
uc_malware.md

Use Case: Malware

Vendor: 1password

Product MITRE ATT&CK® TTP Content
1password T1078 - Valid Accounts
  • 1 Rules

Vendor: AMD

Product MITRE ATT&CK® TTP Content
Pensando TA0011 - TA0011
  • 4 Rules

Vendor: APC

Product MITRE ATT&CK® TTP Content
APC T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: AVI Networks

Product MITRE ATT&CK® TTP Content
AVI Networks Software Load Balancer T1078 - Valid Accounts
  • 1 Rules

Vendor: Abnormal Security

Product MITRE ATT&CK® TTP Content
Abnormal Security T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Absolute

Product MITRE ATT&CK® TTP Content
Absolute DDS T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Accellion

Product MITRE ATT&CK® TTP Content
Kiteworks T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: Admin By Request

Product MITRE ATT&CK® TTP Content
Admin By Request TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Airlock

Product MITRE ATT&CK® TTP Content
Airlock Security Access Hub T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 15 Rules
  • 4 Models

Vendor: Akamai

Product MITRE ATT&CK® TTP Content
Akamai Guardicore T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
Akamai SIEM TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloud Akamai T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Alert Logic

Product MITRE ATT&CK® TTP Content
Alert Logic Managed Detection and Response TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: AlgoSec

Product MITRE ATT&CK® TTP Content
AlgoSec Firewall Analyzer TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Amazon

Product MITRE ATT&CK® TTP Content
AWS Bastion T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
AWS CloudTrail T1037 - Boot or Logon Initialization Scripts
T1078 - Valid Accounts
T1204 - User Execution
T1204.002 - T1204.002
T1204.003 - T1204.003
TA0002 - TA0002
  • 7 Rules
  • 4 Models
AWS CloudWatch T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 28 Rules
  • 7 Models
AWS Elastic Load Balancer T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
AWS GuardDuty TA0002 - TA0002
  • 4 Rules
  • 2 Models
AWS WAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Amazon Route 53 T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules

Vendor: Apache

Product MITRE ATT&CK® TTP Content
Apache T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Apache Guacamole T1078 - Valid Accounts
  • 1 Rules

Vendor: AppSense

Product MITRE ATT&CK® TTP Content
AppSense Application Manager T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models

Vendor: Apple

Product MITRE ATT&CK® TTP Content
macOS T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Arbor

Product MITRE ATT&CK® TTP Content
Arbor Cloud TA0011 - TA0011
  • 2 Rules

Vendor: Arista Networks

Product MITRE ATT&CK® TTP Content
Awake Security TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armorblox

Product MITRE ATT&CK® TTP Content
Armorblox T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: AssetView

Product MITRE ATT&CK® TTP Content
AssetView T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models

Vendor: Atlassian

Product MITRE ATT&CK® TTP Content
Atlassian T1078 - Valid Accounts
  • 1 Rules
Atlassian BitBucket T1078 - Valid Accounts
  • 1 Rules

Vendor: Attivo

Product MITRE ATT&CK® TTP Content
BOTsink TA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models

Vendor: Auth0

Product MITRE ATT&CK® TTP Content
Auth0 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models

Vendor: Avaya

Product MITRE ATT&CK® TTP Content
Avaya Ethernet Routing Switch T1078 - Valid Accounts
  • 1 Rules
Avaya VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: Axway

Product MITRE ATT&CK® TTP Content
Axway Gateway T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Banyan Security

Product MITRE ATT&CK® TTP Content
Banyan Security T1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

Product MITRE ATT&CK® TTP Content
Barracuda Cloudgen Firewall T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
TA0011 - TA0011
  • 11 Rules
  • 2 Models
Barracuda Email Security Gateway T1190 - Exploit Public-Facing Application
  • 1 Rules
Barracuda WAF TA0011 - TA0011
  • 3 Rules

