Vendor: Cisco

Product: Cisco Firepower

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|:-----:|:------:|:------------------:|:--------------:|:-------:|
| 652 | 183 | 138 | 16 | 55 |

Use-Case: Abnormal Authentication & Access

Activity Types/Parsers:

- app-activity
  - ↳cisco-fp-str-ssl-start-725001
  - ↳cisco-fp-kv-vpn-authentication-success-713120
  - ↳cisco-fp-str-vpn-authentication-113008
  - ↳cisco-fp-kv-app-authentication-113008
  - ↳cisco-fp-kv-app-authentication-602101
  - ↳cisco-fp-str-app-authentication-113009
  - ↳cisco-fp-kv-app-authentication-success-original
  - ↳cisco-asa-str-app-authentication-113009-1
- app-login
  - ↳cisco-fp-str-network-session-302020
- audit-log-clear
  - ↳cisco-fp-str-ssl-close-725007
  - ↳cisco-fp-str-network-notification-302010
  - ↳cisco-fp-str-app-notification-failover
  - ↳cisco-fp-str-app-notification-737003
  - ↳cisco-fp-str-app-notification-210007
  - ↳cisco-fp-str-ssl-traffic-725016
  - ↳cisco-fp-str-ssl-traffic-725003
  - ↳cisco-fp-str-app-time-modify-771002
  - ↳cisco-fp-str-network-notification-success-713257
  - ↳cisco-fp-str-network-traffic-fail-106023
- authentication-failed
  - ↳cisco-fp-str-user-modify-113003
  - ↳cisco-fp-kv-user-modify-success-109207
  - ↳cisco-fp-kv-user-delete-success-109210
  - ↳cisco-fp-kv-vpn-authentication-success-713049
  - ↳cisco-fp-str-vpn-authentication-success-113011
- authentication-successful
  - ↳cisco-fp-str-ip-assign-737034
  - ↳cisco-fp-str-network-start-success-710002
  - ↳cisco-fp-kv-network-traffic-fail-313005
  - ↳cisco-asa-kv-network-session-fail-106010
  - ↳cisco-fp-str-network-traffic-fail-106015
- nac-logon
  - ↳cisco-fp-kv-radius-traffic-success-113004
  - ↳cisco-firepower-csv-app-activity-30501
  - ↳cisco-fp-str-app-activity-305011
  - ↳cisco-firepower-json-app-activity-appactivity
  - ↳cisco-fp-str-app-activity-success-609001
  - ↳cisco-fp-str-app-activity-ids
  - ↳cisco-fp-str-app-activity-success-609002
- vpn-logout
  - ↳cisco-fp-str-vpn-logout-success-602304
- web-activity-allowed
  - ↳cisco-fp-kv-http-session-policy
  - ↳cisco-fp-kv-user-create-success-109201
  - ↳cisco-fp-str-app-authentication-success-750006
  - ↳cisco-fp-str-app-authentication-success-750007
  - ↳cisco-fp-kv-app-authentication-success-750001
- web-activity-denied
  - ↳cisco-fp-kv-http-session-policy

MITRE ATT&CK® TTP:

- T1021 - Remote Services
- T1071.001 - Application Layer Protocol: Web Protocols
- T1078 - Valid Accounts
- T1133 - External Remote Services

Content: 41 Rules, 16 Models

Use-Case: Account Manipulation

Activity Types/Parsers:

- app-activity
  - ↳cisco-fp-str-ssl-start-725001
  - ↳cisco-fp-kv-vpn-authentication-success-713120
  - ↳cisco-fp-str-vpn-authentication-113008
  - ↳cisco-fp-kv-app-authentication-113008
  - ↳cisco-fp-kv-app-authentication-602101
  - ↳cisco-fp-str-app-authentication-113009
  - ↳cisco-fp-kv-app-authentication-success-original
  - ↳cisco-asa-str-app-authentication-113009-1
- process-created
  - ↳cisco-fp-str-process-create-success-111010
  - ↳cisco-asa-str-process-create-success-111009
  - ↳cisco-fp-str-process-create-success-111008
- vpn-logout
  - ↳cisco-fp-str-vpn-logout-success-602304

MITRE ATT&CK® TTP:

- T1003 - OS Credential Dumping
- T1003.003 - T1003.003
- T1021.003 - T1021.003
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - T1059.003
- T1078 - Valid Accounts
- T1098 - Account Manipulation
- T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
- T1136 - Create Account
- T1136.001 - Create Account: Create: Local Account
- T1218.010 - Signed Binary Proxy Execution: Regsvr32
- T1484 - Group Policy Modification
- T1531 - Account Access Removal
- T1559.002 - T1559.002

Content: 24 Rules, 14 Models

Use-Case: Brute Force Attack

Activity Types/Parsers:

- vpn-logout
  - ↳cisco-fp-str-vpn-logout-success-602304

MITRE ATT&CK® TTP:

