Vendor: GitHub
Product: GitHub

Rules: 418
Models: 84
MITRE ATT&CK® TTPs: 146
Activity Types: 9
Parsers: 60

Use-Case: Abnormal Authentication & Access

  Activity Types (Legacy Event Type)/Parsers:
    user-create:success (account-creation)
      ↳github-g-json-app-activity-document_id
    scheduled_task-trigger:success (app-activity)
      ↳github-g-json-app-activity-success-actorid
      ↳github-g-json-app-activity-success-pullrequestreviewcommentcreate
      ↳github-g-json-app-activity-success-preparedworkflowjob
      ↳github-g-json-app-activity-success-pullrequestcreatereviewrequest
      ↳github-g-json-app-activity-success-secretscanningalert
      ↳github-g-json-app-activity-success-workflowscompletedworkflowrun
      ↳github-g-json-app-activity-success-githubaudit
      ↳github-g-json-app-activity-success-workflowscreatedworkflowrun
      ↳github-g-json-app-activity-success-code_scanning
      ↳github-g-kv-app-activity-success-githubunicorn
      ↳github-g-json-app-activity-success-apirequest
      ↳github-g-json-app-activity-success-integrationinstallation
      ↳github-g-json-app-activity-success-pullrequestreviewsubmit
      ↳github-g-json-app-activity-success-issuecommentupdate
      ↳github-g-json-configuration-create-success-environmentcreate
      ↳github-g-json-hook-delete-success-hookdestroy
      ↳github-g-json-hook-modify-success-hookconfigchanged
      ↳github-g-json-branch-protection-enable-success-protectedbranchcreate
      ↳github-g-json-branch-protection-disable-success-protectedbranchdestroy
      ↳github-g-json-user-invite-success-org
      ↳github-g-json-http-request-success-githubaudithook
      ↳github-g-json-repository-create-success-gitclone
      ↳github-g-sk4-repository-create-success-createevent
      ↳github-g-json-repository-create-success-githubauditrepo
      ↳github-g-csv-repository-create-success-projectcreate
      ↳github-g-csv-repository-modify-success-update
      ↳github-g-json-user-create-success-githubauditteam
      ↳github-g-kv-app-activity-controller
      ↳github-g-json-app-activity-success-namespaceid
      ↳github-g-kv-http-request-api
      ↳github-g-kv-http-request-githubunicorn
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-success-pullrequest
      ↳github-g-json-app-activity-success-issuecommentdestroy
      ↳github-g-sk4-repository-create-success-github
      ↳github-g-json-app-activity-success-workflows
      ↳github-g-json-app-activity-success-team
      ↳github-g-json-app-activity-success-org
      ↳github-g-json-branch-modify-success-pullrequestmerge
      ↳github-g-json-branch-modify-success-pullrequestindirectmerge
      ↳github-g-json-repository-push-success-gitpush
      ↳github-g-sk4-repository-push-success-pushevent
      ↳github-g-json-repository-pull-success-gitfetch
      ↳github-g-sk4-repository-pull-success-pullrequestevent
      ↳github-g-json-repository-pull-success-repodownloadzip
      ↳github-g-json-branch-create-success-pullrequestcreate
      ↳github-g-sk4-repository-member-add-success-memberevent
      ↳github-g-json-repository-member-add-success-teamaddmember
      ↳github-g-sk4-repository-delete-success-deleteevent
      ↳github-g-json-hook-create-success-repocreate
      ↳github-g-json-repository-create-success-repocreate
      ↳github-g-json-key-read-success-publickeyverify
      ↳github-g-json-key-create-success-publickeycreate
      ↳github-g-json-key-delete-success-publickeydelete
      ↳github-g-json-branch-protection-modify-success-policyoverride
      ↳github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
      ↳github-g-json-branch-protection-modify-success-protectedbranchupdate
      ↳github-g-json-repository-modify-success-repo
      ↳github-g-json-repository-modify-success-repo
    app-login:success (app-login)
      ↳github-g-kv-app-login-authentication
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-login-success-user_sign_in
    endpoint-login:fail (authentication-failed)
      ↳github-g-json-app-authentication-fail-authorizationdeauthorize
    endpoint-login:success (authentication-successful)
      ↳github-g-json-app-authentication-success-authorizationgrant
      ↳github-g-json-app-authentication-success-accessgranted
      ↳github-g-kv-app-authentication-success-gitauth
      ↳github-g-json-app-authentication-success-orgssoresponse
      ↳github-g-json-app-authentication-success-businessssoresponse
    app-login:fail (failed-app-login)
      ↳github-g-kv-app-login-authentication
      ↳github-g-json-app-login-fail-failedlogin
    group-member-remove:success (member-removed)
      ↳github-g-json-group-member-remove-success-teamremovemember

