ds_microsoft_microsoft.md

Vendor: Microsoft

Product: Microsoft

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
469	107	125	11	11

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-disabled ↳microsoft-azuread-json-user-disable-success-accountdisable account-password-change ↳microsoft-azuread-sk4-user-password-modify-success-changepassword ↳microsoft-azuread-sk4-user-password-modify-success-userpasswordchange account-unlocked ↳microsoft-azuread-json-user-unlock-success-useraccountunlock app-activity ↳microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff ↳microsoft-o365-json-app-activity-success-graphdirectoryauditlogs app-login ↳microsoft-defenderep-cef-endpoint-scan-antivirusscan ↳microsoft-defenderep-cef-service-create-serviceinstalled audit-log-clear ↳microsoft-defenderep-cef-process-memory-allocate-advancedhunting member-removed ↳microsoft-azuread-json-group-member-remove-success-groupmemberremoved	T1078 - Valid Accounts T1133 - External Remote Services	12 Rules 4 Models
Account Manipulation	account-password-change ↳microsoft-azuread-sk4-user-password-modify-success-changepassword ↳microsoft-azuread-sk4-user-password-modify-success-userpasswordchange app-activity ↳microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff ↳microsoft-o365-json-app-activity-success-graphdirectoryauditlogs member-removed ↳microsoft-azuread-json-group-member-remove-success-groupmemberremoved process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021.003 - T1021.003 T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1531 - Account Access Removal T1559.002 - T1559.002	32 Rules 15 Models
Audit Tampering	audit-log-clear ↳microsoft-defenderep-cef-process-memory-allocate-advancedhunting process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.002 - T1562.002 T1562.006 - T1562.006	8 Rules 2 Models
Cryptomining	process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1496 - Resource Hijacking	1 Rules
Data Exfiltration	file-write ↳microsoft-defenderep-cef-file-devicefileevents process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1003 - OS Credential Dumping T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1071.004 - Application Layer Protocol: DNS T1552.001 - T1552.001 T1560 - Archive Collected Data T1572 - Protocol Tunneling TA0002 - TA0002	9 Rules 1 Models
Data Leak	app-activity ↳microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff ↳microsoft-o365-json-app-activity-success-graphdirectoryauditlogs file-write ↳microsoft-defenderep-cef-file-devicefileevents	T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule	4 Rules
Destruction of Data	file-delete ↳microsoft-defenderep-cef-file-devicefileevents	T1070.004 - Indicator Removal on Host: File Deletion T1485 - Data Destruction	1 Rules
Evasion	audit-log-clear ↳microsoft-defenderep-cef-process-memory-allocate-advancedhunting process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484.001 - T1484.001 T1542.003 - T1542.003 T1543.003 - Create or Modify System Process: Windows Service T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564.001 - T1564.001 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow	45 Rules 3 Models
Phishing	process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1566.001 - T1566.001	1 Rules
Privilege Escalation	app-activity ↳microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff ↳microsoft-o365-json-app-activity-success-graphdirectoryauditlogs process-created ↳microsoft-defenderep-json-process-create-success-processevents	T1003 - OS Credential Dumping T1007 - System Service Discovery T1012 - Query Registry T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1033 - System Owner/User Discovery T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1049 - System Network Connections Discovery T1053.002 - Scheduled Task/Job: At (Windows) T1053.005 - Scheduled Task/Job: Scheduled Task T1057 - Process Discovery T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1068 - Exploitation for Privilege Escalation T1082 - System Information Discovery T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.003 - Signed Binary Proxy Execution: CMSTP T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1482 - Domain Trust Discovery T1484.001 - T1484.001 T1518.001 - T1518.001 T1543.003 - Create or Modify System Process: Windows Service T1547.002 - T1547.002 T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1552.006 - T1552.006 T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.011 - T1574.011	47 Rules 7 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Exploit Public Fasing Application Phishing	Windows Management Instrumentation Command and Scripting Interperter Scheduled Task/Job Inter-Process Communication System Services Exploitation for Client Execution User Execution Scheduled Task/Job: Scheduled Task Command and Scripting Interperter: PowerShell Scheduled Task/Job: At (Windows)	Pre-OS Boot Create Account Create or Modify System Process External Remote Services Valid Accounts Hijack Execution Flow Server Software Component: Web Shell Account Manipulation BITS Jobs Create or Modify System Process: Windows Service Scheduled Task/Job Server Software Component Event Triggered Execution Boot or Logon Autostart Execution Create Account: Create: Local Account Account Manipulation: Exchange Email Delegate Permissions	Access Token Manipulation: Token Impersonation/Theft Create or Modify System Process Valid Accounts Access Token Manipulation Exploitation for Privilege Escalation Hijack Execution Flow Group Policy Modification Process Injection Scheduled Task/Job Abuse Elevation Control Mechanism Event Triggered Execution Boot or Logon Autostart Execution Process Injection: Dynamic-link Library Injection Abuse Elevation Control Mechanism: Bypass User Account Control	Hide Artifacts Indirect Command Execution Impair Defenses Indicator Removal on Host: Clear Windows Event Logs Group Policy Modification Trusted Developer Utilities Proxy Execution Masquerading: Match Legitimate Name or Location Masquerading: Rename System Utilities File and Directory Permissions Modification: Windows File and Directory Permissions Modification Obfuscated Files or Information: Compile After Delivery Obfuscated Files or Information: Indicator Removal from Tools Hijack Execution Flow: DLL Side-Loading Indicator Removal on Host: File Deletion Masquerading Valid Accounts Modify Registry BITS Jobs Use Alternate Authentication Material Hide Artifacts: NTFS File Attributes Indicator Removal on Host Use Alternate Authentication Material: Pass the Ticket Pre-OS Boot File and Directory Permissions Modification Deobfuscate/Decode Files or Information Abuse Elevation Control Mechanism Impair Defenses: Disable or Modify System Firewall Obfuscated Files or Information Signed Binary Proxy Execution: Compiled HTML File Access Token Manipulation Hijack Execution Flow Process Injection Signed Binary Proxy Execution: Msiexec Signed Binary Proxy Execution Signed Binary Proxy Execution: Regsvcs/Regasm Signed Binary Proxy Execution: CMSTP Signed Binary Proxy Execution: Control Panel Signed Binary Proxy Execution: InstallUtil Signed Binary Proxy Execution: Regsvr32 Trusted Developer Utilities Proxy Execution: MSBuild Signed Binary Proxy Execution: Rundll32	OS Credential Dumping Unsecured Credentials Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting Network Sniffing	Account Discovery Domain Trust Discovery System Service Discovery System Network Connections Discovery Account Discovery: Local Account Account Discovery: Domain Account File and Directory Discovery Network Sniffing System Information Discovery Network Share Discovery Query Registry Process Discovery System Owner/User Discovery Software Discovery Remote System Discovery System Network Configuration Discovery	Exploitation of Remote Services Remote Service Session Hijacking Remote Services Remote Services: SMB/Windows Admin Shares Use Alternate Authentication Material Remote Services: Remote Desktop Protocol	Screen Capture Email Collection Audio Capture Archive Collected Data Email Collection: Email Forwarding Rule	Protocol Tunneling Application Layer Protocol: DNS Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Remote Access Software Ingress Tool Transfer Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over C2 Channel	Account Access Removal Data Destruction Resource Hijacking Data Encrypted for Impact Inhibit System Recovery