Skip to content

Latest commit

 

History

History
22 lines (20 loc) · 13.2 KB

ds_symantec_symantec_endpoint_protection.md

File metadata and controls

22 lines (20 loc) · 13.2 KB

Vendor: Symantec

Product: Symantec Endpoint Protection

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
292 111 28 12 34
Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access app-activity
symantec-endpointprotection-kv-app-notification-eventdescription

app-login
symantec-s-sk4-app-activity-auditevent

nac-logon
symantec-endpointprotection-json-app-activity-appactivity-1
symantec-endpointprotection-kv-app-activity-category
symantec-endpointprotection-kv-app-activity-symantecserver
symantec-endpointprotection-json-app-activity-appactivity
 T1021 - Remote Services
T1078 - Valid Accounts
T1133 - External Remote Services
  • 18 Rules
  • 7 Models
Account Manipulation app-activity
symantec-endpointprotection-kv-app-notification-eventdescription
 T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Data Exfiltration file-alert
symantec-endpointprotection-json-alert-trigger-success-malwareprotection

file-write
symantec-endpointprotection-json-file-write-success-filewrite
 TA0002 - TA0002
  • 2 Rules
  • 1 Models
Data Leak app-activity
symantec-endpointprotection-kv-app-notification-eventdescription

file-write
symantec-endpointprotection-json-file-write-success-filewrite

usb-write
symantec-endpointprotection-csv-file-write-success-fichier
 T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
T1091 - Replication Through Removable Media
T1114.001 - T1114.001
T1114.003 - Email Collection: Email Forwarding Rule
  • 19 Rules
  • 4 Models
Privilege Escalation app-activity
symantec-endpointprotection-kv-app-notification-eventdescription
 T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

Replication Through Removable Media

 Command and Scripting Interperter

Scheduled Task/Job

Command and Scripting Interperter: PowerShell

 External Remote Services

Valid Accounts

Server Software Component: Web Shell

Account Manipulation

Scheduled Task/Job

Server Software Component

Boot or Logon Autostart Execution

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Exploitation for Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

 Impair Defenses

Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

 OS Credential Dumping

 File and Directory Discovery

 Remote Services

Replication Through Removable Media

 Email Collection

Email Collection: Email Forwarding Rule

 Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Exfiltration Over Physical Medium

 Resource Hijacking

Data Encrypted for Impact