  MITRE ATT&CK® TTP:
    T1078 - Valid Accounts
    T1133 - External Remote Services

  Content: 15 Rules, 4 Models

Use-Case: Account Manipulation

  Activity Types (Legacy Event Type)/Parsers:
    user-create:success (account-creation)
      ↳github-g-json-app-activity-document_id
    scheduled_task-trigger:success (app-activity)
      ↳github-g-json-app-activity-success-actorid
      ↳github-g-json-app-activity-success-pullrequestreviewcommentcreate
      ↳github-g-json-app-activity-success-preparedworkflowjob
      ↳github-g-json-app-activity-success-pullrequestcreatereviewrequest
      ↳github-g-json-app-activity-success-secretscanningalert
      ↳github-g-json-app-activity-success-workflowscompletedworkflowrun
      ↳github-g-json-app-activity-success-githubaudit
      ↳github-g-json-app-activity-success-workflowscreatedworkflowrun
      ↳github-g-json-app-activity-success-code_scanning
      ↳github-g-kv-app-activity-success-githubunicorn
      ↳github-g-json-app-activity-success-apirequest
      ↳github-g-json-app-activity-success-integrationinstallation
      ↳github-g-json-app-activity-success-pullrequestreviewsubmit
      ↳github-g-json-app-activity-success-issuecommentupdate
      ↳github-g-json-configuration-create-success-environmentcreate
      ↳github-g-json-hook-delete-success-hookdestroy
      ↳github-g-json-hook-modify-success-hookconfigchanged
      ↳github-g-json-branch-protection-enable-success-protectedbranchcreate
      ↳github-g-json-branch-protection-disable-success-protectedbranchdestroy
      ↳github-g-json-user-invite-success-org
      ↳github-g-json-http-request-success-githubaudithook
      ↳github-g-json-repository-create-success-gitclone
      ↳github-g-sk4-repository-create-success-createevent
      ↳github-g-json-repository-create-success-githubauditrepo
      ↳github-g-csv-repository-create-success-projectcreate
      ↳github-g-csv-repository-modify-success-update
      ↳github-g-json-user-create-success-githubauditteam
      ↳github-g-kv-app-activity-controller
      ↳github-g-json-app-activity-success-namespaceid
      ↳github-g-kv-http-request-api
      ↳github-g-kv-http-request-githubunicorn
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-document_id
      ↳github-g-json-app-activity-success-pullrequest
      ↳github-g-json-app-activity-success-issuecommentdestroy
      ↳github-g-sk4-repository-create-success-github
      ↳github-g-json-app-activity-success-workflows
      ↳github-g-json-app-activity-success-team
      ↳github-g-json-app-activity-success-org
      ↳github-g-json-branch-modify-success-pullrequestmerge
      ↳github-g-json-branch-modify-success-pullrequestindirectmerge
      ↳github-g-json-repository-push-success-gitpush
      ↳github-g-sk4-repository-push-success-pushevent
      ↳github-g-json-repository-pull-success-gitfetch
      ↳github-g-sk4-repository-pull-success-pullrequestevent
      ↳github-g-json-repository-pull-success-repodownloadzip
      ↳github-g-json-branch-create-success-pullrequestcreate
      ↳github-g-sk4-repository-member-add-success-memberevent
      ↳github-g-json-repository-member-add-success-teamaddmember
      ↳github-g-sk4-repository-delete-success-deleteevent
      ↳github-g-json-hook-create-success-repocreate
      ↳github-g-json-repository-create-success-repocreate
      ↳github-g-json-key-read-success-publickeyverify
      ↳github-g-json-key-create-success-publickeycreate
      ↳github-g-json-key-delete-success-publickeydelete
      ↳github-g-json-branch-protection-modify-success-policyoverride
      ↳github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
      ↳github-g-json-branch-protection-modify-success-protectedbranchupdate
      ↳github-g-json-repository-modify-success-repo
      ↳github-g-json-repository-modify-success-repo
    group-member-remove:success (member-removed)
      ↳github-g-json-group-member-remove-success-teamremovemember
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1003 - OS Credential Dumping
    T1003.003 - T1003.003
    T1021 - Remote Services
    T1021.003 - T1021.003
    T1059 - Command and Scripting Interpreter
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059.003 - T1059.003
    T1078 - Valid Accounts
    T1098 - Account Manipulation
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
    T1136 - Create Account
    T1136.001 - Create Account: Create: Local Account
    T1136.002 - T1136.002
    T1218 - Signed Binary Proxy Execution
    T1218.010 - Signed Binary Proxy Execution: Regsvr32
    T1531 - Account Access Removal
    T1559 - Inter-Process Communication
    T1559.002 - T1559.002

  Content: 50 Rules, 21 Models

Use-Case: Audit Tampering

  Activity Types (Legacy Event Type)/Parsers:
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1059 - Command and Scripting Interpreter
    T1070 - Indicator Removal on Host
    T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
    T1546 - Event Triggered Execution
    T1546.003 - T1546.003
    T1562 - Impair Defenses
    T1562.006 - T1562.006

  Content: 4 Rules

Use-Case: Cryptomining

  Activity Types (Legacy Event Type)/Parsers:
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1496 - Resource Hijacking

  Content: 1 Rule

Use-Case: Data Exfiltration

  Activity Types (Legacy Event Type)/Parsers:
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1003 - OS Credential Dumping
    T1040 - Network Sniffing
    T1041 - Exfiltration Over C2 Channel
    T1048 - Exfiltration Over Alternative Protocol
    T1059 - Command and Scripting Interpreter
    T1071 - Application Layer Protocol
    T1071.001 - Application Layer Protocol: Web Protocols
    T1071.002 - Application Layer Protocol: File Transfer Protocols
    T1071.004 - Application Layer Protocol: DNS
    T1552 - Unsecured Credentials
    T1552.001 - T1552.001
    T1560 - Archive Collected Data
    T1572 - Protocol Tunneling

  Content: 7 Rules

Use-Case: Evasion

  Activity Types (Legacy Event Type)/Parsers:
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1027 - Obfuscated Files or Information
    T1027.004 - Obfuscated Files or Information: Compile After Delivery
    T1036 - Masquerading
    T1036.003 - Masquerading: Rename System Utilities
    T1036.005 - Masquerading: Match Legitimate Name or Location
    T1059 - Command and Scripting Interpreter
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059.005 - T1059.005
    T1070 - Indicator Removal on Host
    T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
    T1105 - Ingress Tool Transfer
    T1127 - Trusted Developer Utilities Proxy Execution
    T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
    T1140 - Deobfuscate/Decode Files or Information
    T1197 - BITS Jobs
    T1202 - Indirect Command Execution
    T1203 - Exploitation for Client Execution
    T1218 - Signed Binary Proxy Execution
    T1218.002 - Signed Binary Proxy Execution: Control Panel
    T1218.004 - Signed Binary Proxy Execution: InstallUtil
    T1218.008 - T1218.008
    T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
    T1218.010 - Signed Binary Proxy Execution: Regsvr32
    T1218.011 - Signed Binary Proxy Execution: Rundll32
    T1484 - Group Policy Modification
    T1484.001 - T1484.001
    T1542 - Pre-OS Boot
    T1542.003 - T1542.003
    T1543 - Create or Modify System Process
    T1543.003 - Create or Modify System Process: Windows Service
    T1552 - Unsecured Credentials
    T1552.006 - T1552.006
    T1562 - Impair Defenses
    T1562.001 - T1562.001
    T1562.004 - Impair Defenses: Disable or Modify System Firewall
    T1562.006 - T1562.006
    T1564 - Hide Artifacts
    T1564.001 - T1564.001
    T1564.004 - Hide Artifacts: NTFS File Attributes
    T1574 - Hijack Execution Flow

  Content: 44 Rules, 3 Models

Use-Case: Phishing

  Activity Types (Legacy Event Type)/Parsers:
    process-create:success (process-created)
      ↳github-g-json-process-create-success-ssh_command

  MITRE ATT&CK® TTP:
    T1566 - Phishing
    T1566.001 - T1566.001

  Content: 1 Rule

MITRE ATT&CK® Framework for Enterprise

Initial Access
  External Remote Services
  Valid Accounts
  Exploit Public-Facing Application
  Phishing

