Skip to content

Latest commit

 

History

History
23 lines (21 loc) · 15 KB

ds_sap_sap.md

File metadata and controls

23 lines (21 loc) · 15 KB

Vendor: SAP

Product: SAP

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
195 79 37 13 10
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access user-create:success (account-creation)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-create-success-created

user-delete:success (account-deleted)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-delete-success-deleted

user-lock:success (account-lockout)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-lock-success-locked

user-password-modify:success (account-password-change)
sap-s-cef-user-password-modify-success-changed
sap-s-cef-user-password-modify-success-loginforsso

user-unlock:success (account-unlocked)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-unlock-success-unlocked

app-activity:success (app-activity)
sap-s-cef-user-delete-fail-audit

app-login:success (app-login)
sap-s-cef-app-login-success-dialoglogonsuccessful
sap-s-json-app-login-success-sm20logon

vpn-login:fail (authentication-failed)
sap-s-cef-endpoint-authentication-logon
sap-s-cef-endpoint-login-fail-secude

vpn-authentication:success (authentication-successful)
sap-s-cef-endpoint-authentication-logon
sap-s-cef-endpoint-login-success-assertion-1
sap-s-cef-endpoint-login-success-assertion

app-login:fail (failed-app-login)
sap-s-cef-app-login-fail-dialoglogonfailed

ssh-traffic:success (remote-logon)
sap-s-cef-endpoint-login-fail-cpiclogonfail
sap-s-cef-endpoint-login-success-cpiclogonsuccessful
 T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 36 Rules
  • 14 Models
Account Manipulation user-create:success (account-creation)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-create-success-created

user-delete:success (account-deleted)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-delete-success-deleted

user-password-modify:success (account-password-change)
sap-s-cef-user-password-modify-success-changed
sap-s-cef-user-password-modify-success-loginforsso

app-activity:success (app-activity)
sap-s-cef-user-delete-fail-audit
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 25 Rules
  • 9 Models
Brute Force Attack user-lock:success (account-lockout)
sap-s-cef-user-delete-fail-audit
sap-s-cef-user-lock-success-locked
 T1110 - Brute Force
  • 1 Rules
Data Exfiltration file-write:success (file-write)
sap-s-cef-file-write-success-download
 TA0002 - TA0002
  • 2 Rules
  • 1 Models
Data Leak app-activity:success (app-activity)
sap-s-cef-user-delete-fail-audit

file-write:success (file-write)
sap-s-cef-file-write-success-download
 T1114 - Email Collection
T1114.001 - T1114.001
T1114.003 - Email Collection: Email Forwarding Rule
  • 4 Rules
Privilege Escalation app-activity:success (app-activity)
sap-s-cef-user-delete-fail-audit

ssh-traffic:success (remote-logon)
sap-s-cef-endpoint-login-fail-cpiclogonfail
sap-s-cef-endpoint-login-success-cpiclogonsuccessful
 T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555 - Credentials from Password Stores
T1555.005 - T1555.005
  • 5 Rules
  • 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 Create Account

External Remote Services

Valid Accounts

Server Software Component: Web Shell

Account Manipulation

Server Software Component

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Exploitation for Privilege Escalation

Boot or Logon Autostart Execution

 Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Valid Accounts: Local Accounts

 OS Credential Dumping

Brute Force

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

 File and Directory Discovery

Remote System Discovery

 Remote Services

Use Alternate Authentication Material

 Email Collection

Email Collection: Email Forwarding Rule

 Proxy: Multi-hop Proxy

Proxy

 Account Access Removal

Data Encrypted for Impact