Skip to content

Latest commit

 

History

History
1120 lines (1118 loc) · 800 KB

uc_malware.md

File metadata and controls

1120 lines (1118 loc) · 800 KB

Use Case: Malware

Vendor: AMD

Product MITRE ATT&CK® TTP Content
Pensando TA0011 - TA0011
  • 4 Rules

Vendor: APC

Product MITRE ATT&CK® TTP Content
APC T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: AVI Networks

Product MITRE ATT&CK® TTP Content
Avi Networks Software Load Balancer T1078 - Valid Accounts
  • 1 Rules

Vendor: Absolute

Product MITRE ATT&CK® TTP Content
Absolute DDS T1078 - Valid Accounts
  • 1 Rules

Vendor: Accellion

Product MITRE ATT&CK® TTP Content
Kiteworks T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 4 Models

Vendor: Admin By Request

Product MITRE ATT&CK® TTP Content
Admin By Request TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Airlock

Product MITRE ATT&CK® TTP Content
Airlock Allowlisting T1078 - Valid Accounts
  • 1 Rules
Airlock Security Access Hub T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 16 Rules
  • 4 Models

Vendor: Akamai

Product MITRE ATT&CK® TTP Content
Akamai SIEM TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloud Akamai T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: Amazon

Product MITRE ATT&CK® TTP Content
AWS CloudTrail T1003.002 - T1003.002
T1078 - Valid Accounts
T1204.003 - T1204.003
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
AWS CloudWatch T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
AWS GuardDuty TA0002 - TA0002
  • 4 Rules
  • 2 Models
AWS WAF T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 7 Models
Amazon Route 53 T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 3 Rules

Vendor: Apache

Product MITRE ATT&CK® TTP Content
Apache T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Apache Subversion T1078 - Valid Accounts
  • 1 Rules

Vendor: Arista Networks

Product MITRE ATT&CK® TTP Content
Awake Security TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armis

Product MITRE ATT&CK® TTP Content
Armis Platform TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armorblox

Product MITRE ATT&CK® TTP Content
Armorblox T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: AssetView

Product MITRE ATT&CK® TTP Content
AssetView T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Atlassian

Product MITRE ATT&CK® TTP Content
Atlassian BitBucket T1078 - Valid Accounts
  • 1 Rules

Vendor: Attivo

Product MITRE ATT&CK® TTP Content
BOTsink TA0011 - TA0011
  • 3 Rules

Vendor: Auth0

Product MITRE ATT&CK® TTP Content
Auth0 T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Avaya

Product MITRE ATT&CK® TTP Content
Avaya Ethernet Routing Switch T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Axway

Product MITRE ATT&CK® TTP Content
Axway Gateway T1078 - Valid Accounts
  • 1 Rules

Vendor: Azure AD Identity Protection

Product MITRE ATT&CK® TTP Content
Azure AD Identity Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Azure ATP

Product MITRE ATT&CK® TTP Content
Azure ATP TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Azure Monitor

Product MITRE ATT&CK® TTP Content
Azure Monitor T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Banyan Security

Product MITRE ATT&CK® TTP Content
Banyan Security T1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

Product MITRE ATT&CK® TTP Content
Barracuda Cloudgen Firewall T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0002 - TA0002
TA0011 - TA0011
  • 10 Rules
  • 2 Models
Barracuda Email Security Gateway T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
  • 2 Rules
Barracuda WAF T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

Product MITRE ATT&CK® TTP Content
BeyondInsight T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
BeyondTrust T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
BeyondTrust Privileged Identity T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
BeyondTrust Secure Remote Access T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Bitdefender

Product MITRE ATT&CK® TTP Content
GravityZone T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Bitglass

Product MITRE ATT&CK® TTP Content
Bitglass CASB T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: BlackBerry

Product MITRE ATT&CK® TTP Content
BlackBerry Protect TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: BlueCat Networks

Product MITRE ATT&CK® TTP Content
BlueCat Networks T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 3 Rules

Vendor: Box

Product MITRE ATT&CK® TTP Content
Box Cloud Content Management T1078 - Valid Accounts
  • 1 Rules

Vendor: Broadcom

Product MITRE ATT&CK® TTP Content
z/OS TA0011 - TA0011
  • 3 Rules

Vendor: CA Technologies

Product MITRE ATT&CK® TTP Content
CA Privileged Access Manager Server Control T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: CDS

Product MITRE ATT&CK® TTP Content
CDS T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Unix TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: CHCOM

Product MITRE ATT&CK® TTP Content
CHCOM T1078 - Valid Accounts
  • 1 Rules

Vendor: CatoNetworks

Product MITRE ATT&CK® TTP Content
Cato Cloud TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Check Point

Product MITRE ATT&CK® TTP Content
Check Point Anti-Malware T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Avanan T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Endpoint Security T1078 - Valid Accounts
  • 1 Rules
Check Point Identity Awareness T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Check Point NGFW T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 36 Rules
  • 9 Models
Check Point Security Gateway T1078 - Valid Accounts
  • 1 Rules
Check Point Threat Emulation T1078 - Valid Accounts
  • 1 Rules
SmartDefense TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cisco ACS

Product MITRE ATT&CK® TTP Content
Cisco ACS T1078 - Valid Accounts
  • 1 Rules

Vendor: Cisco Unified Communications Manager

Product MITRE ATT&CK® TTP Content
Cisco Unified Communications Manager T1078 - Valid Accounts
  • 1 Rules

Vendor: Cisco

Product MITRE ATT&CK® TTP Content
Airespace Wireless LAN Controller TA0002 - TA0002
  • 4 Rules
  • 2 Models
AnyConnect T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
Cisco T1078 - Valid Accounts
  • 1 Rules
Cisco ACI T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Cisco ACS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models
Cisco Adaptive Security Appliance T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 280 Rules
  • 41 Models
Cisco Cloud Web Security T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Cisco Cognitive Threat Analytics TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco DHCP T1078 - Valid Accounts
  • 1 Rules
Cisco Firepower T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 281 Rules
  • 41 Models
Cisco IOS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 250 Rules
  • 34 Models
Cisco ISE T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Cisco Meraki MX appliance T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 7 Models
Cisco Netflow TA0011 - TA0011
  • 3 Rules
Cisco PIX TA0011 - TA0011
  • 4 Rules
Cisco Secure Cloud Analytics TA0011 - TA0011
  • 3 Rules
Cisco Secure Email T1190 - Exploit Public Fasing Application
  • 1 Rules
Cisco Secure Endpoint T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cisco Secure Network Analytics TA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models
Cisco Secure Web Appliance T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Cisco SourceFire T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cisco Umbrella T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 28 Rules
  • 7 Models
Cisco Unified Communications Manager T1078 - Valid Accounts
  • 1 Rules
Duo Access T1078 - Valid Accounts
  • 1 Rules
IronPort Email T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: Citrix

Product MITRE ATT&CK® TTP Content
Citrix Gateway T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 251 Rules
  • 34 Models
Citrix ShareFile T1078 - Valid Accounts
  • 1 Rules
Citrix Virtual Apps T1078 - Valid Accounts
  • 1 Rules
Citrix Web App Firewall T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules

Vendor: Claroty

Product MITRE ATT&CK® TTP Content
CTD T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Claroty TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Clearsense

Product MITRE ATT&CK® TTP Content
Clearsense T1078 - Valid Accounts
  • 1 Rules

Vendor: Click Studios

Product MITRE ATT&CK® TTP Content
Passwordstate T1078 - Valid Accounts
  • 1 Rules

Vendor: Cloudflare

Product MITRE ATT&CK® TTP Content
Cloudflare CDN TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloudflare Insights T1078 - Valid Accounts
  • 1 Rules
Cloudflare WAF T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 35 Rules
  • 9 Models

Vendor: Code42

Product MITRE ATT&CK® TTP Content
Code42 Incydr T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: Cofense

Product MITRE ATT&CK® TTP Content
Cofense Phishme TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cohesity

Product MITRE ATT&CK® TTP Content
Cohesity DataPlatform T1078 - Valid Accounts
  • 1 Rules

Vendor: CrowdStrike

Product MITRE ATT&CK® TTP Content
Falcon T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 266 Rules
  • 37 Models

Vendor: CyberArk

Product MITRE ATT&CK® TTP Content
Cyberark Endpoint Protection Manager T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cyberark Privilege Access Management T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 16 Rules
  • 5 Models

Vendor: Cybereason

Product MITRE ATT&CK® TTP Content
Cybereason TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cylance

Product MITRE ATT&CK® TTP Content
Cylance PROTECT T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Damballa

Product MITRE ATT&CK® TTP Content
Damballa Failsafe TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Darktrace

Product MITRE ATT&CK® TTP Content
Darktrace T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Delinea

Product MITRE ATT&CK® TTP Content
Centrify Authentication Service T1078 - Valid Accounts
  • 1 Rules
Centrify Infrastructure Services T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models
Centrify Zero Trust Privilege Services T1078 - Valid Accounts
  • 1 Rules
Thycotic Software Secret Server T1078 - Valid Accounts
  • 1 Rules

Vendor: Dell

Product MITRE ATT&CK® TTP Content
EMC Isilon T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models
One Identity Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models
RSA Authentication Manager T1078 - Valid Accounts
  • 1 Rules
Sonicwall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 40 Rules
  • 9 Models

Vendor: Digital Guardian

Product MITRE ATT&CK® TTP Content
Digital Guardian Endpoint Protection T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 261 Rules
  • 36 Models
Digital Guardian Network DLP T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: Dropbox

