Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 58.4 KB

ds_microsoft_microsoft_defender.md

File metadata and controls

19 lines (17 loc) · 58.4 KB

Vendor: Microsoft

Product: Microsoft Defender

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
850 264 175 36 188
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access user-create:success (account-creation)
microsoft-defenderep-json-user-create-success-useraccountcreated

user-disable:success (account-disabled)
microsoft-defenderep-json-user-disable-success-accountdisabled

user-enable:success (account-enabled)
microsoft-defenderep-json-user-enable-success-accountenabled

user-password-modify:success (account-password-change)
microsoft-defenderep-json-user-password-modify-success-passwordchanged

scheduled_task-trigger:success (app-activity)
microsoft-defenderep-json-app-activity-success-clrunbackedmoduleloaded
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-script-execute-success-scriptcontent
microsoft-defenderep-json-network-notification-success-networkinfo
microsoft-defenderep-json-network-notification-advancedhunting
microsoft-defenderep-cef-network-notification-advancedhunting
microsoft-defenderep-json-group-modify-success-groupmembershipchanged
microsoft-defenderep-xml-endpoint-activity-success-eventid
microsoft-defenderep-kv-endpoint-activity-deviceevents
microsoft-defenderep-json-endpoint-activity-registryevents
microsoft-defenderep-json-clipboard-read-getclipboarddata
microsoft-defenderep-sk4-clipboard-read-getclipboarddata
microsoft-defenderep-str-app-notification-upandrunning
microsoft-defenderep-str-app-notification-clienthealthreport
microsoft-defenderep-str-app-notification-stateupdated
microsoft-defenderep-str-app-notification-avsignatureupdated
microsoft-defenderep-str-app-notification-versionupdated
microsoft-defenderep-kv-app-notification-scanfinished
microsoft-defenderep-str-app-notification-versionupdated-1
microsoft-defenderep-str-app-notification-encounterederror
microsoft-defenderep-xml-app-notification-success-1150
microsoft-defenderep-str-app-notification-removedhistory
microsoft-defenderep-cef-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-sk4-endpoint-notification-huntingdeviceevents
microsoft-defenderep-json-endpoint-notification-pnpdeviceconnected
microsoft-defenderep-json-endpoint-notification-deviceinfo
microsoft-defenderep-kv-endpoint-notification-eventhubbeat
microsoft-defenderep-cef-endpoint-notification-deviceconnected
microsoft-defenderep-json-endpoint-notification-success-devicefilecertificateinfo
microsoft-defenderep-json-app-notification-success-emailpostdeliveryevent
microsoft-defenderep-json-endpoint-activity-success-identityqueryevents
microsoft-defenderep-json-endpoint-activity-success-deviceevents
microsoft-defenderep-sk4-endpoint-activity-deviceevents
microsoft-365defender-json-endpoint-activity-success-publish-identityinfo
microsoft-defenderep-sk4-alert-trigger-acgenforced
microsoft-defenderep-sk4-alert-trigger-theftblocked
microsoft-defenderep-json-alert-trigger-success-childprocessaudited
microsoft-defenderep-sk4-alert-trigger-antivirusreport
microsoft-defenderep-json-alert-trigger-antivirusreport
microsoft-defenderep-sk4-alert-trigger-theftaudited
microsoft-defenderep-sk4-alert-trigger-childprocessaudited
microsoft-defenderep-json-endpoint-activity-success-directoryservicesreplication
microsoft-defenderep-json-endpoint-activity-success-directoryservicesreplication

endpoint-login:fail (authentication-failed)
microsoft-defenderep-json-endpoint-login-identitylogonevents
microsoft-windows-cef-endpoint-login-device

endpoint-login:success (authentication-successful)
microsoft-defenderep-json-endpoint-login-identitylogonevents
microsoft-windows-cef-endpoint-login-device

endpoint-login:fail (failed-logon)
microsoft-defenderep-cef-endpoint-login-service
microsoft-defenderep-cef-endpoint-login-remoteinteractive
microsoft-defenderep-cef-endpoint-login-network
microsoft-defenderep-cef-endpoint-login-interactive
microsoft-defenderep-cef-endpoint-login-batch

endpoint-login:success (local-logon)
microsoft-defenderep-cef-endpoint-login-interactive

group-member-add:success (member-added)
microsoft-defenderep-json-group-member-add-success-useraccountadded
microsoft-azure-kv-group-member-add-success-eventhubbeat

group-member-remove:success (member-removed)
microsoft-defenderep-json-group-member-remove-success-useraccountremoved
microsoft-azure-kv-group-member-remove-success-deviceevents

endpoint-login:success (remote-access)
microsoft-defenderep-cef-endpoint-login-network

endpoint-login:success (remote-logon)
microsoft-defenderep-json-rdp-traffic-success
microsoft-azure-csv-rdp-traffic-success-vmid
microsoft-defenderep-cef-endpoint-login-remoteinteractive

http-traffic:success (web-activity-allowed)
microsoft-defenderep-json-http-session-success-urlclickevents