Vendor: BeyondTrust

Product MITRE ATT&CK® TTP Content
BeyondInsight T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
BeyondTrust T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
BeyondTrust Privileged Identity T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
BeyondTrust Remote Support T1078 - Valid Accounts
  • 1 Rules
BeyondTrust Secure Remote Access T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Bitdefender

Product MITRE ATT&CK® TTP Content
GravityZone T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 30 Rules
  • 9 Models

Vendor: Bitglass

Product MITRE ATT&CK® TTP Content
Bitglass CASB T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: BlackBerry

Product MITRE ATT&CK® TTP Content
BlackBerry Protect T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 28 Rules
  • 8 Models

Vendor: BlueCat Networks

Product MITRE ATT&CK® TTP Content
BlueCat Networks T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules

Vendor: Box

Product MITRE ATT&CK® TTP Content
Box Cloud Content Management T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Bromium

Product MITRE ATT&CK® TTP Content
Bromium Secure Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models

Vendor: CA Technologies

Product MITRE ATT&CK® TTP Content
CA Privileged Access Manager Server Control T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: CDS

Product MITRE ATT&CK® TTP Content
CDS T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: CatoNetworks

Product MITRE ATT&CK® TTP Content
Cato Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: CenturyLink

Product MITRE ATT&CK® TTP Content
CenturyLink Managed Security Service TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Check Point

Product MITRE ATT&CK® TTP Content
Check Point Anti-Malware TA0002 - TA0002
  • 4 Rules
  • 2 Models
Check Point Avanan T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Endpoint Security TA0002 - TA0002
  • 4 Rules
  • 2 Models
Check Point Identity Awareness T1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 9 Rules
  • 2 Models
Check Point NGFW T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 36 Rules
  • 9 Models
Check Point Security Gateway T1078 - Valid Accounts
  • 1 Rules
Check Point Threat Emulation TA0002 - TA0002
  • 4 Rules
  • 2 Models
Check Point vSEC Virtual Edition T1078 - Valid Accounts
  • 1 Rules
SmartDefense TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Checkmarx

Product MITRE ATT&CK® TTP Content
Checkmarx T1078 - Valid Accounts
  • 1 Rules

Vendor: Cisco

Product MITRE ATT&CK® TTP Content
Airespace Wireless LAN Controller TA0002 - TA0002
  • 4 Rules
  • 2 Models
AnyConnect T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 25 Rules
  • 6 Models
Cisco T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 2 Rules
Cisco ACI T1078 - Valid Accounts
  • 1 Rules
Cisco ACS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
Cisco ADC T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models
Cisco Adaptive Security Appliance T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 194 Rules
  • 33 Models
Cisco Cloud Web Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Cisco CloudLock TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Cognitive Threat Analytics TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Firepower T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 200 Rules
  • 33 Models
Cisco IOS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 26 Models
Cisco ISE T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Cisco Meraki MX appliance T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models
Cisco Netflow TA0011 - TA0011
  • 3 Rules
Cisco Secure Cloud Analytics TA0011 - TA0011
  • 3 Rules
Cisco Secure Email T1190 - Exploit Public-Facing Application
  • 1 Rules
Cisco Secure Endpoint TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Secure Network Analytics T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models
Cisco Secure Web Appliance T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Cisco Umbrella T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models
Cisco Unified Communications Manager T1078 - Valid Accounts
  • 1 Rules
Duo Access T1078 - Valid Accounts
  • 1 Rules
IronPort Email T1190 - Exploit Public-Facing Application
  • 1 Rules
IronPort Web Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Citrix

Product MITRE ATT&CK® TTP Content
Citrix Endpoint Management T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Citrix Gateway T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 192 Rules
  • 33 Models
Citrix ShareFile T1078 - Valid Accounts
  • 1 Rules
Citrix Virtual Apps T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Citrix Virtual Desktop T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Citrix Web App Firewall TA0011 - TA0011
  • 4 Rules

Vendor: Claroty

Product MITRE ATT&CK® TTP Content
CTD T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Claroty TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Clearsense

Product MITRE ATT&CK® TTP Content
Clearsense T1078 - Valid Accounts
  • 1 Rules

Vendor: Clearswift

Product MITRE ATT&CK® TTP Content
Clearswift Secure Email Gateway T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: Click Studios

Product MITRE ATT&CK® TTP Content
Passwordstate T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Cloudflare

Product MITRE ATT&CK® TTP Content
Cloudflare CDN TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloudflare Insights T1078 - Valid Accounts
  • 1 Rules
Cloudflare WAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 33 Rules
  • 9 Models

Vendor: Code42

Product MITRE ATT&CK® TTP Content
Code42 Incydr T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Cofense

Product MITRE ATT&CK® TTP Content
Cofense Phishme TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cognitas CrossLink

Product MITRE ATT&CK® TTP Content
Cognitas CrossLink T1078 - Valid Accounts
  • 1 Rules

Vendor: Cohesity

Product MITRE ATT&CK® TTP Content
Cohesity DataPlatform T1078 - Valid Accounts
  • 1 Rules

Vendor: Contrast Security

Product MITRE ATT&CK® TTP Content
Contrast Agent TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: CrowdStrike

Product MITRE ATT&CK® TTP Content
Falcon T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 208 Rules
  • 44 Models
Identity Threat Detection & Response T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: CyberArk

Product MITRE ATT&CK® TTP Content
CyberArk Endpoint Privilege Manager T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models
CyberArk Privilege Access Manager T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 15 Rules
  • 5 Models

Vendor: Cybereason

Product MITRE ATT&CK® TTP Content
Cybereason TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cylance

Product MITRE ATT&CK® TTP Content
Cylance OPTICS T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 36 Rules
  • 10 Models

Vendor: Cynet

Product MITRE ATT&CK® TTP Content
Cynet EDR T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models

Vendor: Damballa

Product MITRE ATT&CK® TTP Content
Damballa Failsafe TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Darktrace

Product MITRE ATT&CK® TTP Content
Darktrace T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Delinea

Product MITRE ATT&CK® TTP Content
Centrify Audit and Monitoring Service T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
Centrify Authentication Service T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Centrify Infrastructure Services T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Centrify Zero Trust Privilege Services T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Thycotic Software Secret Server T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Dell

Product MITRE ATT&CK® TTP Content
EMC Isilon T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 13 Rules
  • 5 Models
One Identity Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models
Sonicwall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 31 Rules
  • 9 Models

Vendor: Digital Arts

Product MITRE ATT&CK® TTP Content
Digital Arts i-FILTER for Business T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Digital Guardian

Product MITRE ATT&CK® TTP Content
Digital Guardian Endpoint Protection T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 179 Rules
  • 29 Models
Digital Guardian Network DLP T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Dropbox

Product MITRE ATT&CK® TTP Content
Dropbox T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Dtex Systems

Product MITRE ATT&CK® TTP Content
DTEX InTERCEPT T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 198 Rules
  • 36 Models

Vendor: EMP

Product MITRE ATT&CK® TTP Content
EMP T1078 - Valid Accounts
  • 1 Rules

Vendor: ESET

Product MITRE ATT&CK® TTP Content
ESET Endpoint Security T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ESector

Product MITRE ATT&CK® TTP Content
ESector DEFESA Logger T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: EdgeWave

Product MITRE ATT&CK® TTP Content
EdgeWave iPrism T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Egnyte

Product MITRE ATT&CK® TTP Content
Egnyte T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Endgame

Product MITRE ATT&CK® TTP Content
Endgame EDR TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Entrust

Product MITRE ATT&CK® TTP Content
Entrust Identity Enterprise T1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

Product MITRE ATT&CK® TTP Content
Epic SIEM T1078 - Valid Accounts
  • 1 Rules

Vendor: Exabeam

Product MITRE ATT&CK® TTP Content
Correlation Rule TA0002 - TA0002
  • 4 Rules
  • 2 Models
Search TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Extrahop

