ds_cisco_duo_access.md

File metadata and controls

24 lines (22 loc) · 18.6 KB

Vendor: Cisco

Product: Duo Access

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
| --- | --- | --- | --- | --- |
| 181 | 68 | 25 | 11 | 26 |
| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
| --- | --- | --- | --- |
| Abnormal Authentication & Access | account-creation<br>cisco-duo-json-user-create-success-usercreate<br>cisco-duo-json-app-activity-success-api<br><br>account-deleted<br>cisco-duo-json-app-activity-success-api<br><br>account-lockout<br>cisco-duo-str-user-lock-success-adminlockout<br><br>account-password-reset<br>cisco-duo-str-user-password-reset-success-authattempts<br><br>app-activity<br>cisco-duo-sk4-app-activity-success-useradded<br>cisco-duo-kv-app-activity-success-sendenrollcode<br>cisco-duo-json-app-activity-success-userpending<br>cisco-duo-json-app-activity-success-admindelete<br>cisco-duo-sk4-app-activity-success-app-userupdate<br>cisco-duo-json-app-activity-success-adminselfactivate<br>cisco-duo-json-app-activity-success-usercreate-1<br>cisco-duo-sk4-app-activity-success-admincreate-1<br>cisco-duo-json-app-activity-success-user<br>cisco-duo-json-app-activity-success-phoneupdate<br>cisco-duo-sk4-app-activity-success-useradminupdate<br>cisco-duo-kv-app-activity-success-userupdate<br>cisco-duo-json-app-activity-success-adminactivate<br>cisco-duo-json-app-activity-success-phonecreate<br>cisco-duo-json-app-activity-success-adminupdate-1<br>cisco-duo-json-app-activity-success-api<br>cisco-duo-json-app-activity-success-updateuser<br><br>app-login<br>cisco-duo-kv-app-login-success-adminlogin<br>cisco-duo-cef-app-login-success-success<br>cisco-duo-json-app-login-success-adminlogin-1<br><br>authentication-failed<br>cisco-duo-kv-endpoint-authentication-auth<br>cisco-duo-json-endpoint-authentication-authfailed<br>cisco-duo-json-endpoint-authentication-ip<br>cisco-duo-cef-endpoint-authentication-mfaservice<br>cisco-duo-json-endpoint-authentication-result<br>cisco-duo-kv-endpoint-authentication-fail-failure<br><br>authentication-successful<br>cisco-duo-kv-endpoint-authentication-auth<br>cisco-duo-json-endpoint-authentication-authfailed<br>cisco-duo-json-endpoint-authentication-ip<br>cisco-duo-cef-endpoint-authentication-mfaservice<br>cisco-duo-json-endpoint-authentication-result<br>cisco-duo-kv-endpoint-authentication-success-success<br><br>failed-app-login<br>cisco-duo-kv-app-login-fail-adminloginerror<br>cisco-duo-csv-app-login-fail-failure<br><br>failed-vpn-login<br>cisco-duo-cef-vpn-login-fail-loginfailure<br><br>web-activity-allowed<br>cisco-duo-str-app-activity-success-activationcomplete<br>cisco-duo-str-app-activity-success-passwordset<br>cisco-duo-str-app-activity-success-activationsendemail | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | 23 Rules<br>11 Models |
| Account Manipulation | account-creation<br>cisco-duo-json-user-create-success-usercreate<br>cisco-duo-json-app-activity-success-api<br><br>account-deleted<br>cisco-duo-json-app-activity-success-api<br><br>account-password-reset<br>cisco-duo-str-user-password-reset-success-authattempts<br><br>app-activity<br>cisco-duo-sk4-app-activity-success-useradded<br>cisco-duo-kv-app-activity-success-sendenrollcode<br>cisco-duo-json-app-activity-success-userpending<br>cisco-duo-json-app-activity-success-admindelete<br>cisco-duo-sk4-app-activity-success-app-userupdate<br>cisco-duo-json-app-activity-success-adminselfactivate<br>cisco-duo-json-app-activity-success-usercreate-1<br>cisco-duo-sk4-app-activity-success-admincreate-1<br>cisco-duo-json-app-activity-success-user<br>cisco-duo-json-app-activity-success-phoneupdate<br>cisco-duo-sk4-app-activity-success-useradminupdate<br>cisco-duo-kv-app-activity-success-userupdate<br>cisco-duo-json-app-activity-success-adminactivate<br>cisco-duo-json-app-activity-success-phonecreate<br>cisco-duo-json-app-activity-success-adminupdate-1<br>cisco-duo-json-app-activity-success-api<br>cisco-duo-json-app-activity-success-updateuser | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1136 - Create Account<br>T1136.001 - Create Account: Local Account<br>T1136.002 - Create Account: Domain Account<br>T1531 - Account Access Removal | 34 Rules<br>14 Models |
| Brute Force Attack | account-lockout<br>cisco-duo-str-user-lock-success-adminlockout | T1110 - Brute Force | 1 Rule |
| Cryptomining | web-activity-allowed<br>cisco-duo-str-app-activity-success-activationcomplete<br>cisco-duo-str-app-activity-success-passwordset<br>cisco-duo-str-app-activity-success-activationsendemail | T1071.001 - Application Layer Protocol: Web Protocols<br>T1496 - Resource Hijacking | 3 Rules |
| Data Exfiltration | web-activity-allowed<br>cisco-duo-str-app-activity-success-activationcomplete<br>cisco-duo-str-app-activity-success-passwordset<br>cisco-duo-str-app-activity-success-activationsendemail | T1041 - Exfiltration Over C2 Channel<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1567 - Exfiltration Over Web Service<br>T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>T1568 - Dynamic Resolution<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 7 Rules<br>2 Models |
| Phishing | web-activity-allowed<br>cisco-duo-str-app-activity-success-activationcomplete<br>cisco-duo-str-app-activity-success-passwordset<br>cisco-duo-str-app-activity-success-activationsendemail | T1189 - Drive-by Compromise<br>T1204.001 - User Execution: Malicious Link<br>T1534 - Internal Spearphishing<br>T1566.002 - Phishing: Spearphishing Link<br>T1598.003 - Phishing for Information: Spearphishing Link | 3 Rules |
| Workforce Protection | web-activity-allowed<br>cisco-duo-str-app-activity-success-activationcomplete<br>cisco-duo-str-app-activity-success-passwordset<br>cisco-duo-str-app-activity-success-activationsendemail | T1071.001 - Application Layer Protocol: Web Protocols | 4 Rules<br>2 Models |
MITRE ATT&CK® Framework for Enterprise

| Tactic | Techniques |
| --- | --- |
| Initial Access | Phishing: Spearphishing Link<br>External Remote Services<br>Valid Accounts<br>Drive-by Compromise<br>Exploit Public-Facing Application<br>Phishing |
| Execution | User Execution |
| Persistence | Create Account<br>External Remote Services<br>Valid Accounts<br>Account Manipulation<br>Create Account: Local Account<br>Account Manipulation: Exchange Email Delegate Permissions |
| Privilege Escalation | Valid Accounts |
| Defense Evasion | Valid Accounts |
| Credential Access | Brute Force |
| Discovery | (no techniques listed) |
| Lateral Movement | Internal Spearphishing |
| Collection | Email Collection<br>Email Collection: Email Forwarding Rule |
| Command and Control | Web Service<br>Application Layer Protocol: Web Protocols<br>Dynamic Resolution<br>Dynamic Resolution: Domain Generation Algorithms<br>Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy |
| Exfiltration | Exfiltration Over C2 Channel<br>Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>Exfiltration Over Web Service |
| Impact | Account Access Removal<br>Resource Hijacking |