2_ds_microsoft_azure_atp.md

File metadata and controls

7 lines (7 loc) · 27.1 KB
| Use-Case | Activity Type (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
| --- | --- | --- | --- |
| Compromised Credentials | scheduled_task-trigger:success (app-activity)<br>microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered<br><br>app-login:success (app-login)<br>microsoft-mcas-kv-app-login-success-successauth<br><br>app-login:fail (failed-app-login)<br>microsoft-mcas-kv-app-login-fail-failedauth<br><br>alert-trigger:success (network-alert)<br>microsoft-atp-cef-alert-trigger-success-sensornetwork<br>microsoft-atp-cef-alert-trigger-success-workspacedirectory<br>microsoft-atp-cef-alert-trigger-success-sensorlowmemory<br>microsoft-atp-cef-alert-trigger-success-sensordirectory<br>microsoft-atp-cef-alert-trigger-success-sensorcapture<br><br>alert-trigger:success (security-alert)<br>microsoft-azureatp-json-alert-trigger-success-passtheticket<br>microsoft-azureatp-cef-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-bruteforcesecurityalert<br>microsoft-azureatp-cef-alert-trigger-success-securityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-enumeratesessions<br>microsoft-azureatp-json-alert-trigger-success-dnsreconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert<br>microsoft-azure-sk4-alert-trigger-success-aatp<br>microsoft-atp-cef-alert-trigger-success-dnshostname<br>microsoft-atp-cef-alert-trigger-success-ldapsearch<br>microsoft-azureatp-json-alert-trigger-success-ldapsensitiveattributereconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-advancedthreatprotection<br>microsoft-atp-cef-alert-trigger-success-abnormalprotocol<br>microsoft-atp-cef-alert-trigger-success-maliciousservicecreation<br>microsoft-atp-cef-alert-trigger-success-dnssuspiciouscommunication<br>microsoft-atp-cef-alert-trigger-success-dnsremotecodeexecution<br>microsoft-atp-cef-alert-trigger-success-goldenticketsizeanomaly<br>microsoft-atp-cef-alert-trigger-success-encryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-goldenticket<br>microsoft-atp-cef-alert-trigger-success-passthehash<br>microsoft-atp-cef-alert-trigger-success-retrievedataprotectionbackupkey<br>microsoft-atp-cef-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguereplication<br>microsoft-atp-cef-alert-trigger-success-sensitivegroupmembershipchange<br>microsoft-atp-cef-alert-trigger-success-forgedpac<br>microsoft-atp-cef-alert-trigger-success-passtheticket<br>microsoft-atp-cef-alert-trigger-success-remoteexecution<br>microsoft-atp-cef-alert-trigger-success-directoryservicesreplicatio<br>microsoft-atp-cef-alert-trigger-success-forgedprincipal<br>microsoft-atp-cef-alert-trigger-success-ldapbruteforce<br>microsoft-azureatp-json-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-abnormalvpn<br>microsoft-atp-cef-alert-trigger-success-goldenticketencryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguepromotion | T1027 - Obfuscated Files or Information<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 84 Rules<br>• 42 Models |
| Lateral Movement | app-login:success (app-login)<br>microsoft-mcas-kv-app-login-success-successauth<br><br>endpoint-login:fail (authentication-failed)<br>microsoft-evsecurity-cef-app-authentication-fail-adfsauditing<br>microsoft-evsecurity-cef-app-authentication-fail-adfsauditing-1<br><br>app-login:fail (failed-app-login)<br>microsoft-mcas-kv-app-login-fail-failedauth<br><br>alert-trigger:success (security-alert)<br>microsoft-azureatp-json-alert-trigger-success-passtheticket<br>microsoft-azureatp-cef-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-bruteforcesecurityalert<br>microsoft-azureatp-cef-alert-trigger-success-securityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-enumeratesessions<br>microsoft-azureatp-json-alert-trigger-success-dnsreconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert<br>microsoft-azure-sk4-alert-trigger-success-aatp<br>microsoft-atp-cef-alert-trigger-success-dnshostname<br>microsoft-atp-cef-alert-trigger-success-ldapsearch<br>microsoft-azureatp-json-alert-trigger-success-ldapsensitiveattributereconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-advancedthreatprotection<br>microsoft-atp-cef-alert-trigger-success-abnormalprotocol<br>microsoft-atp-cef-alert-trigger-success-maliciousservicecreation<br>microsoft-atp-cef-alert-trigger-success-dnssuspiciouscommunication<br>microsoft-atp-cef-alert-trigger-success-dnsremotecodeexecution<br>microsoft-atp-cef-alert-trigger-success-goldenticketsizeanomaly<br>microsoft-atp-cef-alert-trigger-success-encryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-goldenticket<br>microsoft-atp-cef-alert-trigger-success-passthehash<br>microsoft-atp-cef-alert-trigger-success-retrievedataprotectionbackupkey<br>microsoft-atp-cef-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguereplication<br>microsoft-atp-cef-alert-trigger-success-sensitivegroupmembershipchange<br>microsoft-atp-cef-alert-trigger-success-forgedpac<br>microsoft-atp-cef-alert-trigger-success-passtheticket<br>microsoft-atp-cef-alert-trigger-success-remoteexecution<br>microsoft-atp-cef-alert-trigger-success-directoryservicesreplicatio<br>microsoft-atp-cef-alert-trigger-success-forgedprincipal<br>microsoft-atp-cef-alert-trigger-success-ldapbruteforce<br>microsoft-azureatp-json-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-abnormalvpn<br>microsoft-atp-cef-alert-trigger-success-goldenticketencryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguepromotion | T1027 - Obfuscated Files or Information<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy | • 4 Rules |
| Malware | app-login:success (app-login)<br>microsoft-mcas-kv-app-login-success-successauth<br><br>dns-request:fail (dns-query)<br>microsoft-windows-kv-dns-request-success-response<br>microsoft-windows-cef-dns-request-success-packet<br><br>dns-response:success (dns-response)<br>microsoft-windows-cef-dns-response-success-packet<br>microsoft-windows-kv-dns-response-success-flags<br><br>alert-trigger:success (network-alert)<br>microsoft-atp-cef-alert-trigger-success-sensornetwork<br>microsoft-atp-cef-alert-trigger-success-workspacedirectory<br>microsoft-atp-cef-alert-trigger-success-sensorlowmemory<br>microsoft-atp-cef-alert-trigger-success-sensordirectory<br>microsoft-atp-cef-alert-trigger-success-sensorcapture<br><br>alert-trigger:success (security-alert)<br>microsoft-azureatp-json-alert-trigger-success-passtheticket<br>microsoft-azureatp-cef-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-bruteforcesecurityalert<br>microsoft-azureatp-cef-alert-trigger-success-securityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-enumeratesessions<br>microsoft-azureatp-json-alert-trigger-success-dnsreconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert<br>microsoft-azure-sk4-alert-trigger-success-aatp<br>microsoft-atp-cef-alert-trigger-success-dnshostname<br>microsoft-atp-cef-alert-trigger-success-ldapsearch<br>microsoft-azureatp-json-alert-trigger-success-ldapsensitiveattributereconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-advancedthreatprotection<br>microsoft-atp-cef-alert-trigger-success-abnormalprotocol<br>microsoft-atp-cef-alert-trigger-success-maliciousservicecreation<br>microsoft-atp-cef-alert-trigger-success-dnssuspiciouscommunication<br>microsoft-atp-cef-alert-trigger-success-dnsremotecodeexecution<br>microsoft-atp-cef-alert-trigger-success-goldenticketsizeanomaly<br>microsoft-atp-cef-alert-trigger-success-encryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-goldenticket<br>microsoft-atp-cef-alert-trigger-success-passthehash<br>microsoft-atp-cef-alert-trigger-success-retrievedataprotectionbackupkey<br>microsoft-atp-cef-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguereplication<br>microsoft-atp-cef-alert-trigger-success-sensitivegroupmembershipchange<br>microsoft-atp-cef-alert-trigger-success-forgedpac<br>microsoft-atp-cef-alert-trigger-success-passtheticket<br>microsoft-atp-cef-alert-trigger-success-remoteexecution<br>microsoft-atp-cef-alert-trigger-success-directoryservicesreplicatio<br>microsoft-atp-cef-alert-trigger-success-forgedprincipal<br>microsoft-atp-cef-alert-trigger-success-ldapbruteforce<br>microsoft-azureatp-json-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-abnormalvpn<br>microsoft-atp-cef-alert-trigger-success-goldenticketencryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguepromotion | T1071 - Application Layer Protocol<br>T1078 - Valid Accounts<br>T1568 - Dynamic Resolution<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms<br>T1583 - T1583<br>T1583.001 - T1583.001<br>TA0002 - TA0002 | • 10 Rules<br>• 2 Models |
| Privileged Activity | scheduled_task-trigger:success (app-activity)<br>microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered<br><br>app-login:success (app-login)<br>microsoft-mcas-kv-app-login-success-successauth<br><br>app-login:fail (failed-app-login)<br>microsoft-mcas-kv-app-login-fail-failedauth<br><br>alert-trigger:success (security-alert)<br>microsoft-azureatp-json-alert-trigger-success-passtheticket<br>microsoft-azureatp-cef-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-bruteforcesecurityalert<br>microsoft-azureatp-cef-alert-trigger-success-securityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert-1<br>microsoft-azureatp-json-alert-trigger-success-enumerationsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert<br>microsoft-azureatp-json-alert-trigger-success-enumeratesessions<br>microsoft-azureatp-json-alert-trigger-success-dnsreconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert<br>microsoft-azure-sk4-alert-trigger-success-aatp<br>microsoft-atp-cef-alert-trigger-success-dnshostname<br>microsoft-atp-cef-alert-trigger-success-ldapsearch<br>microsoft-azureatp-json-alert-trigger-success-ldapsensitiveattributereconnaissancesecurityalert<br>microsoft-azureatp-json-alert-trigger-success-advancedthreatprotection<br>microsoft-atp-cef-alert-trigger-success-abnormalprotocol<br>microsoft-atp-cef-alert-trigger-success-maliciousservicecreation<br>microsoft-atp-cef-alert-trigger-success-dnssuspiciouscommunication<br>microsoft-atp-cef-alert-trigger-success-dnsremotecodeexecution<br>microsoft-atp-cef-alert-trigger-success-goldenticketsizeanomaly<br>microsoft-atp-cef-alert-trigger-success-encryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-goldenticket<br>microsoft-atp-cef-alert-trigger-success-passthehash<br>microsoft-atp-cef-alert-trigger-success-retrievedataprotectionbackupkey<br>microsoft-atp-cef-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguereplication<br>microsoft-atp-cef-alert-trigger-success-sensitivegroupmembershipchange<br>microsoft-atp-cef-alert-trigger-success-forgedpac<br>microsoft-atp-cef-alert-trigger-success-passtheticket<br>microsoft-atp-cef-alert-trigger-success-remoteexecution<br>microsoft-atp-cef-alert-trigger-success-directoryservicesreplicatio<br>microsoft-atp-cef-alert-trigger-success-forgedprincipal<br>microsoft-atp-cef-alert-trigger-success-ldapbruteforce<br>microsoft-azureatp-json-alert-trigger-success-smbdataexfiltration<br>microsoft-atp-cef-alert-trigger-success-abnormalvpn<br>microsoft-atp-cef-alert-trigger-success-goldenticketencryptiondowngrade<br>microsoft-atp-cef-alert-trigger-success-directoryservicesroguepromotion | T1068 - Exploitation for Privilege Escalation<br>T1078 - Valid Accounts | • 3 Rules<br>• 1 Models |
| Ransomware | app-login:success (app-login)<br>microsoft-mcas-kv-app-login-success-successauth<br><br>endpoint-login:fail (authentication-failed)<br>microsoft-evsecurity-cef-app-authentication-fail-adfsauditing<br>microsoft-evsecurity-cef-app-authentication-fail-adfsauditing-1<br><br>app-login:fail (failed-app-login)<br>microsoft-mcas-kv-app-login-fail-failedauth | T1078 - Valid Accounts | • 2 Rules |