Skip to content

Latest commit

 

History

History
23 lines (21 loc) · 42.9 KB

ds_skysea_skysea_clientview.md

File metadata and controls

23 lines (21 loc) · 42.9 KB

Vendor: SkySea

Product: SkySea ClientView

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
573 148 164 14 5
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access app-activity:success (app-activity)
skysea-cv-csv-app-activity-success-appactivity
skysea-cv-str-app-activity-success-appactivity

printer-activity:success (print-activity)
skysea-cv-csv-printer-activity-success-printactivity

http-traffic:success (web-activity-allowed)
skysea-cv-csv-http-session-web
skysea-cv-csv-http-session-success-web
skysea-cv-csv-http-session-success-webaccess

http-session:fail (web-activity-denied)
skysea-cv-csv-http-session-web
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
  • 18 Rules
  • 10 Models
Account Manipulation app-activity:success (app-activity)
skysea-cv-csv-app-activity-success-appactivity
skysea-cv-str-app-activity-success-appactivity

process-create:success (process-created)
skysea-cv-csv-process-create-success-processcreated
skysea-cv-csv-process-create-success-user
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021 - Remote Services
T1021.003 - T1021.003
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218 - Signed Binary Proxy Execution
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559 - Inter-Process Communication
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
Audit Tampering process-create:success (process-created)
skysea-cv-csv-process-create-success-processcreated
skysea-cv-csv-process-create-success-user
 T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546 - Event Triggered Execution
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
  • 4 Rules
Destruction of Data file-delete:success (file-delete)
skysea-cv-csv-file-success-fileactivity
skysea-cv-csv-file-success-fileactivity-1
 T1070 - Indicator Removal on Host
T1070.004 - Indicator Removal on Host: File Deletion
T1485 - Data Destruction
  • 1 Rules
Evasion process-create:success (process-created)
skysea-cv-csv-process-create-success-processcreated
skysea-cv-csv-process-create-success-user
 T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1542 - Pre-OS Boot
T1542.003 - T1542.003
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1552 - Unsecured Credentials
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564 - Hide Artifacts
T1564.001 - T1564.001
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 44 Rules
  • 3 Models
Workforce Protection email-send:success (dlp-email-alert-out)
skysea-cv-csv-email-send-success

http-traffic:success (web-activity-allowed)
skysea-cv-csv-http-session-web
skysea-cv-csv-http-session-success-web
skysea-cv-csv-http-session-success-webaccess
 T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 8 Rules
  • 3 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Hijack Execution Flow: DLL Side-Loading

Indicator Removal on Host: File Deletion

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Forced Authentication

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Internal Spearphishing

 Screen Capture

Email Collection

Audio Capture

Archive Collected Data

Email Collection: Email Forwarding Rule

 Web Service

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Physical Medium

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Account Access Removal

Data Destruction

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery