ds_dell_sonicwall.md

Vendor: Dell

Product: Sonicwall

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
| --- | --- | --- | --- | --- |
| 230 | 104 | 46 | 6 | 12 |
| Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
| --- | --- | --- | --- |
| Abnormal Authentication & Access | vpn-login:fail (failed-vpn-login)<br>dell-sw-kv-vpn-login-fail-sslvpn<br>dell-sw-cef-vpn-login-fail-userloginfailed<br>dell-sw-kv-vpn-login-fail-140<br><br>endpoint-login:success (remote-logon)<br>dell-sw-cef-rdp-traffic-success-rdp<br><br>vpn-login:success (vpn-login)<br>sonicwall-sw-kv-vpn-login-success-1080<br>dell-sw-kv-vpn-login-success-netextenderconnected<br>dell-sw-cef-vpn-login-success-userloginsuccessful<br>dell-sw-kv-vpn-login-success-userloginsuccessful<br>dell-sw-kv-vpn-login-success-platformprefix<br>dell-sw-str-vpn-login-success-csacl<br>dell-sw-cef-vpn-login-success-userloginandzoneassignment<br><br>vpn-logout:success (vpn-logout)<br>dell-sw-cef-vpn-logout-success-loggedout<br>dell-sw-kv-vpn-logout-success-sslvpn<br>sonicwall-sw-kv-vpn-logout-success-sslvpn<br>dell-sw-kv-vpn-logout-success-infosystem<br>dell-sw-cef-vpn-logout-success-sessionend<br><br>http-traffic:success (web-activity-allowed)<br>dell-sw-kv-http-session-category<br><br>http-session:fail (web-activity-denied)<br>dell-sw-kv-http-session-category | T1021 - Remote Services<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services | • 55 Rules<br>• 23 Models |
| Account Manipulation | vpn-logout:success (vpn-logout)<br>dell-sw-cef-vpn-logout-success-loggedout<br>dell-sw-kv-vpn-logout-success-sslvpn<br>sonicwall-sw-kv-vpn-logout-success-sslvpn<br>dell-sw-kv-vpn-logout-success-infosystem<br>dell-sw-cef-vpn-logout-success-sessionend | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1484 - Group Policy Modification | • 7 Rules<br>• 7 Models |
| Brute Force Attack | vpn-logout:success (vpn-logout)<br>dell-sw-cef-vpn-logout-success-loggedout<br>dell-sw-kv-vpn-logout-success-sslvpn<br>sonicwall-sw-kv-vpn-logout-success-sslvpn<br>dell-sw-kv-vpn-logout-success-infosystem<br>dell-sw-cef-vpn-logout-success-sessionend | T1110 - Brute Force | • 1 Rule<br>• 1 Model |
| Cryptomining | http-traffic:success (web-activity-allowed)<br>dell-sw-kv-http-session-category<br><br>http-session:fail (web-activity-denied)<br>dell-sw-kv-http-session-category | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1496 - Resource Hijacking | • 1 Rule |
| Data Access | vpn-logout:success (vpn-logout)<br>dell-sw-cef-vpn-logout-success-loggedout<br>dell-sw-kv-vpn-logout-success-sslvpn<br>sonicwall-sw-kv-vpn-logout-success-sslvpn<br>dell-sw-kv-vpn-logout-success-infosystem<br>dell-sw-cef-vpn-logout-success-sessionend | T1110 - Brute Force | • 1 Rule<br>• 1 Model |
| Privileged Activity | endpoint-login:success (remote-logon)<br>dell-sw-cef-rdp-traffic-success-rdp<br><br>http-traffic:success (web-activity-allowed)<br>dell-sw-kv-http-session-category<br><br>http-session:fail (web-activity-denied)<br>dell-sw-kv-http-session-category | T1021 - Remote Services<br>T1068 - Exploitation for Privilege Escalation<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1102 - Web Service | • 17 Rules<br>• 7 Models |
| Workforce Protection | http-traffic:success (web-activity-allowed)<br>dell-sw-kv-http-session-category | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols | • 4 Rules<br>• 2 Models |
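The following Python is an added worked example, not Exabeam's parser or rule code and not SonicWall documentation. It shows how the two log shapes the parser names above imply (SonicOS key=value syslog for the `kv` parsers, CEF for the `cef` parsers) normalise into the activity types listed on this page, and what a Brute Force Attack use case (T1110) over `vpn-login:fail` events does when run over constructed log lines. Everything beyond the field names is an assumption: message ids 140 and 1080 and the CEF event names are read off the parser names, the log lines are constructed, and the threshold and window are illustrative.

```python
"""Added example: normalise constructed SonicWall VPN logs (SonicOS key=value
syslog and CEF) into this page's activity types, then run a brute-force check
(T1110) that also records a success following the burst (T1078)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')  # CEF extension: value runs to next key=

# ASSUMED mappings, read off the parser names above (…-fail-140, …-success-1080,
# …-userloginfailed, …-userloginsuccessful, …-loggedout); not vendor-documented.
KV_MSG_TYPES = {"140": "vpn-login:fail", "1080": "vpn-login:success"}
CEF_NAME_TYPES = {
    "User login failed": "vpn-login:fail",
    "User login successful": "vpn-login:success",
    "User logged out": "vpn-logout:success",
}


def parse_kv(line):
    """SonicOS key=value syslog body -> normalised event, or None if not a VPN login event."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    atype = KV_MSG_TYPES.get(f.get("m"))
    if atype is None:
        return None
    return {
        "type": atype,
        "user": f.get("usr"),
        "src": f.get("src", "").split(":")[0],  # "ip:port:interface" -> ip
        "ts": datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S UTC"),
    }


def parse_cef(line):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension -> event or None."""
    parts = line[line.index("CEF:"):].split("|", 7)
    if len(parts) < 8:
        return None
    atype = CEF_NAME_TYPES.get(parts[5])
    if atype is None:
        return None
    f = dict(CEF_EXT_RE.findall(parts[7]))
    return {
        "type": atype,
        "user": f.get("suser"),
        "src": f.get("src"),
        "ts": datetime.strptime(f["rt"], "%b %d %Y %H:%M:%S"),  # CEF "MMM dd yyyy HH:mm:ss" form
    }


def normalize(lines):
    """Dispatch each raw line to the matching parser and drop non-VPN events."""
    events = (parse_cef(l) if "CEF:" in l else parse_kv(l) for l in lines)
    return [e for e in events if e is not None]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP with >= threshold vpn-login:fail inside `window`;
    the first vpn-login:success from that IP after the burst is recorded as well."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        recent, alert = [], None
        for ev in evs:
            if ev["type"] == "vpn-login:fail":
                recent = [t for t in recent if ev["ts"] - t <= window] + [ev["ts"]]
                if alert is None and len(recent) >= threshold:
                    alert = {"src": src, "failures": 0, "users": [], "success_user": None}
                    alerts.append(alert)
            elif ev["type"] == "vpn-login:success" and alert and alert["success_user"] is None:
                alert["success_user"] = ev["user"]
        if alert:
            fails = [e for e in evs if e["type"] == "vpn-login:fail"]
            alert["failures"] = len(fails)
            alert["users"] = sorted({e["user"] for e in fails})
    return alerts


# Constructed sample lines (not captured from a device); CEF signature ids are placeholders.
SAMPLE_LOGS = [
    'id=firewall sn=0017C5000000 time="2024-05-01 10:00:01 UTC" fw=203.0.113.1 pri=4 c=16 m=140 msg="SSL VPN login failed" usr="admin" src=198.51.100.7:50111:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=0017C5000000 time="2024-05-01 10:00:09 UTC" fw=203.0.113.1 pri=4 c=16 m=140 msg="SSL VPN login failed" usr="administrator" src=198.51.100.7:50112:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=0017C5000000 time="2024-05-01 10:00:17 UTC" fw=203.0.113.1 pri=4 c=16 m=140 msg="SSL VPN login failed" usr="vpn" src=198.51.100.7:50113:X1 dst=203.0.113.1:443:X1',
    'CEF:0|SonicWall|SonicOS|7.0|140|User login failed|4|suser=jsmith src=198.51.100.7 dst=203.0.113.1 rt=May 01 2024 10:00:25',
    'CEF:0|SonicWall|SonicOS|7.0|140|User login failed|4|suser=jsmith src=198.51.100.7 dst=203.0.113.1 rt=May 01 2024 10:00:33',
    'id=firewall sn=0017C5000000 time="2024-05-01 10:00:41 UTC" fw=203.0.113.1 pri=4 c=16 m=140 msg="SSL VPN login failed" usr="jsmith" src=198.51.100.7:50116:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=0017C5000000 time="2024-05-01 10:00:49 UTC" fw=203.0.113.1 pri=6 c=16 m=1080 msg="SSL VPN login successful" usr="jsmith" src=198.51.100.7:50117:X1 dst=203.0.113.1:443:X1',
    'CEF:0|SonicWall|SonicOS|7.0|140|User login failed|4|suser=alice src=203.0.113.20 dst=203.0.113.1 rt=May 01 2024 10:02:00',  # one typo, then success: no alert
    'CEF:0|SonicWall|SonicOS|7.0|1080|User login successful|3|suser=alice src=203.0.113.20 dst=203.0.113.1 rt=May 01 2024 10:02:10',
    'CEF:0|SonicWall|SonicOS|7.0|1081|User logged out|3|suser=alice src=203.0.113.20 dst=203.0.113.1 rt=May 01 2024 10:45:00',
    'id=firewall sn=0017C5000000 time="2024-05-01 10:03:00 UTC" fw=203.0.113.1 pri=6 c=1024 m=97 msg="Web site access allowed" src=10.0.0.5:51000:X0 dst=93.184.216.34:443:X1',  # not a VPN event
]

if __name__ == "__main__":
    for a in detect_brute_force(normalize(SAMPLE_LOGS)):
        print(a)
```

Run stand-alone, the block prints one alert for 198.51.100.7: six failures across four account names followed by a success as `jsmith`; the user with a single typo produces none, and the web-traffic line is dropped because neither parser claims it. A production rule keys on the `vpn-login:fail` activity type rather than on individual parser names, so the same logic covers all three fail parsers listed above regardless of which log format the firewall is sending.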

MITRE ATT&CK® Framework for Enterprise

| Tactic | Techniques |
| --- | --- |
| Initial Access | Phishing: Spearphishing Link<br>External Remote Services<br>Valid Accounts<br>Drive-by Compromise<br>Exploit Public-Facing Application<br>Phishing |
| Execution | User Execution |
| Persistence | External Remote Services<br>Valid Accounts<br>Account Manipulation<br>Account Manipulation: Exchange Email Delegate Permissions |
| Privilege Escalation | Valid Accounts<br>Exploitation for Privilege Escalation<br>Group Policy Modification |
| Defense Evasion | Group Policy Modification<br>Obfuscated Files or Information: Indicator Removal from Tools<br>Valid Accounts<br>Use Alternate Authentication Material<br>Use Alternate Authentication Material: Pass the Hash<br>Use Alternate Authentication Material: Pass the Ticket<br>Obfuscated Files or Information<br>Valid Accounts: Local Accounts |
| Credential Access | Brute Force<br>Steal or Forge Kerberos Tickets<br>Credentials from Password Stores<br>Steal or Forge Kerberos Tickets: Kerberoasting |
| Discovery | Remote System Discovery |
| Lateral Movement | Remote Services<br>Use Alternate Authentication Material<br>Internal Spearphishing |
| Collection | |
| Command and Control | Web Service<br>Application Layer Protocol: Web Protocols<br>Dynamic Resolution<br>Dynamic Resolution: Domain Generation Algorithms<br>Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy |
| Exfiltration | Exfiltration Over Alternative Protocol<br>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br>Exfiltration Over Physical Medium: Exfiltration over USB<br>Exfiltration Over C2 Channel<br>Exfiltration Over Physical Medium<br>Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>Exfiltration Over Web Service |
| Impact | Resource Hijacking |