Product MITRE ATT&CK® TTP Content
Dropbox T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Dtex Systems

Product MITRE ATT&CK® TTP Content
DTEX InTERCEPT T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 273 Rules
  • 41 Models

Vendor: Duo Access

Product MITRE ATT&CK® TTP Content
Duo Access T1078 - Valid Accounts
  • 1 Rules

Vendor: ESET

Product MITRE ATT&CK® TTP Content
ESET Endpoint Security T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ESector

Product MITRE ATT&CK® TTP Content
ESector DEFESA Logger T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Endgame

Product MITRE ATT&CK® TTP Content
Endgame EDR TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Entrust

Product MITRE ATT&CK® TTP Content
Entrust Identity Enterprise T1078 - Valid Accounts
  • 1 Rules

Vendor: Envoy

Product MITRE ATT&CK® TTP Content
Envoy T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: Epic

Product MITRE ATT&CK® TTP Content
Epic SIEM T1078 - Valid Accounts
  • 1 Rules

Vendor: Event Viewer - Security

Product MITRE ATT&CK® TTP Content
Event Viewer - Security T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Exabeam

Product MITRE ATT&CK® TTP Content
Advanced Analytics TA0002 - TA0002
  • 4 Rules
  • 2 Models
Audit Log T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models
Correlation Rule TA0002 - TA0002
  • 4 Rules
  • 2 Models
Search T1078 - Valid Accounts
  • 1 Rules

Vendor: Extrahop

Product MITRE ATT&CK® TTP Content
Extrahop Reveal(x) TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Extreme Networks

Product MITRE ATT&CK® TTP Content
ExtremeCloud IQ T1078 - Valid Accounts
  • 1 Rules
Zebra WLAN Management T1078 - Valid Accounts
  • 1 Rules

Vendor: F-Secure

Product MITRE ATT&CK® TTP Content
F-Secure Policy Manager T1078 - Valid Accounts
  • 1 Rules

Vendor: F5

Product MITRE ATT&CK® TTP Content
BIG-IP F5 LBR TA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 Access Policy Manager T1078 - Valid Accounts
  • 1 Rules
F5 Advanced Firewall Manager TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
F5 Advanced Web Application Firewall T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 253 Rules
  • 34 Models
F5 Application Security Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 BIG-IP T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0011 - TA0011
  • 4 Rules
F5 BIG-IP DNS T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 4 Rules
F5 Local Traffic Manager TA0011 - TA0011
  • 3 Rules
F5 Silverline TA0002 - TA0002
TA0011 - TA0011
  • 6 Rules
  • 2 Models

Vendor: FTP

Product MITRE ATT&CK® TTP Content
FTP T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: FileAuditor

Product MITRE ATT&CK® TTP Content
FileAuditor T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: FireEye

Product MITRE ATT&CK® TTP Content
FireEye CMS TA0002 - TA0002
  • 4 Rules
  • 2 Models
FireEye ETP T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
FireEye Endpoint Security (HX) TA0002 - TA0002
  • 4 Rules
  • 2 Models
FireEye Web MPS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Forcepoint Next-Gen Firewall

Product MITRE ATT&CK® TTP Content
Forcepoint Next-Gen Firewall TA0011 - TA0011
  • 3 Rules

Vendor: Forcepoint

Product MITRE ATT&CK® TTP Content
Forcepoint DLP T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Forcepoint Email Security T1190 - Exploit Public Fasing Application
  • 1 Rules
Forcepoint Email Security Gateway T1190 - Exploit Public Fasing Application
  • 1 Rules
Forcepoint Next-Gen Firewall T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Websense Security Gateway T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: Forescout

Product MITRE ATT&CK® TTP Content
Forescout CounterACT T1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor: Fortinet

Product MITRE ATT&CK® TTP Content
EnSilo TA0002 - TA0002
  • 4 Rules
  • 2 Models
FortiGate T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models
Fortinet Enterprise Firewall TA0011 - TA0011
  • 4 Rules
Fortinet UTM T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 31 Rules
  • 9 Models
Fortinet VPN T1078 - Valid Accounts
  • 1 Rules
Fortiweb Web Application Firewall T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: GTB

Product MITRE ATT&CK® TTP Content
GTB Technologies DLP T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Gamma

Product MITRE ATT&CK® TTP Content
Gamma TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: GitHub

Product MITRE ATT&CK® TTP Content
GitHub T1078 - Valid Accounts
  • 1 Rules

Vendor: GoAnywhere

Product MITRE ATT&CK® TTP Content
GoAnywhere MFT T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: Google

Product MITRE ATT&CK® TTP Content
GCP CloudAudit T1078 - Valid Accounts
  • 1 Rules
Google Cloud Platform T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1204.003 - T1204.003
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 41 Rules
  • 13 Models
Google Plus T1078 - Valid Accounts
  • 1 Rules
Google Workspace T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: HP

Product MITRE ATT&CK® TTP Content
Aruba ClearPass Policy Manager T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Aruba Mobility Master T1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controller T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
ArubaOS T1078 - Valid Accounts
  • 1 Rules
HP iLO T1078 - Valid Accounts
  • 1 Rules
HPE 3PAR StoreServ T1078 - Valid Accounts
  • 1 Rules
HPE Comware T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 255 Rules
  • 36 Models
NonStop T1078 - Valid Accounts
  • 1 Rules

Vendor: HashiCorp

Product MITRE ATT&CK® TTP Content
HashiCorp Vault T1078 - Valid Accounts
  • 1 Rules

Vendor: HelpSystems

Product MITRE ATT&CK® TTP Content
Powertech Identity and Access Manager T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models

Vendor: Hornet

Product MITRE ATT&CK® TTP Content
Hornetsecurity Cloud Email Security Services T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Huawei

Product MITRE ATT&CK® TTP Content
Huawei Enterprise Network Firewall TA0011 - TA0011
  • 4 Rules
Huawei Unified Security Gateway T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 252 Rules
  • 34 Models

Vendor: IBM

Product MITRE ATT&CK® TTP Content
HCL Notes T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 15 Rules
  • 4 Models
IBM Mainframe T1078 - Valid Accounts
  • 1 Rules
IBM Resource Access Control Facility T1078 - Valid Accounts
  • 1 Rules
IBM Sense TA0002 - TA0002
  • 4 Rules
  • 2 Models
Proventia Network IPS T1078 - Valid Accounts
  • 1 Rules
Sterling B2B Integrator T1078 - Valid Accounts
  • 1 Rules

Vendor: IMSS

Product MITRE ATT&CK® TTP Content
IMSS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: IMSVA

Product MITRE ATT&CK® TTP Content
IMSVA T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: IPTables

Product MITRE ATT&CK® TTP Content
IPTables FW TA0011 - TA0011
  • 4 Rules

Vendor: Illumio

Product MITRE ATT&CK® TTP Content
Illumio Core TA0011 - TA0011
  • 4 Rules

Vendor: Imperva

Product MITRE ATT&CK® TTP Content
Imperva Incapsula T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 7 Models
Imperva SecureSphere T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Imprivata

Product MITRE ATT&CK® TTP Content
Imprivata T1078 - Valid Accounts
  • 1 Rules

Vendor: InfoWatch

Product MITRE ATT&CK® TTP Content
InfoWatch DLP T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 36 Rules
  • 11 Models

Vendor: Infoblox

Product MITRE ATT&CK® TTP Content
BloxOne DDI T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
  • 17 Rules
  • 4 Models
Infoblox NIOS T1078 - Valid Accounts
  • 1 Rules

Vendor: Inky

Product MITRE ATT&CK® TTP Content
Inky Anti-Phishing TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Ipswitch

Product MITRE ATT&CK® TTP Content
MoveIt Transfer T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 4 Models

Vendor: IronNet

Product MITRE ATT&CK® TTP Content
IronDefense TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Ivanti

Product MITRE ATT&CK® TTP Content
Ivanti Pulse Secure T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models

Vendor: Juniper Networks

Product MITRE ATT&CK® TTP Content
Juniper Advanced Threat Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Juniper SRX Series T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Junos OS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models

Vendor: Kasada

Product MITRE ATT&CK® TTP Content
Kasada T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: Kaspersky

Product MITRE ATT&CK® TTP Content
Kaspersky AV TA0002 - TA0002
  • 4 Rules
  • 2 Models
Kaspersky Endpoint Security for Business T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Kemp

Product MITRE ATT&CK® TTP Content
Kemp LoadMaster T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Kiteworks

Product MITRE ATT&CK® TTP Content
Kiteworks T1078 - Valid Accounts
  • 1 Rules

Vendor: LanScope

Product MITRE ATT&CK® TTP Content
LanScope Cat T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 285 Rules
  • 44 Models

Vendor: LastPass

Product MITRE ATT&CK® TTP Content
LastPass T1078 - Valid Accounts
  • 1 Rules

Vendor: Lenel

Product MITRE ATT&CK® TTP Content
OnGuard T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: LiquidFiles

Product MITRE ATT&CK® TTP Content
LiquidFiles T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: LogRhythm

Product MITRE ATT&CK® TTP Content
LogRhythm T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0011 - TA0011
  • 5 Rules

Vendor: Lumension

Product MITRE ATT&CK® TTP Content
Lumension T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Magento

Product MITRE ATT&CK® TTP Content
Magento WAF T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models

Vendor: Malwarebytes

Product MITRE ATT&CK® TTP Content
Malwarebytes Endpoint Detection and Response TA0002 - TA0002
  • 4 Rules
  • 2 Models
Malwarebytes Endpoint Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Malwarebytes Incident Response TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ManageEngine

Product MITRE ATT&CK® TTP Content
ADAuditPlus T1078 - Valid Accounts
  • 1 Rules
ADManager Plus T1078 - Valid Accounts
  • 1 Rules
ADSSP T1078 - Valid Accounts
  • 1 Rules

Vendor: MasterSAM

Product MITRE ATT&CK® TTP Content
CA Privileged Access Manager Server Control T1078 - Valid Accounts
  • 1 Rules
MasterSAM PAM T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

Product MITRE ATT&CK® TTP Content
Advanced Threat Defense TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Application Control TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee DAM TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee DLP Endpoint T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models
McAfee DLP Prevent T1190 - Exploit Public Fasing Application
  • 1 Rules
McAfee Email Protection T1190 - Exploit Public Fasing Application
  • 1 Rules
McAfee Endpoint Security T1003.002 - T1003.002
T1047 - Windows Management Instrumentation
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1190 - Exploit Public Fasing Application
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 22 Rules
  • 6 Models
McAfee Enterprise Security Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Network Security Platform T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
McAfee SiteAdvisor TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Web Gateway T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
McAfee ePolicy Orchestrator T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Skyhigh Networks CASB T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Microsoft CAS

Product MITRE ATT&CK® TTP Content
Microsoft CAS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Microsoft Defender for Endpoint

Product MITRE ATT&CK® TTP Content
Microsoft Defender for Endpoint TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Microsoft

Product MITRE ATT&CK® TTP Content
Active Directory Federation Services T1078 - Valid Accounts
  • 1 Rules
Azure T1078 - Valid Accounts
  • 1 Rules
Azure AD Activity Logs T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 4 Rules
Azure AD Identity Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure AD Sign-In Logs T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Azure ATP TA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure Event Hub TA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure MFA T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Azure Monitor T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1204.003 - T1204.003
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 43 Rules
  • 13 Models
Azure Monitor - VM Insights T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models
Azure Sentinel TA0002 - TA0002
  • 4 Rules
  • 2 Models
Event Viewer - ADFS T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Event Viewer - Application T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
Event Viewer - Applocker T1078 - Valid Accounts
  • 1 Rules
Event Viewer - AzureADPasswordProtection-DCAgent T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1546.003 - T1546.003
TA0002 - TA0002
  • 4 Rules
Event Viewer - DFS-Replication T1078 - Valid Accounts
  • 1 Rules
Event Viewer - DNSServer T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 250 Rules
  • 34 Models
Event Viewer - NPS T1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLM T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Event Viewer - PowerShell T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
Event Viewer - Security T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 299 Rules
  • 54 Models
Event Viewer - System T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 280 Rules
  • 49 Models
Event Viewer - TaskScheduler T1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-Gateway T1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-LocalSessionManager T1078 - Valid Accounts
  • 1 Rules
M365 Audit Logs T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
MSSQL T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Microsoft T1003.002 - T1003.002
T1036 - Masquerading
T1059.001 - Command and Scripting Interperter: PowerShell
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1547.001 - T1547.001
T1569.002 - T1569.002
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 43 Rules
  • 21 Models
Microsoft 365 T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 259 Rules
  • 37 Models
Microsoft Advanced Threat Analytics T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Microsoft CAS T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Microsoft DHCP Log T1078 - Valid Accounts
  • 1 Rules
Microsoft DNS Log T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 5 Rules
Microsoft Defender for Cloud TA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft Defender for Endpoint T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 272 Rules
  • 43 Models
Microsoft Exchange T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Microsoft IIS T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Microsoft Network Policy Server T1078 - Valid Accounts
  • 1 Rules
Microsoft RRAS T1078 - Valid Accounts
  • 1 Rules
Microsoft WMI Log T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 248 Rules
  • 34 Models
Network Security Group Flow Logs TA0011 - TA0011
  • 4 Rules
Sysmon T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 271 Rules
  • 39 Models
Windows T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Windows Defender Application Control T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Mimecast

Product MITRE ATT&CK® TTP Content
Mimecast Secure Email Gateway T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
  • 2 Rules
Mimecast Targeted Threat Protection - URL T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: MobileIron

Product MITRE ATT&CK® TTP Content
MobileIron TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: MuleSoft

Product MITRE ATT&CK® TTP Content
MuleSoft Anypoint Platform T1078 - Valid Accounts
  • 1 Rules

Vendor: Mvision

Product MITRE ATT&CK® TTP Content
Mvision TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: NNT

Product MITRE ATT&CK® TTP Content
NNT ChangeTracker T1078 - Valid Accounts
  • 1 Rules

Vendor: Nagios

Product MITRE ATT&CK® TTP Content
Nagios T1078 - Valid Accounts
  • 1 Rules

Vendor: Nasuni

Product MITRE ATT&CK® TTP Content
Nasuni T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: NetApp