http-session:fail (web-activity-denied)
microsoft-defenderep-json-http-session-success-urlclickevents
 T1021 - Remote Services
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 55 Rules
  • 26 Models
Account Manipulation user-create:success (account-creation)
microsoft-defenderep-json-user-create-success-useraccountcreated

user-password-modify:success (account-password-change)
microsoft-defenderep-json-user-password-modify-success-passwordchanged

scheduled_task-trigger:success (app-activity)
microsoft-defenderep-json-app-activity-success-clrunbackedmoduleloaded
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-json-script-execute-success-scriptcontent
microsoft-defenderep-json-network-notification-success-networkinfo
microsoft-defenderep-json-network-notification-advancedhunting
microsoft-defenderep-cef-network-notification-advancedhunting
microsoft-defenderep-json-group-modify-success-groupmembershipchanged
microsoft-defenderep-xml-endpoint-activity-success-eventid
microsoft-defenderep-kv-endpoint-activity-deviceevents
microsoft-defenderep-json-endpoint-activity-registryevents
microsoft-defenderep-json-clipboard-read-getclipboarddata
microsoft-defenderep-sk4-clipboard-read-getclipboarddata
microsoft-defenderep-str-app-notification-upandrunning
microsoft-defenderep-str-app-notification-clienthealthreport
microsoft-defenderep-str-app-notification-stateupdated
microsoft-defenderep-str-app-notification-avsignatureupdated
microsoft-defenderep-str-app-notification-versionupdated
microsoft-defenderep-kv-app-notification-scanfinished
microsoft-defenderep-str-app-notification-versionupdated-1
microsoft-defenderep-str-app-notification-encounterederror
microsoft-defenderep-xml-app-notification-success-1150
microsoft-defenderep-str-app-notification-removedhistory
microsoft-defenderep-cef-endpoint-notification-advancehuntingdevinfo
microsoft-defenderep-sk4-endpoint-notification-huntingdeviceevents
microsoft-defenderep-json-endpoint-notification-pnpdeviceconnected
microsoft-defenderep-json-endpoint-notification-deviceinfo
microsoft-defenderep-kv-endpoint-notification-eventhubbeat
microsoft-defenderep-cef-endpoint-notification-deviceconnected
microsoft-defenderep-json-endpoint-notification-success-devicefilecertificateinfo
microsoft-defenderep-json-app-notification-success-emailpostdeliveryevent
microsoft-defenderep-json-endpoint-activity-success-identityqueryevents
microsoft-defenderep-json-endpoint-activity-success-deviceevents
microsoft-defenderep-sk4-endpoint-activity-deviceevents
microsoft-365defender-json-endpoint-activity-success-publish-identityinfo
microsoft-defenderep-sk4-alert-trigger-acgenforced
microsoft-defenderep-sk4-alert-trigger-theftblocked
microsoft-defenderep-json-alert-trigger-success-childprocessaudited
microsoft-defenderep-sk4-alert-trigger-antivirusreport
microsoft-defenderep-json-alert-trigger-antivirusreport
microsoft-defenderep-sk4-alert-trigger-theftaudited
microsoft-defenderep-sk4-alert-trigger-childprocessaudited
microsoft-defenderep-json-endpoint-activity-success-directoryservicesreplication
microsoft-defenderep-json-endpoint-activity-success-directoryservicesreplication

group-member-add:success (member-added)
microsoft-defenderep-json-group-member-add-success-useraccountadded
microsoft-azure-kv-group-member-add-success-eventhubbeat

group-member-remove:success (member-removed)
microsoft-defenderep-json-group-member-remove-success-useraccountremoved
microsoft-azure-kv-group-member-remove-success-deviceevents

process-create:success (process-created)
microsoft-defenderep-json-process-create-success-events
microsoft-defenderep-cef-process-create-success-processcreated
microsoft-defenderep-sk4-process-create-success-processcreated
microsoft-windows-cef-process-create-success-process
microsoft-defenderep-json-process-memory-allocate-success-ntallocatevirtualmemory
microsoft-defenderep-cef-process-memory-allocate-advancedhunting-1
microsoft-defenderep-cef-script-execute-powershellcommand
microsoft-defenderep-json-script-execute-success-powershellcommand
microsoft-defenderep-json-process-create-success-processcreatedusingwmiquery
microsoft-azure-kv-process-create-success-processcreated
microsoft-azure-kv-process-create-success-powershellcommand
microsoft-defenderep-sk4-process-create-success-deviceprocessevents
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021 - Remote Services
T1021.003 - T1021.003
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218 - Signed Binary Proxy Execution
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559 - Inter-Process Communication
T1559.002 - T1559.002
  • 59 Rules
  • 25 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Replication Through Removable Media

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Software Deployment Tools

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Hijack Execution Flow: DLL Side-Loading

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Valid Accounts: Local Accounts

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Brute Force

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Software Deployment Tools

Replication Through Removable Media

Internal Spearphishing

 Screen Capture

Data from Information Repositories

Email Collection

Audio Capture

Archive Collected Data

Email Collection: Email Forwarding Rule

 Web Service

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Exfiltration Over C2 Channel

Exfiltration Over Physical Medium

Automated Exfiltration

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Account Access Removal

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery