| Use-Case | Activity Type (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Compromised Credentials | endpoint-login:success (authentication-successful)<br>↳ microsoft-rras-kv-authentication-success-authsuccess<br>vpn-login:success (vpn-login)<br>↳ microsoft-rras-str-vpn-login-success-assignedaddress<br>vpn-logout:success (vpn-logout)<br>↳ microsoft-rras-kv-vpn-logout-success-coid<br>↳ microsoft-rras-kv-vpn-logout-success-disconnected | T1078 - Valid Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | |
| Lateral Movement | endpoint-login:success (authentication-successful)<br>↳ microsoft-rras-kv-authentication-success-authsuccess<br>vpn-login:success (vpn-login)<br>↳ microsoft-rras-str-vpn-login-success-assignedaddress<br>vpn-logout:success (vpn-logout)<br>↳ microsoft-rras-kv-vpn-logout-success-coid<br>↳ microsoft-rras-kv-vpn-logout-success-disconnected | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | |