TTPContent
Hornetsecurity Cloud Email Security ServicesT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Huawei

ProductMITRE ATT&CK® TTPContent
Huawei Enterprise Network FirewallTA0011 - TA0011
  • 4 Rules
Huawei Unified Security GatewayT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models

Vendor: IBM

ProductMITRE ATT&CK® TTPContent
GuardiumTA0002 - TA0002
  • 2 Rules
  • 1 Models
HCL NotesTA0011 - TA0011
  • 3 Rules
IBMT1078 - Valid Accounts
  • 1 Rules
IBM DatapowerT1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0011 - TA0011
  • 10 Rules
IBM MainframeT1078 - Valid Accounts
  • 1 Rules
QRadar SIEMTA0002 - TA0002
  • 4 Rules
  • 2 Models
Security Access ManagerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: IMSS

ProductMITRE ATT&CK® TTPContent
IMSSTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: IMSVA

ProductMITRE ATT&CK® TTPContent
IMSVAT1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: IPTables

ProductMITRE ATT&CK® TTPContent
IPTables FWTA0011 - TA0011
  • 4 Rules

Vendor: Illumio

ProductMITRE ATT&CK® TTPContent
Illumio CoreTA0011 - TA0011
  • 4 Rules

Vendor: Imperva

ProductMITRE ATT&CK® TTPContent
Attack AnalyticsTA0002 - TA0002
  • 4 Rules
  • 2 Models
Imperva IncapsulaT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Imperva SecureSphereT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Imprivata

ProductMITRE ATT&CK® TTPContent
ImprivataT1078 - Valid Accounts
  • 1 Rules

Vendor: Infoblox

ProductMITRE ATT&CK® TTPContent
BloxOne DDIT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 48 Rules
  • 12 Models

Vendor: Ipswitch

ProductMITRE ATT&CK® TTPContent
MoveIt TransferT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Ironscales

ProductMITRE ATT&CK® TTPContent
IronscalesT1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
  • 2 Rules

Vendor: Island

ProductMITRE ATT&CK® TTPContent
Island Enterprise BrowserT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Ivanti

ProductMITRE ATT&CK® TTPContent
Ivanti Pulse SecureT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 26 Rules
  • 7 Models

Vendor: Jamf

ProductMITRE ATT&CK® TTPContent
Jamf ProtectT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 168 Rules
  • 26 Models

Vendor: Jumpcloud

ProductMITRE ATT&CK® TTPContent
JumpcloudT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Juniper Networks

ProductMITRE ATT&CK® TTPContent
Juniper SRX SeriesT1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 9 Rules
  • 2 Models
Junos OST1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: Kasada

ProductMITRE ATT&CK® TTPContent
KasadaT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Kaspersky

ProductMITRE ATT&CK® TTPContent
Kaspersky Endpoint Security for BusinessTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Kemp

ProductMITRE ATT&CK® TTPContent
Kemp LoadMasterTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Kong

ProductMITRE ATT&CK® TTPContent
Kong GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: LanScope

ProductMITRE ATT&CK® TTPContent
LanScope CatT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 27 Rules
  • 9 Models

Vendor: LastPass

ProductMITRE ATT&CK® TTPContent
LastPassT1078 - Valid Accounts
  • 1 Rules

Vendor: Libraesva

ProductMITRE ATT&CK® TTPContent
Libraesva Email SecurityT1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: LiquidFiles

ProductMITRE ATT&CK® TTPContent
LiquidFilesT1078 - Valid Accounts
  • 1 Rules

Vendor: LogRhythm

ProductMITRE ATT&CK® TTPContent
LogRhythmT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 176 Rules
  • 28 Models
NetMonTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor: Lookout

ProductMITRE ATT&CK® TTPContent
LookoutTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Malwarebytes

ProductMITRE ATT&CK® TTPContent
Malwarebytes Endpoint ProtectionTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ManageEngine

ProductMITRE ATT&CK® TTPContent
ADManager PlusTA0002 - TA0002
  • 4 Rules
  • 2 Models
ADSSPT1078 - Valid Accounts
  • 1 Rules
PAM360T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: McAfee

ProductMITRE ATT&CK® TTPContent
McAfee Web GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Menlo Security

ProductMITRE ATT&CK® TTPContent
Menlo SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: Microsoft

ProductMITRE ATT&CK® TTPContent
Active Directory Federation ServicesT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models
Azure AD Activity LogsT1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 4 Rules
Azure AD Sign-In LogsT1078 - Valid Accounts
  • 1 Rules
Azure ATPT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Azure Container RegistryT1078 - Valid Accounts
  • 1 Rules
Azure Event HubTA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure FirewallT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0011 - TA0011
  • 7 Rules
Azure Key VaultT1078 - Valid Accounts
  • 1 Rules
Azure MFAT1078 - Valid Accounts
  • 1 Rules
Azure MonitorT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1204.003 - T1204.003
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 51 Rules
  • 16 Models
Azure Monitor - VM InsightsT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Azure Network WatcherTA0011 - TA0011
  • 4 Rules
CopilotTA0002 - TA0002
  • 4 Rules
  • 2 Models
Event Viewer - ADFST1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models
Event Viewer - ApplicationT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 26 Models
Event Viewer - ApplockerTA0002 - TA0002
  • 4 Rules
  • 2 Models
Event Viewer - AzureADPasswordProtection-DCAgentT1072 - Software Deployment Tools
T1078 - Valid Accounts
T1546 - Event Triggered Execution
T1546.003 - T1546.003
TA0002 - TA0002
  • 4 Rules
Event Viewer - CodeIntegrityT1072 - Software Deployment Tools
T1546 - Event Triggered Execution
T1546.003 - T1546.003
TA0002 - TA0002
  • 3 Rules
Event Viewer - DNSClientT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Event Viewer - DNSServerT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0011 - TA0011
  • 7 Rules
Event Viewer - NPST1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLMT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - OpenSSHT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - PowerShellT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Event Viewer - SMBT1078 - Valid Accounts
T1569 - System Services
T1569.002 - T1569.002
  • 2 Rules
Event Viewer - SecurityT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 246 Rules
  • 58 Models
Event Viewer - SystemT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 190 Rules
  • 38 Models
Event Viewer - TaskSchedulerT1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
TA0002 - TA0002
  • 13 Rules
  • 9 Models
Event Viewer - TerminalServices-GatewayT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - TerminalServices-RemoteConnectionManagerT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - WinNatT1078 - Valid Accounts
  • 1 Rules
M365 Audit LogsT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
MSSQLT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 49 Rules
  • 13 Models
Microsoft 365T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 39 Rules
  • 12 Models
Microsoft Advanced Threat AnalyticsTA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft CAST1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Microsoft DHCP LogTA0011 - TA0011
  • 3 Rules
Microsoft DNS LogT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules
Microsoft DefenderT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 244 Rules
  • 59 Models
Microsoft Defender for CloudTA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft Defender for EndpointTA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft EntraTA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft ExchangeT1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Microsoft IIST1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Microsoft Network Policy ServerT1078 - Valid Accounts
  • 1 Rules
Microsoft PurviewTA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft RRAST1078 - Valid Accounts
  • 1 Rules
Microsoft SentinelT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
Microsoft WMI LogT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
NetLogonT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Network Security Group Flow LogsTA0011 - TA0011
  • 4 Rules
SysmonT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 188 Rules
  • 33 Models
Windows Defender Application ControlT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models

Vendor: Mimecast

ProductMITRE ATT&CK® TTPContent
Code42 IncydrT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1190 - Exploit Public Fasing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models
Mimecast Secure Email GatewayT1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Mimecast Targeted Threat Protection - URLT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Mvision

ProductMITRE ATT&CK® TTPContent
MvisionTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nasuni

ProductMITRE ATT&CK® TTPContent
NasuniT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: NetApp

ProductMITRE ATT&CK® TTPContent
NetAppTA0002 - TA0002
  • 2 Rules
  • 1 Models
NetApp OntapT1078 - Valid Accounts
  • 1 Rules

Vendor: NetMotion Wireless

ProductMITRE ATT&CK® TTPContent
NetMotion WirelessT1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

ProductMITRE ATT&CK® TTPContent
Netskope Security CloudT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 43 Rules
  • 12 Models
Netskope WebtxT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 28 Rules
  • 7 Models

Vendor: Netwrix

ProductMITRE ATT&CK® TTPContent
Netwrix AuditorT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: NextDLP

ProductMITRE ATT&CK® TTPContent
RevealT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 37 Rules
  • 12 Models

Vendor: Nightfall

ProductMITRE ATT&CK® TTPContent
Nightfall AITA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nozomi Networks

ProductMITRE ATT&CK® TTPContent
Nozomi Networks GuardianTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: OSSEC

ProductMITRE ATT&CK® TTPContent
OSSECTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Obsidian Security

ProductMITRE ATT&CK® TTPContent
SaaS SecurityTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Okta

ProductMITRE ATT&CK® TTPContent
Okta Adaptive MFAT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Okta Workforce Identity CloudT1078 - Valid Accounts
  • 1 Rules

Vendor: Onapsis

ProductMITRE ATT&CK® TTPContent
OnapsisTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: OneLogin

ProductMITRE ATT&CK® TTPContent
OneLoginT1078 - Valid Accounts
  • 1 Rules

Vendor: OneWelcome

ProductMITRE ATT&CK® TTPContent
OneWelcome Cloud Identity PlatformT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Open VPN

ProductMITRE ATT&CK® TTPContent
Open VPNT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenAI

ProductMITRE ATT&CK® TTPContent
ChatGPTT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

ProductMITRE ATT&CK® TTPContent
OpenDJT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenLDAP

ProductMITRE ATT&CK® TTPContent
OpenLDAPT1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

ProductMITRE ATT&CK® TTPContent
Oracle Public CloudT1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
SolarisT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: Ordr

ProductMITRE ATT&CK® TTPContent
Ordr AI ProtectTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Palo Alto Networks

ProductMITRE ATT&CK® TTPContent
Cortex XDRT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 28 Rules
  • 8 Models
Cortex XSOART1078 - Valid Accounts
  • 1 Rules
GlobalProtectT1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
Palo Alto ApertureT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models
Palo Alto NGFWT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 37 Rules
  • 9 Models
Palo Alto WildFireTA0002 - TA0002
  • 4 Rules
  • 2 Models
Prisma AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models
Prisma CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: Password Manager Pro

ProductMITRE ATT&CK® TTPContent
Password Manager ProT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Ping Identity

ProductMITRE ATT&CK® TTPContent
ForgeRockT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Ping AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Ping IdentityT1078 - Valid Accounts
  • 1 Rules
PingFederateT1078 - Valid Accounts
  • 1 Rules
PingOneT1078 - Valid Accounts
  • 1 Rules

Vendor: Portnox

ProductMITRE ATT&CK® TTPContent
Portnox CloudT1078 - Valid Accounts
  • 1 Rules

Vendor: Postfix

ProductMITRE ATT&CK® TTPContent
PostfixT1190 - Exploit Public Fasing Application
TA0011 - TA0011
  • 3 Rules

Vendor: PowerDNS

ProductMITRE ATT&CK® TTPContent
PowerDNS RecursorT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules

Vendor: Progress

ProductMITRE ATT&CK® TTPContent
Progress ShareFileT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Proofpoint

ProductMITRE ATT&CK® TTPContent
ObserveITTA0002 - TA0002
  • 4 Rules
  • 2 Models
Proofpoint CASBTA0002 - TA0002
  • 4 Rules
  • 2 Models
Proofpoint Email ProtectionT1190 - Exploit Public Fasing Application
  • 1 Rules
Proofpoint Enterprise ProtectionT1190 - Exploit Public Fasing Application
  • 1 Rules
Targeted Attack PlatformT1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: Qualys

ProductMITRE ATT&CK® TTPContent
Qualys AssetViewT1078 - Valid Accounts
  • 1 Rules

Vendor: RSA

ProductMITRE ATT&CK® TTPContent
RSA Authentication ManagerT1078 - Valid Accounts
  • 1 Rules
SecurIDT1078 - Valid Accounts
  • 1 Rules

Vendor: Radware

ProductMITRE ATT&CK® TTPContent
Radware WAFTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Rapid7

ProductMITRE ATT&CK® TTPContent
Rapid7 InsightVMTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: RedShield

ProductMITRE ATT&CK® TTPContent
RedShield WAFTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Rubrik

ProductMITRE ATT&CK® TTPContent
Rubrik Cloud Data ManagementT1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

ProductMITRE ATT&CK® TTPContent
SAPT1078 - Valid Accounts
  • 1 Rules

Vendor: SIGSCI

ProductMITRE ATT&CK® TTPContent
SIGSCIT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Sailpoint

ProductMITRE ATT&CK® TTPContent
IdentityNowT1078 - Valid Accounts
  • 1 Rules

Vendor: Salesforce

ProductMITRE ATT&CK® TTPContent
SalesforceT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 31 Rules
  • 9 Models

Vendor: Sangfor

ProductMITRE ATT&CK® TTPContent
Sangfor NGAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Secomea

ProductMITRE ATT&CK® TTPContent
SecomeaT1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

ProductMITRE ATT&CK® TTPContent
SecureAuth IDPT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
SecureAuth LoginT1078 - Valid Accounts
  • 1 Rules
ProductMITRE ATT&CK® TTPContent
SecureLinkT1078 - Valid Accounts
  • 1 Rules

Vendor: SecureNet

ProductMITRE ATT&CK® TTPContent
SecureNetT1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

ProductMITRE ATT&CK® TTPContent
Semperis DSPT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: SentinelOne

ProductMITRE ATT&CK® TTPContent
Singularity PlatformT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 225 Rules
  • 48 Models
VigilanceT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ServiceNow

ProductMITRE ATT&CK® TTPContent
ServiceNowT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Shibboleth

ProductMITRE ATT&CK® TTPContent
ShibbolethT1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

ProductMITRE ATT&CK® TTPContent
Silverfort Authentication PlatformT1078 - Valid Accounts
  • 1 Rules

Vendor: SiteMinder

ProductMITRE ATT&CK® TTPContent
Symantec SiteMinderT1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

ProductMITRE ATT&CK® TTPContent
SkySea ClientViewT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 200 Rules
  • 36 Models

Vendor: Skyformation

ProductMITRE ATT&CK® TTPContent
SkyformationT1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

ProductMITRE ATT&CK® TTPContent
Secure Web GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Skyhigh CASBT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Skyhigh Security CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models

Vendor: Snort

ProductMITRE ATT&CK® TTPContent
SnortTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Sophos

ProductMITRE ATT&CK® TTPContent
Sophos Endpoint ProtectionT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 31 Rules
  • 9 Models
Sophos UTMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models
Sophos XG FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models
Sophos XGS FirewallT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Splunk

ProductMITRE ATT&CK® TTPContent
Splunk StreamT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules

Vendor: Squid

ProductMITRE ATT&CK® TTPContent
SquidT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: SunOne

ProductMITRE ATT&CK® TTPContent
SunOneT1078 - Valid Accounts
  • 1 Rules

Vendor: Suricata

ProductMITRE ATT&CK® TTPContent
SuricataTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Swift

ProductMITRE ATT&CK® TTPContent
SwiftT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 27 Rules
  • 7 Models

Vendor: Swimlane

ProductMITRE ATT&CK® TTPContent
Swimlane TurbineT1078 - Valid Accounts
  • 1 Rules

Vendor: Symantec

ProductMITRE ATT&CK® TTPContent
Symantec Advanced Threat ProtectionT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
TA0011 - TA0011
  • 30 Rules
  • 8 Models
Symantec CloudSOCT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Content Analysis SystemTA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec DLPT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Email SecurityT1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Endpoint ProtectionT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
TA0011 - TA0011
  • 31 Rules
  • 8 Models
Symantec VIPT1078 - Valid Accounts
  • 1 Rules
Symantec Web Security ServiceT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models

Vendor: Synology NAS

ProductMITRE ATT&CK® TTPContent
Synology NAST1569 - System Services
T1569.002 - T1569.002
  • 1 Rules

Vendor: Sysdig

ProductMITRE ATT&CK® TTPContent
Sysdig MonitorT1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public Fasing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models

Vendor: TXOne Networks

ProductMITRE ATT&CK® TTPContent
StellarProtectTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tanium

ProductMITRE ATT&CK® TTPContent
Tanium Cloud PlatformT1078 - Valid Accounts
  • 1 Rules
Tanium Core PlatformTA0002 - TA0002
  • 4 Rules
  • 2 Models
Tanium Integrity MonitorT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
Tanium Threat ResponseTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tenable

ProductMITRE ATT&CK® TTPContent
Tenable Cloud SecurityT1078 - Valid Accounts
  • 1 Rules
Tenable Identity ExposureTA0002 - TA0002
  • 4 Rules
  • 2 Models
Tenable Vulnerability ManagementTA0002 - TA0002
  • 4 Rules
  • 2 Models
Tenable Web App ScanningTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tessian

ProductMITRE ATT&CK® TTPContent
Tessian Cloud Email SecurityT1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: ThoughtSpot

ProductMITRE ATT&CK® TTPContent
ThoughtSpotT1078 - Valid Accounts
  • 1 Rules

Vendor: ThreatBlockr

ProductMITRE ATT&CK® TTPContent
ThreatBlockrT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 6 Rules

Vendor: Trellix

ProductMITRE ATT&CK® TTPContent
Trellix Central ManagementTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix DLP EndpointTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix Database SecurityTA0002 - TA0002
  • 2 Rules
  • 1 Models
Trellix Email SecurityTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix Endpoint SecurityT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1047 - Windows Management Instrumentation
T1059 - Command and Scripting Interperter
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1190 - Exploit Public Fasing Application
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 19 Rules
  • 6 Models
Trellix Endpoint Security (HX)TA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix HelixTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix Network Security (NX)T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 48 Rules
  • 12 Models
Trellix Network Security PlatformTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix Web MPSTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trellix ePolicy OrchestratorTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Trend Micro

ProductMITRE ATT&CK® TTPContent
Apex OneTA0002 - TA0002
  • 4 Rules
  • 2 Models
Deep Discovery InspectorT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Deep SecurityT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 201 Rules
  • 45 Models
OfficeScanTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
TippingPoint NGIPSTA0002 - TA0002
  • 4 Rules
  • 2 Models
Trend Micro ScanMailTA0002 - TA0002
  • 4 Rules
  • 2 Models
Vision OneT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Tripwire Enterprise

ProductMITRE ATT&CK® TTPContent
Tripwire EnterpriseTA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Unix

ProductMITRE ATT&CK® TTPContent
AuditbeatT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 172 Rules
  • 28 Models
UnixT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 183 Rules
  • 29 Models
Unix AuditdT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 168 Rules
  • 26 Models
Unix NamedT1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Unix SendmailT1190 - Exploit Public Fasing Application
  • 1 Rules
rsyslogTA0011 - TA0011
  • 2 Rules

Vendor: VBCorp

ProductMITRE ATT&CK® TTPContent
VBCorpTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: VMware

ProductMITRE ATT&CK® TTPContent
Carbon Black App ControlT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 173 Rules
  • 31 Models
Carbon Black CEST1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 181 Rules
  • 31 Models
Carbon Black EDRT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 189 Rules
  • 34 Models
VMware AirWatchT1078 - Valid Accounts
  • 1 Rules
VMware ESXiT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
VMware HorizonT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
VMware Identity ManagerTA0002 - TA0002
  • 4 Rules
  • 2 Models
VMware NSXTA0011 - TA0011
  • 4 Rules
VMware ViewT1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
vCenterT1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Varonis

ProductMITRE ATT&CK® TTPContent
Varonis Data Security PlatformT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models

Vendor: Vectra

ProductMITRE ATT&CK® TTPContent
Vectra Cognito DetectT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Veeam

ProductMITRE ATT&CK® TTPContent
VeeamTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Virtru

ProductMITRE ATT&CK® TTPContent
VirtruTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vormetric

ProductMITRE ATT&CK® TTPContent
VormetricT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Watchguard

ProductMITRE ATT&CK® TTPContent
WatchguardT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models

Vendor: Wiz

ProductMITRE ATT&CK® TTPContent
WizT1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Workday

ProductMITRE ATT&CK® TTPContent
WorkdayT1078 - Valid Accounts
  • 1 Rules

Vendor: Zeek

ProductMITRE ATT&CK® TTPContent
ZeekT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 51 Rules
  • 12 Models

Vendor: ZeroFox

ProductMITRE ATT&CK® TTPContent
ZeroFox ProtectionTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Zimperium

ProductMITRE ATT&CK® TTPContent
Zimperium MTDTA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Zscaler

ProductMITRE ATT&CK® TTPContent
FW Zscaler CloudTA0011 - TA0011
  • 4 Rules
Zscaler Breach PredictorT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Zscaler DeceptionTA0002 - TA0002
  • 4 Rules
  • 2 Models
Zscaler Internet AccessT1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 47 Rules
  • 12 Models
Zscaler Private AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models

Vendor: Zyxel Networks

ProductMITRE ATT&CK® TTPContent
Zyxel USG FLEXTA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor:

Vendor: iBoss

ProductMITRE ATT&CK® TTPContent
Iboss CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: pfSense

ProductMITRE ATT&CK® TTPContent
pfSenseTA0011 - TA0011
  • 4 Rules