Skip to content

Latest commit

 

History

History
402 lines (400 loc) · 314 KB

uc_privilege_escalation.md

File metadata and controls

402 lines (400 loc) · 314 KB

Use Case: Privilege Escalation

Vendor: Absolute

Product MITRE ATT&CK® TTP Content
Absolute SIEM Connector T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Accellion

Product MITRE ATT&CK® TTP Content
Kiteworks T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Airlock

Product MITRE ATT&CK® TTP Content
Airlock Allowlisting T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Amazon

Product MITRE ATT&CK® TTP Content
AWS CloudTrail T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Apache

Product MITRE ATT&CK® TTP Content
Apache Subversion T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Auth0

Product MITRE ATT&CK® TTP Content
Auth0 T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 3 Rules
  • 1 Models

Vendor: Axway

Product MITRE ATT&CK® TTP Content
Axway Gateway T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Barracuda

Product MITRE ATT&CK® TTP Content
Barracuda Cloudgen Firewall T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 3 Rules
  • 1 Models

Vendor: BeyondTrust

Product MITRE ATT&CK® TTP Content
BeyondInsight T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 58 Rules
  • 13 Models
BeyondTrust T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 60 Rules
  • 14 Models
BeyondTrust Privileged Identity T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 13 Rules
  • 7 Models
BeyondTrust Secure Remote Access T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: CA Technologies

Product MITRE ATT&CK® TTP Content
CA Privileged Access Manager Server Control T1078 - Valid Accounts
T1555.005 - T1555.005
  • 12 Rules
  • 7 Models

Vendor: CDS

Product MITRE ATT&CK® TTP Content
CDS T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 3 Rules
  • 1 Models

Vendor: Check Point

Product MITRE ATT&CK® TTP Content
Check Point NGFW T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 7 Rules
  • 6 Models
Check Point Security Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: Cisco

Product MITRE ATT&CK® TTP Content
AnyConnect T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models
Cisco T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco ACS T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Cisco Adaptive Security Appliance T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 55 Rules
  • 12 Models
Cisco Firepower T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 53 Rules
  • 11 Models
Cisco IOS T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 47 Rules
  • 7 Models
Cisco ISE T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 6 Rules
  • 2 Models
Duo Access T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Citrix

Product MITRE ATT&CK® TTP Content
Citrix Gateway T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 53 Rules
  • 11 Models
Citrix ShareFile T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Citrix Virtual Apps T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Claroty

Product MITRE ATT&CK® TTP Content
CTD T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Click Studios

Product MITRE ATT&CK® TTP Content
Passwordstate T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 2 Models

Vendor: Cloudflare

Product MITRE ATT&CK® TTP Content
Cloudflare Insights T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Code42

Product MITRE ATT&CK® TTP Content
Code42 Incydr T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: CrowdStrike

Product MITRE ATT&CK® TTP Content
Falcon T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 50 Rules
  • 8 Models

Vendor: CyberArk

Product MITRE ATT&CK® TTP Content
Cyberark Privilege Access Management T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 16 Rules
  • 8 Models

Vendor: Delinea

Product MITRE ATT&CK® TTP Content
Centrify Infrastructure Services T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Centrify Zero Trust Privilege Services T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Dell

Product MITRE ATT&CK® TTP Content
One Identity Manager T1078 - Valid Accounts
T1555.005 - T1555.005
  • 10 Rules
  • 6 Models
Sonicwall T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 7 Rules
  • 6 Models

Vendor: Digital Guardian

Product MITRE ATT&CK® TTP Content
Digital Guardian Endpoint Protection T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 50 Rules
  • 8 Models

Vendor: Dropbox

Product MITRE ATT&CK® TTP Content
Dropbox T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 8 Rules
  • 5 Models

Vendor: Dtex Systems

Product MITRE ATT&CK® TTP Content
DTEX InTERCEPT T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 47 Rules
  • 7 Models

Vendor: ESET

Product MITRE ATT&CK® TTP Content
ESET Endpoint Security T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Epic

Product MITRE ATT&CK® TTP Content
Epic SIEM T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Exabeam

Product MITRE ATT&CK® TTP Content
Search T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Extreme Networks

Product MITRE ATT&CK® TTP Content
Zebra WLAN Management T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: F5

Product MITRE ATT&CK® TTP Content
F5 Access Policy Manager T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models
F5 Advanced Web Application Firewall T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 55 Rules
  • 12 Models
F5 BIG-IP T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 7 Rules
  • 6 Models

Vendor: FTP

Product MITRE ATT&CK® TTP Content
FTP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Fortinet

Product MITRE ATT&CK® TTP Content
Fortinet UTM T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Fortinet VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: GitHub

Product MITRE ATT&CK® TTP Content
GitHub T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: GoAnywhere

Product MITRE ATT&CK® TTP Content
GoAnywhere MFT T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 3 Rules
  • 1 Models

Vendor: Google

Product MITRE ATT&CK® TTP Content
Google Cloud Platform T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Google Workspace T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: HP

Product MITRE ATT&CK® TTP Content
HPE Comware T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models

Vendor: HelpSystems

Product MITRE ATT&CK® TTP Content
Powertech Identity and Access Manager T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 55 Rules
  • 12 Models

Vendor: Huawei

Product MITRE ATT&CK® TTP Content
Huawei Unified Security Gateway T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models

Vendor: IBM

Product MITRE ATT&CK® TTP Content
IBM Mainframe T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
IBM Resource Access Control Facility T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Infoblox

Product MITRE ATT&CK® TTP Content
BloxOne DDI T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Ipswitch

Product MITRE ATT&CK® TTP Content
MoveIt Transfer T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Ivanti

Product MITRE ATT&CK® TTP Content
Pulse Secure T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 8 Rules
  • 5 Models

Vendor: Juniper Networks

Product MITRE ATT&CK® TTP Content
Junos OS T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models

Vendor: Kemp

Product MITRE ATT&CK® TTP Content
Kemp LoadMaster T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: LanScope

Product MITRE ATT&CK® TTP Content
LanScope Cat T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 50 Rules
  • 8 Models

Vendor: LastPass

Product MITRE ATT&CK® TTP Content
LastPass T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: ManageEngine

Product MITRE ATT&CK® TTP Content
PAM360 T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 2 Models

Vendor: McAfee

Product MITRE ATT&CK® TTP Content
McAfee Endpoint Security T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Skyhigh Networks CASB T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Microsoft

Product MITRE ATT&CK® TTP Content
Azure T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Azure AD Activity Logs T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Azure Monitor T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Azure Monitor - VM Insights T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Event Viewer - ADFS T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 2 Models
Event Viewer - DHCP-Server T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Event Viewer - DNSServer T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Event Viewer - NTLM T1210 - Exploitation of Remote Services
  • 1 Rules
Event Viewer - PowerShell T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Event Viewer - Security T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 74 Rules
  • 21 Models
Event Viewer - System T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 51 Rules
  • 10 Models
Event Viewer - TerminalServices-Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft 365 T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 48 Rules
  • 7 Models
Microsoft CAS T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft Defender for Endpoint T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 48 Rules
  • 7 Models
Microsoft Exchange T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Sysmon T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 50 Rules
  • 8 Models
Windows T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 52 Rules
  • 10 Models

Vendor: Mimecast

Product MITRE ATT&CK® TTP Content
Mimecast Secure Email Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: NCP

Product MITRE ATT&CK® TTP Content
NCP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: Nagios

Product MITRE ATT&CK® TTP Content
Nagios T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: NetApp

Product MITRE ATT&CK® TTP Content
NetApp T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Netskope

Product MITRE ATT&CK® TTP Content
Netskope Security Cloud T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 2 Models

Vendor: Netwrix

Product MITRE ATT&CK® TTP Content
Netwrix Auditor T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Nortel Contivity

Product MITRE ATT&CK® TTP Content
Nortel Contivity VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: Okta

Product MITRE ATT&CK® TTP Content
Okta Adaptive MFA T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: OneLogin

Product MITRE ATT&CK® TTP Content
OneLogin T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Open VPN

Product MITRE ATT&CK® TTP Content
Open VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: Oracle

Product MITRE ATT&CK® TTP Content
Oracle Database T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Oracle Public Cloud T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Palo Alto Networks

Product MITRE ATT&CK® TTP Content
GlobalProtect T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 8 Rules
  • 5 Models
Palo Alto NGFW T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 8 Rules
  • 6 Models
Prisma Cloud T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Progress

Product MITRE ATT&CK® TTP Content
Progress Database T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Proofpoint

Product MITRE ATT&CK® TTP Content
ObserveIT T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Proofpoint Email Protection T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Proofpoint Enterprise Protection T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: QUSH

Product MITRE ATT&CK® TTP Content
Reveal T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: RSA

Product MITRE ATT&CK® TTP Content
SecurID T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: SAP

Product MITRE ATT&CK® TTP Content
SAP T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Sailpoint

Product MITRE ATT&CK® TTP Content
IdentityNow T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Salesforce

Product MITRE ATT&CK® TTP Content
Salesforce T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 13 Rules
  • 7 Models

Vendor: SecureAuth

Product MITRE ATT&CK® TTP Content
SecureAuth IDP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
SecureAuth Login T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: SecureNet

Product MITRE ATT&CK® TTP Content
SecureNet T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models

Vendor: SentinelOne

Product MITRE ATT&CK® TTP Content
Singularity Platform T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 47 Rules
  • 7 Models

Vendor: ServiceNow

Product MITRE ATT&CK® TTP Content
ServiceNow T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: SkySea

Product MITRE ATT&CK® TTP Content
SkySea ClientView T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 53 Rules
  • 7 Models

Vendor: Sophos

Product MITRE ATT&CK® TTP Content
Sophos Endpoint Protection T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: SunOne

Product MITRE ATT&CK® TTP Content
SunOne T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Symantec

Product MITRE ATT&CK® TTP Content
Symantec Advanced Threat Protection T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 48 Rules
  • 7 Models
Symantec Critical System Protection T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1555.005 - T1555.005
  • 11 Rules
  • 6 Models
Symantec Endpoint Protection T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Tanium

Product MITRE ATT&CK® TTP Content
Tanium Cloud Platform T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Tanium Core Platform T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Tanium Integrity Monitor T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Tanium Threat Response T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Unix

Product MITRE ATT&CK® TTP Content
Auditbeat T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Unix T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 61 Rules
  • 14 Models
Unix Auditd T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 61 Rules
  • 14 Models
Unix Named T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Unix Privilege Management T1078 - Valid Accounts
T1555.005 - T1555.005
  • 10 Rules
  • 6 Models

Vendor: VMware

Product MITRE ATT&CK® TTP Content
Carbon Black App Control T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 47 Rules
  • 7 Models
Carbon Black CES T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
Carbon Black EDR T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 45 Rules
  • 6 Models
VMware AirWatch T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
VMware ESXi T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Vectra

Product MITRE ATT&CK® TTP Content
Vectra Cognito Stream T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models

Vendor: Wazuh

Product MITRE ATT&CK® TTP Content
Wazuh T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Zeek

Product MITRE ATT&CK® TTP Content
Zeek T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
T1484 - Group Policy Modification
T1555.005 - T1555.005
  • 11 Rules
  • 2 Models

Vendor: Zendesk

Product MITRE ATT&CK® TTP Content
Zendesk T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor:

Vendor: iManage

Product MITRE ATT&CK® TTP Content
iManage T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: oVirt

Product MITRE ATT&CK® TTP Content
oVirt T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models