Execution
  Windows Management Instrumentation
  Command and Scripting Interpreter
  Scheduled Task/Job
  Inter-Process Communication
  System Services
  Exploitation for Client Execution
  User Execution
  Scheduled Task/Job: Scheduled Task
  Command and Scripting Interpreter: PowerShell
  Scheduled Task/Job: At (Windows)

Persistence
  Pre-OS Boot
  Create Account
  Create or Modify System Process
  External Remote Services
  Valid Accounts
  Hijack Execution Flow
  Server Software Component: Web Shell
  Account Manipulation
  BITS Jobs
  Create or Modify System Process: Windows Service
  Scheduled Task/Job
  Server Software Component
  Event Triggered Execution
  Boot or Logon Autostart Execution
  Create Account: Create: Local Account
  Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  Access Token Manipulation: Token Impersonation/Theft
  Create or Modify System Process
  Valid Accounts
  Access Token Manipulation
  Exploitation for Privilege Escalation
  Hijack Execution Flow
  Group Policy Modification
  Process Injection
  Scheduled Task/Job
  Abuse Elevation Control Mechanism
  Event Triggered Execution
  Boot or Logon Autostart Execution
  Process Injection: Dynamic-link Library Injection
  Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion
  Hide Artifacts
  Indirect Command Execution
  Impair Defenses
  Indicator Removal on Host: Clear Windows Event Logs
  Group Policy Modification
  Trusted Developer Utilities Proxy Execution
  Masquerading: Match Legitimate Name or Location
  Masquerading: Rename System Utilities
  File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  Obfuscated Files or Information: Compile After Delivery
  Hijack Execution Flow: DLL Side-Loading
  Masquerading
  Valid Accounts
  Modify Registry
  BITS Jobs
  Use Alternate Authentication Material
  Hide Artifacts: NTFS File Attributes
  Indicator Removal on Host
  Use Alternate Authentication Material: Pass the Ticket
  Pre-OS Boot
  File and Directory Permissions Modification
  Deobfuscate/Decode Files or Information
  Abuse Elevation Control Mechanism
  Impair Defenses: Disable or Modify System Firewall
  Obfuscated Files or Information
  Signed Binary Proxy Execution: Compiled HTML File
  Access Token Manipulation
  Hijack Execution Flow
  Process Injection
  Signed Binary Proxy Execution: Msiexec
  Signed Binary Proxy Execution
  Signed Binary Proxy Execution: Regsvcs/Regasm
  Signed Binary Proxy Execution: CMSTP
  Signed Binary Proxy Execution: Control Panel
  Signed Binary Proxy Execution: InstallUtil
  Signed Binary Proxy Execution: Regsvr32
  Trusted Developer Utilities Proxy Execution: MSBuild
  Signed Binary Proxy Execution: Rundll32

Credential Access
  OS Credential Dumping
  Unsecured Credentials
  Steal or Forge Kerberos Tickets
  Credentials from Password Stores
  Steal or Forge Kerberos Tickets: Kerberoasting
  Network Sniffing

Discovery
  Account Discovery
  Domain Trust Discovery
  System Service Discovery
  System Network Connections Discovery
  Account Discovery: Local Account
  Account Discovery: Domain Account
  File and Directory Discovery
  Network Sniffing
  System Information Discovery
  Network Share Discovery
  Query Registry
  Process Discovery
  System Owner/User Discovery
  Software Discovery
  Remote System Discovery
  System Network Configuration Discovery

Lateral Movement
  Exploitation of Remote Services
  Remote Service Session Hijacking
  Remote Services
  Remote Services: SMB/Windows Admin Shares
  Use Alternate Authentication Material
  Remote Services: Remote Desktop Protocol

Collection
  Screen Capture
  Email Collection
  Audio Capture
  Archive Collected Data
  Email Collection: Email Forwarding Rule

Command and Control
  Protocol Tunneling
  Application Layer Protocol: DNS
  Application Layer Protocol: File Transfer Protocols
  Application Layer Protocol: Web Protocols
  Remote Access Software
  Ingress Tool Transfer
  Proxy: Multi-hop Proxy
  Application Layer Protocol
  Proxy

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over C2 Channel

Impact
  Account Access Removal
  Resource Hijacking
  Data Encrypted for Impact
  Inhibit System Recovery