Skip to content

Latest commit

 

History

History
25 lines (23 loc) · 38.8 KB

ds_cisco_cisco_ios.md

File metadata and controls

25 lines (23 loc) · 38.8 KB

Vendor: Cisco

Product: Cisco IOS

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
399 77 146 4 4
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access endpoint-login:fail (authentication-failed)
cisco-cucs-str-endpoint-login-fail-authfailed
cisco-ios-str-endpoint-authentication-fail-authenticationfailed
cisco-ios-mix-endpoint-authentication-fail-loginfailed

endpoint-login:success (authentication-successful)
cisco-ios-str-endpoint-authentication-success-authpassed

endpoint-login:success (remote-logon)
cisco-c-mix-ssh-traffic-success-loginsuccess
cisco-c-str-endpoint-login-success-weblogin
cisco-cwc-str-endpoint-login-success-loginpassed
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 35 Rules
  • 14 Models
Account Manipulation process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021 - Remote Services
T1021.003 - T1021.003
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218 - Signed Binary Proxy Execution
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559 - Inter-Process Communication
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Audit Tampering process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546 - Event Triggered Execution
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
  • 4 Rules
Cryptomining process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1496 - Resource Hijacking
  • 1 Rules
Data Access process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1003 - OS Credential Dumping
  • 1 Rules
Data Exfiltration process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552 - Unsecured Credentials
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 7 Rules
Evasion process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1542 - Pre-OS Boot
T1542.003 - T1542.003
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1552 - Unsecured Credentials
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564 - Hide Artifacts
T1564.001 - T1564.001
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 44 Rules
  • 3 Models
Phishing process-create:success (process-created)
cisco-npe-kv-process-create-success-loggedcommand
T1566 - Phishing
T1566.001 - T1566.001
  • 1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

Phishing

Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Hijack Execution Flow: DLL Side-Loading

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Valid Accounts: Local Accounts

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

OS Credential Dumping

Unsecured Credentials

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Screen Capture

Audio Capture

Archive Collected Data

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Ingress Tool Transfer

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

Exfiltration Over Alternative Protocol

Exfiltration Over C2 Channel

Account Access Removal

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery