Vendor: SentinelOne
Product: Singularity Platform

Content summary
  Rules: 703
  Models: 208
  MITRE ATT&CK® TTPs: 148
  Activity Types: 22
  Parsers: 22

Use-Case: Abnormal Authentication & Access
  Content: 38 Rules, 20 Models
  Activity Types / Parsers:
    account-creation
      ↳sentinelone-singularityp-json-alert-trigger-success-indicators
    app-activity
      ↳sentinelone-singularityp-kv-app-activity-success-malware
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
    app-login
      ↳sentinelone-singularityp-sk4-registry-create-regvaluecreate
      ↳sentinelone-singularityp-sk4-registry-create-regkeycreate
      ↳sentinelone-singularityp-sk4-registry-delete-regvaluedelete
      ↳sentinelone-singularityp-sk4-registry-delete-regvaluedelete-1
      ↳sentinelone-singularityp-sk4-registry-delete-regkeydelete
      ↳sentinelone-singularityp-json-driver-load-success-driverload
    authentication-successful
      ↳sentinelone-singularityp-sk4-process-close-success-processtermination-1
      ↳sentinelone-singularityp-mix-process-close-processexit
      ↳sentinelone-singularityp-sk4-process-close-success-processtermination
      ↳sentinelone-singularityp-sk4-process-close-processexit
    remote-logon
      ↳sentinelone-singularityp-sk4-scheduled-task-start-success-schedtaskstart
      ↳sentinelone-singularityp-sk4-scheduled-task-start-schedtasktrigger
      ↳sentinelone-singularityp-cef-scheduled-task-start-schedtasktrigger
      ↳sentinelone-singularityp-sk4-scheduled-task-start-schedtaskstart
      ↳sentinelone-singularityp-json-endpoint-login-success-logins
    web-activity-allowed
      ↳sentinelone-s-cef-http-session-success-visibility
      ↳sentinelone-s-cef-http-session-success-visibility-1
      ↳sentinelone-singularityp-kv-http-session-success-endpoint
      ↳sentinelone-singularityp-json-alert-trigger-success-url-1
  MITRE ATT&CK® TTPs:
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1078.002 - T1078.002
    T1078.003 - Valid Accounts: Local Accounts
    T1133 - External Remote Services

Use-Case: Account Manipulation
  Content: 36 Rules, 15 Models
  Activity Types / Parsers:
    account-creation
      ↳sentinelone-singularityp-json-alert-trigger-success-indicators
    app-activity
      ↳sentinelone-singularityp-kv-app-activity-success-malware
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
      ↳sentinelone-singularityp-json-scheduled_task-scheduledtask
    process-created
      ↳sentinelone-singularityp-cef-process-create-success-visibility
      ↳sentinelone-singularityp-json-process-create-success-processcreation
      ↳sentinelone-singularityp-cef-process-create-success-processcreation
      ↳sentinelone-singularityp-cef-process-create-success-scheduledtask
      ↳sentinelone-singularityp-cef-process-create-success-process
      ↳sentinelone-singularityp-json-process-create-success-process
      ↳sentinelone-singularityp-json-process-create-success-process
      ↳sentinelone-singularityp-json-process-create-success-process
  MITRE ATT&CK® TTPs:
    T1003 - OS Credential Dumping
    T1003.003 - T1003.003
    T1021.003 - T1021.003
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059.003 - T1059.003
    T1078 - Valid Accounts
    T1098 - Account Manipulation
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
    T1136 - Create Account
    T1136.001 - Create Account: Create: Local Account
    T1136.002 - T1136.002
    T1218.010 - Signed Binary Proxy Execution: Regsvr32
    T1531 - Account Access Removal
    T1559.002 - T1559.002

Use-Case: Destruction of Data
  Content: 1 Rule
  Activity Types / Parsers:
    file-delete
      ↳sentinelone-singularityp-cef-file-delete-success-dproc
      ↳sentinelone-singularityp-cef-file-delete-success-filedeletion
      ↳sentinelone-singularityp-json-file-delete-success-deletionfile
  MITRE ATT&CK® TTPs:
    T1070.004 - Indicator Removal on Host: File Deletion
    T1485 - Data Destruction

MITRE ATT&CK® Framework for Enterprise (techniques covered, by tactic)

  Initial Access:
    Phishing: Spearphishing Link
    External Remote Services
    Valid Accounts
    Drive-by Compromise
    Valid Accounts: Cloud Accounts
    Exploit Public-Facing Application
    Phishing

  Execution:
    Windows Management Instrumentation
    Command and Scripting Interpreter
    Scheduled Task/Job
    Inter-Process Communication
    System Services
    Exploitation for Client Execution
    User Execution
    Scheduled Task/Job: Scheduled Task
    Command and Scripting Interpreter: PowerShell
    Scheduled Task/Job: At (Windows)

  Persistence:
    Pre-OS Boot
    Create Account
    Create or Modify System Process
    External Remote Services
    Valid Accounts
    Hijack Execution Flow
    Server Software Component: Web Shell
    Account Manipulation
    BITS Jobs
    Create or Modify System Process: Windows Service
    Scheduled Task/Job
    Server Software Component
    Event Triggered Execution
    Boot or Logon Autostart Execution
    Create Account: Create: Local Account
    Account Manipulation: Exchange Email Delegate Permissions

  Privilege Escalation:
    Access Token Manipulation: Token Impersonation/Theft
    Create or Modify System Process
    Valid Accounts
    Access Token Manipulation
    Exploitation for Privilege Escalation
    Hijack Execution Flow
    Group Policy Modification
    Process Injection
    Scheduled Task/Job
    Abuse Elevation Control Mechanism
    Event Triggered Execution
    Boot or Logon Autostart Execution
    Process Injection: Dynamic-link Library Injection
    Abuse Elevation Control Mechanism: Bypass User Account Control

  Defense Evasion:
    Hide Artifacts
    Indirect Command Execution
    Impair Defenses
    Indicator Removal on Host: Clear Windows Event Logs
    Group Policy Modification
    Trusted Developer Utilities Proxy Execution
    Masquerading: Match Legitimate Name or Location
    Masquerading: Rename System Utilities
    File and Directory Permissions Modification: Windows File and Directory Permissions Modification
    Obfuscated Files or Information: Compile After Delivery
    Obfuscated Files or Information: Indicator Removal from Tools
    Hijack Execution Flow: DLL Side-Loading
    Indicator Removal on Host: File Deletion
    Masquerading
    Valid Accounts
    Modify Registry
    BITS Jobs
    Use Alternate Authentication Material
    Hide Artifacts: NTFS File Attributes
    Use Alternate Authentication Material: Pass the Hash
    Indicator Removal on Host
    Use Alternate Authentication Material: Pass the Ticket
    Pre-OS Boot
    File and Directory Permissions Modification
    Deobfuscate/Decode Files or Information
    Abuse Elevation Control Mechanism
    Impair Defenses: Disable or Modify System Firewall
    Obfuscated Files or Information
    Signed Binary Proxy Execution: Compiled HTML File
    Access Token Manipulation
    Hijack Execution Flow
    Process Injection
    Valid Accounts: Local Accounts
    Signed Binary Proxy Execution: Msiexec
    Signed Binary Proxy Execution
    Signed Binary Proxy Execution: Regsvcs/Regasm
    Signed Binary Proxy Execution: CMSTP
    Unused/Unsupported Cloud Regions
    Signed Binary Proxy Execution: Control Panel
    Signed Binary Proxy Execution: InstallUtil
    Signed Binary Proxy Execution: Regsvr32
    Trusted Developer Utilities Proxy Execution: MSBuild
    Signed Binary Proxy Execution: Rundll32

  Credential Access:
    OS Credential Dumping
    Unsecured Credentials
    Steal or Forge Kerberos Tickets
    Credentials from Password Stores
    Steal or Forge Kerberos Tickets: Kerberoasting
    Network Sniffing

  Discovery:
    Account Discovery
    Domain Trust Discovery
    System Service Discovery
    System Network Connections Discovery
    Account Discovery: Local Account
    Account Discovery: Domain Account
    File and Directory Discovery
    Network Sniffing
    System Information Discovery
    Network Share Discovery
    Query Registry
    Process Discovery
    System Owner/User Discovery
    Software Discovery
    Remote System Discovery
    System Network Configuration Discovery

  Lateral Movement:
    Exploitation of Remote Services
    Remote Service Session Hijacking
    Remote Services
    Remote Services: SMB/Windows Admin Shares
    Use Alternate Authentication Material
    Remote Services: Remote Desktop Protocol
    Internal Spearphishing

  Collection:
    Screen Capture
    Email Collection
    Audio Capture
    Archive Collected Data
    Email Collection: Email Forwarding Rule

  Command and Control:
    Web Service
    Protocol Tunneling
    Application Layer Protocol: DNS
    Application Layer Protocol: File Transfer Protocols
    Application Layer Protocol: Web Protocols
    Remote Access Software
    Dynamic Resolution
    Ingress Tool Transfer
    Dynamic Resolution: Domain Generation Algorithms
    Proxy: Multi-hop Proxy
    Application Layer Protocol
    Proxy

  Exfiltration:
    Exfiltration Over Alternative Protocol
    Exfiltration Over C2 Channel
    Exfiltration Over Web Service: Exfiltration to Cloud Storage
    Exfiltration Over Web Service

  Impact:
    Account Access Removal
    Data Destruction
    Resource Hijacking
    Data Encrypted for Impact
    Inhibit System Recovery