Product MITRE ATT&CK® TTP Content
NetApp T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: NetIQ

Product MITRE ATT&CK® TTP Content
Micro Focus NetIQ Identity Manager T1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

Product MITRE ATT&CK® TTP Content
Netskope IoT Security TA0002 - TA0002
  • 4 Rules
  • 2 Models
Netskope Security Cloud T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 45 Rules
  • 12 Models

Vendor: Netwrix

Product MITRE ATT&CK® TTP Content
Netwrix Auditor T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: NextDLP

Product MITRE ATT&CK® TTP Content
NextDLP T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Reveal T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 38 Rules
  • 12 Models

Vendor: Novell

Product MITRE ATT&CK® TTP Content
eDirectory TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nozomi Networks

Product MITRE ATT&CK® TTP Content
Nozomi Networks Guardian TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nutanix

Product MITRE ATT&CK® TTP Content
Nutanix Unified Storage T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: OSSEC

Product MITRE ATT&CK® TTP Content
OSSEC T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Okta

Product MITRE ATT&CK® TTP Content
Okta Adaptive MFA T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Onapsis

Product MITRE ATT&CK® TTP Content
Onapsis TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: OneLogin

Product MITRE ATT&CK® TTP Content
OneLogin T1078 - Valid Accounts
  • 1 Rules

Vendor: OneSpan

Product MITRE ATT&CK® TTP Content
Digipass for Apps T1078 - Valid Accounts
  • 1 Rules

Vendor: OneWelcome

Product MITRE ATT&CK® TTP Content
OneWelcome Cloud Identity Platform T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Open Shift

Product MITRE ATT&CK® TTP Content
OpenShift T1078 - Valid Accounts
  • 1 Rules

Vendor: Open VPN

Product MITRE ATT&CK® TTP Content
Open VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

Product MITRE ATT&CK® TTP Content
OpenDJ T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: Oracle

Product MITRE ATT&CK® TTP Content
Oracle Access Management T1078 - Valid Accounts
  • 1 Rules
Oracle Database T1078 - Valid Accounts
  • 1 Rules
Oracle Public Cloud T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules

Vendor: Osquery

Product MITRE ATT&CK® TTP Content
Osquery T1078 - Valid Accounts
  • 1 Rules

Vendor: Palo Alto Networks

Product MITRE ATT&CK® TTP Content
Cortex XDR T1078 - Valid Accounts
  • 1 Rules
GlobalProtect T1078 - Valid Accounts
  • 1 Rules
Palo Alto Aperture TA0002 - TA0002
  • 4 Rules
  • 2 Models
Palo Alto NGFW T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 41 Rules
  • 9 Models
Palo Alto Networks TA0011 - TA0011
  • 4 Rules
Palo Alto WildFire T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Panorama T1078 - Valid Accounts
  • 1 Rules
Prisma Cloud T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Traps Endpoint Security Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Password Manager Pro

Product MITRE ATT&CK® TTP Content
Password Manager Pro T1078 - Valid Accounts
  • 1 Rules

Vendor: Ping Identity

Product MITRE ATT&CK® TTP Content
Ping Identity T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
PingOne T1078 - Valid Accounts
  • 1 Rules

Vendor: Postfix

Product MITRE ATT&CK® TTP Content
Postfix T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: Progress

Product MITRE ATT&CK® TTP Content
Progress Database T1078 - Valid Accounts
  • 1 Rules

Vendor: Proofpoint

Product MITRE ATT&CK® TTP Content
ObserveIT T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
Proofpoint Email Protection T1190 - Exploit Public Fasing Application
  • 1 Rules
Proofpoint Enterprise Protection T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
  • 2 Rules
Targeted Attack Platform T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: QUSH

Product MITRE ATT&CK® TTP Content
Reveal T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 38 Rules
  • 12 Models

Vendor: Quest Software

Product MITRE ATT&CK® TTP Content
Quest Change Auditor for Active Directory T1078 - Valid Accounts
  • 1 Rules

Vendor: RSA

Product MITRE ATT&CK® TTP Content
RSA Adaptive Authentication T1078 - Valid Accounts
  • 1 Rules
RSA Authentication Manager T1078 - Valid Accounts
  • 1 Rules
RSA DLP T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
RSA ECAT TA0002 - TA0002
  • 4 Rules
  • 2 Models
RSA NetWitness Platform T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules

Vendor: RStudio

Product MITRE ATT&CK® TTP Content
RStudio Server T1078 - Valid Accounts
  • 1 Rules

Vendor: Radware

Product MITRE ATT&CK® TTP Content
Radware WAF TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Rapid7

Product MITRE ATT&CK® TTP Content
Rapid7 InsightVM TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: RightCrowd

Product MITRE ATT&CK® TTP Content
RightCrowd T1078 - Valid Accounts
  • 1 Rules

Vendor: Rubrik

Product MITRE ATT&CK® TTP Content
Rubrik Cloud Data Management T1078 - Valid Accounts
  • 1 Rules

Vendor: Ruckus

Product MITRE ATT&CK® TTP Content
Ruckus T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: SAP

Product MITRE ATT&CK® TTP Content
SAP T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 16 Rules
  • 4 Models
SuccessFactors T1078 - Valid Accounts
  • 1 Rules

Vendor: SIGSCI

Product MITRE ATT&CK® TTP Content
SIGSCI T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 7 Models

Vendor: SafeSend

Product MITRE ATT&CK® TTP Content
SafeSend T1190 - Exploit Public Fasing Application
  • 1 Rules

Vendor: Safend

Product MITRE ATT&CK® TTP Content
Data Protection Suite (DPS) T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Safenet

Product MITRE ATT&CK® TTP Content
Thales T1078 - Valid Accounts
  • 1 Rules

Vendor: Sailpoint

Product MITRE ATT&CK® TTP Content
IdentityNow T1078 - Valid Accounts
  • 1 Rules

Vendor: Salesforce

Product MITRE ATT&CK® TTP Content
Salesforce T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Sangfor

Product MITRE ATT&CK® TTP Content
Sangfor NGAF TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: SecurEnvoy

Product MITRE ATT&CK® TTP Content
SecureEnvoy Multi-Factor Authentication T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

Product MITRE ATT&CK® TTP Content
SecureAuth IDP T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
SecureAuth Login T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureLink

Product MITRE ATT&CK® TTP Content
SecureLink T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureNet

Product MITRE ATT&CK® TTP Content
SecureNet T1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

Product MITRE ATT&CK® TTP Content
Semperis DSP T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: SentinelOne

Product MITRE ATT&CK® TTP Content
Singularity Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 296 Rules
  • 46 Models
Vigilance T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ServiceNow

Product MITRE ATT&CK® TTP Content
ServiceNow T1078 - Valid Accounts
  • 1 Rules

Vendor: Shibboleth

Product MITRE ATT&CK® TTP Content
Shibboleth T1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

Product MITRE ATT&CK® TTP Content
Silverfort Authentication Platform T1078 - Valid Accounts
  • 1 Rules

Vendor: SiteMinder

Product MITRE ATT&CK® TTP Content
Symantec SiteMinder T1078 - Valid Accounts
  • 1 Rules

Vendor: SiteSpect

Product MITRE ATT&CK® TTP Content
SiteSpect T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models

Vendor: SkySea

Product MITRE ATT&CK® TTP Content
SkySea ClientView T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 285 Rules
  • 44 Models

Vendor: Skyformation

Product MITRE ATT&CK® TTP Content
Skyformation T1078 - Valid Accounts
  • 1 Rules

Vendor: Snort

Product MITRE ATT&CK® TTP Content
Snort TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Sophos

Product MITRE ATT&CK® TTP Content
Sophos Endpoint Protection T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 40 Rules
  • 12 Models
Sophos UTM T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models
Sophos XG Firewall T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules

Vendor: Splunk

Product MITRE ATT&CK® TTP Content
Splunk ES T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules

Vendor: Squid

Product MITRE ATT&CK® TTP Content
Squid T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models

Vendor: StealthBits

Product MITRE ATT&CK® TTP Content
StealthBits Stealth Defend TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: SunOne

Product MITRE ATT&CK® TTP Content
SunOne T1078 - Valid Accounts
  • 1 Rules

Vendor: Suricata

Product MITRE ATT&CK® TTP Content
Suricata TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Swivel

Product MITRE ATT&CK® TTP Content
Swivel T1078 - Valid Accounts
  • 1 Rules

Vendor: Symantec

Product MITRE ATT&CK® TTP Content
Symantec Advanced Threat Protection T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 268 Rules
  • 39 Models
Symantec CloudSOC TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec Content Analysis System TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec Critical System Protection T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec DLP T1003.002 - T1003.002
T1190 - Exploit Public Fasing Application
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Symantec Email Security T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Endpoint Protection T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 18 Rules
  • 5 Models
Symantec Managed Security Services TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec VIP T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
Symantec Web Security Service T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 28 Rules
  • 7 Models

Vendor: Sysdig

Product MITRE ATT&CK® TTP Content
Sysdig Monitor TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tanium Core Platform

Product MITRE ATT&CK® TTP Content
Tanium Core Platform T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Tanium

Product MITRE ATT&CK® TTP Content
Tanium Cloud Platform T1078 - Valid Accounts
  • 1 Rules
Tanium Core Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
Tanium Integrity Monitor T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 259 Rules
  • 36 Models

Vendor: Tenable.io

Product MITRE ATT&CK® TTP Content
Tenable.io TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Thales Group

Product MITRE ATT&CK® TTP Content
Gemalto MFA T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: ThreatBlockr

Product MITRE ATT&CK® TTP Content
ThreatBlockr T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 6 Rules

Vendor: Trend Micro

Product MITRE ATT&CK® TTP Content
Deep Discovery Inspector T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Deep Security T1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 9 Rules
  • 2 Models
OfficeScan T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 42 Rules
  • 12 Models
TippingPoint NGIPS TA0002 - TA0002
  • 4 Rules
  • 2 Models
Trend Micro T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models
Trend Micro InterScan Web Security T1078 - Valid Accounts
  • 1 Rules
Trend Micro ScanMail TA0002 - TA0002
  • 4 Rules
  • 2 Models
Vision One TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tripwire Enterprise

Product MITRE ATT&CK® TTP Content
Tripwire Enterprise TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tyco

Product MITRE ATT&CK® TTP Content
CCURE Building Management System T1078 - Valid Accounts
  • 1 Rules

Vendor: Ubiquiti

Product MITRE ATT&CK® TTP Content
Unifi Access Point T1078 - Valid Accounts
  • 1 Rules

Vendor: Unix

Product MITRE ATT&CK® TTP Content
Auditbeat T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 259 Rules
  • 36 Models
Unix T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 262 Rules
  • 37 Models
Unix Auditd T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 250 Rules
  • 34 Models
Unix Named T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 6 Rules
Unix Privilege Management TA0002 - TA0002
  • 4 Rules
  • 2 Models
Unix Sendmail T1190 - Exploit Public Fasing Application
  • 1 Rules
Unix dhcpd T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
rsyslog TA0011 - TA0011
  • 2 Rules

Vendor: VBCorp

Product MITRE ATT&CK® TTP Content
VBCorp TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: VMware

Product MITRE ATT&CK® TTP Content
Carbon Black App Control T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 249 Rules
  • 34 Models
Carbon Black CES T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 265 Rules
  • 39 Models
Carbon Black EDR T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 260 Rules
  • 36 Models
NSX Distributed Firewall TA0011 - TA0011
  • 4 Rules
VMware AirWatch T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 6 Rules
  • 2 Models
VMware ESXi T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 27 Rules
  • 7 Models
VMware Horizon T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
VMware NSX T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
VMware View T1078 - Valid Accounts
  • 1 Rules

Vendor: Varonis

Product MITRE ATT&CK® TTP Content
Varonis Data Security Platform TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vectra

Product MITRE ATT&CK® TTP Content
Vectra Cognito Detect TA0002 - TA0002
  • 4 Rules
  • 2 Models
Vectra Cognito Stream T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 42 Rules
  • 11 Models

Vendor: Verizon

Product MITRE ATT&CK® TTP Content
Verizon NDR TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ViaScope

Product MITRE ATT&CK® TTP Content
ViaScope IPScan T1078 - Valid Accounts
  • 1 Rules

Vendor: Virtru

Product MITRE ATT&CK® TTP Content
Virtru TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vormetric

Product MITRE ATT&CK® TTP Content
Vormetric T1078 - Valid Accounts
  • 1 Rules

Vendor: Wazuh

Product MITRE ATT&CK® TTP Content
Wazuh T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: Wiz

Product MITRE ATT&CK® TTP Content
Wiz T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Workday

Product MITRE ATT&CK® TTP Content
Workday T1078 - Valid Accounts
  • 1 Rules

Vendor: Xceedium

Product MITRE ATT&CK® TTP Content
Xceedium T1078 - Valid Accounts
  • 1 Rules

Vendor: Xiting

Product MITRE ATT&CK® TTP Content
XAMS T1078 - Valid Accounts
  • 1 Rules

Vendor: Zeek

Product MITRE ATT&CK® TTP Content
Zeek T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 54 Rules
  • 12 Models

Vendor: Zendesk

Product MITRE ATT&CK® TTP Content
Zendesk T1078 - Valid Accounts
  • 1 Rules

Vendor: Zimperium

Product MITRE ATT&CK® TTP Content
Zimperium MTD TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Zscaler

Product MITRE ATT&CK® TTP Content
Zscaler Internet Access T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 35 Rules
  • 9 Models
Zscaler Private Access T1078 - Valid Accounts
  • 1 Rules

Vendor: hMail

Product MITRE ATT&CK® TTP Content
hMailServer T1078 - Valid Accounts
  • 1 Rules

Vendor: iManage

Product MITRE ATT&CK® TTP Content
iManage T1078 - Valid Accounts
  • 1 Rules

Vendor: oVirt

Product MITRE ATT&CK® TTP Content
oVirt T1078 - Valid Accounts
  • 1 Rules

Vendor: pfSense

Product MITRE ATT&CK® TTP Content
pfSense TA0011 - TA0011
  • 4 Rules