- T1110 - Brute Force

Content: 1 Rules, 1 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access

- Phishing: Spearphishing Link
- External Remote Services
- Valid Accounts
- Drive-by Compromise
- Exploit Public-Facing Application
- Phishing

Execution

- Windows Management Instrumentation
- Command and Scripting Interpreter
- Scheduled Task/Job
- Inter-Process Communication
- System Services
- Exploitation for Client Execution
- User Execution
- Scheduled Task/Job: Scheduled Task
- Command and Scripting Interpreter: PowerShell
- Scheduled Task/Job: At (Windows)

Persistence

- Pre-OS Boot
- Create Account
- Create or Modify System Process
- External Remote Services
- Valid Accounts
- Hijack Execution Flow
- Server Software Component: Web Shell
- Account Manipulation
- BITS Jobs
- Create or Modify System Process: Windows Service
- Scheduled Task/Job
- Server Software Component
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Create Account: Create: Local Account
- Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation

- Access Token Manipulation: Token Impersonation/Theft
- Create or Modify System Process
- Valid Accounts
- Access Token Manipulation
- Exploitation for Privilege Escalation
- Hijack Execution Flow
- Group Policy Modification
- Process Injection
- Scheduled Task/Job
- Abuse Elevation Control Mechanism
- Event Triggered Execution
- Boot or Logon Autostart Execution
- Process Injection: Dynamic-link Library Injection
- Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion

- Hide Artifacts
- Indirect Command Execution
- Impair Defenses
- Indicator Removal on Host: Clear Windows Event Logs
- Group Policy Modification
- Trusted Developer Utilities Proxy Execution
- Masquerading: Match Legitimate Name or Location
- Masquerading: Rename System Utilities
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Obfuscated Files or Information: Compile After Delivery
- Obfuscated Files or Information: Indicator Removal from Tools
- Hijack Execution Flow: DLL Side-Loading
- Masquerading
- Valid Accounts
- Modify Registry
- BITS Jobs
- Use Alternate Authentication Material
- Hide Artifacts: NTFS File Attributes
- Indicator Removal on Host
- Use Alternate Authentication Material: Pass the Ticket
- Pre-OS Boot
- File and Directory Permissions Modification
- Deobfuscate/Decode Files or Information
- Abuse Elevation Control Mechanism
- Impair Defenses: Disable or Modify System Firewall
- Obfuscated Files or Information
- Signed Binary Proxy Execution: Compiled HTML File
- Access Token Manipulation
- Hijack Execution Flow
- Process Injection
- Signed Binary Proxy Execution: Msiexec
- Signed Binary Proxy Execution
- Signed Binary Proxy Execution: Regsvcs/Regasm
- Signed Binary Proxy Execution: CMSTP
- Signed Binary Proxy Execution: Control Panel
- Signed Binary Proxy Execution: InstallUtil
- Signed Binary Proxy Execution: Regsvr32
- Trusted Developer Utilities Proxy Execution: MSBuild
- Signed Binary Proxy Execution: Rundll32

Credential Access

- OS Credential Dumping
- Unsecured Credentials
- Brute Force
- Steal or Forge Kerberos Tickets
- Credentials from Password Stores
- Steal or Forge Kerberos Tickets: Kerberoasting
- Network Sniffing

Discovery

- Account Discovery
- Domain Trust Discovery
- System Service Discovery
- System Network Connections Discovery
- Account Discovery: Local Account
- Account Discovery: Domain Account
- File and Directory Discovery
- Network Sniffing
- System Information Discovery
- Network Share Discovery
- Query Registry
- Process Discovery
- System Owner/User Discovery
- Software Discovery
- Remote System Discovery
- System Network Configuration Discovery

Lateral Movement

- Exploitation of Remote Services
- Remote Service Session Hijacking
- Remote Services
- Remote Services: SMB/Windows Admin Shares
- Use Alternate Authentication Material
- Remote Services: Remote Desktop Protocol
- Internal Spearphishing

Collection

- Screen Capture
- Email Collection
- Audio Capture
- Archive Collected Data
- Email Collection: Email Forwarding Rule

Command and Control

- Web Service
- Protocol Tunneling
- Application Layer Protocol: DNS
- Application Layer Protocol: File Transfer Protocols
- Application Layer Protocol: Web Protocols
- Remote Access Software
- Dynamic Resolution
- Ingress Tool Transfer
- Dynamic Resolution: Domain Generation Algorithms
- Proxy: Multi-hop Proxy
- Application Layer Protocol
- Proxy

Exfiltration

- Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Exfiltration Over Physical Medium: Exfiltration over USB
- Exfiltration Over C2 Channel
- Exfiltration Over Physical Medium
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Exfiltration Over Web Service

Impact

- Account Access Removal
- Resource Hijacking
- Data Encrypted for Impact
- Inhibit System Recovery