Skip to content

Latest commit

 

History

History
30 lines (28 loc) · 12.4 KB

ds_ncp_ncp.md

File metadata and controls

30 lines (28 loc) · 12.4 KB
Raw

Vendor: NCP

Product: NCP

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
72 40 19 3 0
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access endpoint-login:fail (authentication-failed)
ncp-n-str-app-authentication-fail-verificationfailed

vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect

vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1021 - Remote Services
T1078 - Valid Accounts
T1133 - External Remote Services
  • 29 Rules
  • 7 Models
Account Manipulation vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
Brute Force Attack vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1110 - Brute Force
  • 1 Rules
  • 1 Models
Compromised Credentials vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect

vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 25 Rules
  • 12 Models
Data Access vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1110 - Brute Force
  • 1 Rules
  • 1 Models
Data Exfiltration vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
Data Leak vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1052 - Exfiltration Over Physical Medium
T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
T1133 - External Remote Services
TA0010 - TA0010
  • 11 Rules
  • 11 Models
Lateral Movement endpoint-login:fail (authentication-failed)
ncp-n-str-app-authentication-fail-verificationfailed

vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect

vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1021 - Remote Services
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • 8 Rules
  • 3 Models
Malware vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect
 T1078 - Valid Accounts
  • 1 Rules
Phishing vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1566 - Phishing
  • 2 Rules
  • 2 Models
Physical Security vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect
 T1133 - External Remote Services
  • 1 Rules
  • 1 Models
Privilege Abuse vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect

vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 3 Rules
  • 2 Models
Privilege Escalation vpn-logout:success (vpn-logout)
ncp-n-str-vpn-logout-success-disconnect
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555 - Credentials from Password Stores
T1555.005 - T1555.005
  • 5 Rules
  • 5 Models
Ransomware endpoint-login:fail (authentication-failed)
ncp-n-str-app-authentication-fail-verificationfailed

vpn-login:success (vpn-login)
ncp-n-kv-vpn-login-success-connect
 T1078 - Valid Accounts
  • 1 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Phishing

 External Remote Services

Valid Accounts

Account Manipulation

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Group Policy Modification

 Group Policy Modification

Valid Accounts

 Brute Force

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

 Remote Services

 Proxy: Multi-hop Proxy

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Exfiltration Over Physical Medium