Product MITRE ATT&CK® TTP Content
Extrahop Reveal(x) T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Extreme Networks

Product MITRE ATT&CK® TTP Content
EXOS T1078 - Valid Accounts
  • 1 Rules
Zebra WLAN Management T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: F-Secure

Product MITRE ATT&CK® TTP Content
F-Secure Client Security TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: F5

Product MITRE ATT&CK® TTP Content
F5 Access Policy Manager T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules
F5 Advanced Firewall Manager TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
F5 Advanced Web Application Firewall T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 170 Rules
  • 26 Models
F5 Application Security Manager T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
F5 BIG-IP T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
F5 BIG-IP DNS T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules
F5 IP Intelligence TA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 Local Traffic Manager TA0011 - TA0011
  • 3 Rules
F5 Silverline TA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 WebSafe T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: FTP

Product MITRE ATT&CK® TTP Content
FTP T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Fast Enterprises

Product MITRE ATT&CK® TTP Content
Fast Enterprises GenTax T1078 - Valid Accounts
  • 1 Rules

Vendor: Fastly

Product MITRE ATT&CK® TTP Content
Next-Gen Web Application Firewall TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Fidelis

Product MITRE ATT&CK® TTP Content
Fidelis Network TA0002 - TA0002
  • 4 Rules
  • 2 Models
Fidelis XPS T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: FileAuditor

Product MITRE ATT&CK® TTP Content
FileAuditor T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: FireEye

Product MITRE ATT&CK® TTP Content
FireEye CMS T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
FireEye ETP T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
FireEye Email MPS TA0002 - TA0002
  • 4 Rules
  • 2 Models
FireEye Endpoint Security (HX) T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 35 Rules
  • 11 Models
FireEye Helix TA0002 - TA0002
  • 4 Rules
  • 2 Models
FireEye Network Security (NX) T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 47 Rules
  • 12 Models
FireEye Web MPS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: FireMon

Product MITRE ATT&CK® TTP Content
FireMon T1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

Product MITRE ATT&CK® TTP Content
Forcepoint CASB T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
Forcepoint DLP T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Forcepoint Email Security T1190 - Exploit Public-Facing Application
  • 1 Rules
Forcepoint Email Security Gateway T1190 - Exploit Public-Facing Application
  • 1 Rules
Forcepoint Insider Threat TA0002 - TA0002
  • 4 Rules
  • 2 Models
Forcepoint Next-Gen Firewall TA0011 - TA0011
  • 4 Rules
Websense Security Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Forescout

Product MITRE ATT&CK® TTP Content
EyeInspect T1210 - Exploitation of Remote Services
  • 1 Rules
Forescout CounterACT TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor: Fortinet

Product MITRE ATT&CK® TTP Content
EnSilo TA0002 - TA0002
  • 4 Rules
  • 2 Models
FortiAuthenticator T1078 - Valid Accounts
  • 1 Rules
FortiGate T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 39 Rules
  • 9 Models
FortiSIEM T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Fortinet Enterprise Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models
Fortinet UTM T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 31 Rules
  • 9 Models
Fortinet VPN TA0011 - TA0011
  • 3 Rules
Fortiweb Web Application Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: FreeBSD

Product MITRE ATT&CK® TTP Content
FreeBSD T1078 - Valid Accounts
  • 1 Rules

Vendor: GTB

Product MITRE ATT&CK® TTP Content
GTB Technologies DLP TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Gamma

Product MITRE ATT&CK® TTP Content
Gamma TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: GitHub

Product MITRE ATT&CK® TTP Content
GitHub T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models

Vendor: GoAnywhere

Product MITRE ATT&CK® TTP Content
GoAnywhere MFT T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Google

Product MITRE ATT&CK® TTP Content
GCP CloudAudit T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Google Cloud Platform T1037 - Boot or Logon Initialization Scripts
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1204.003 - T1204.003
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 36 Rules
  • 12 Models
Google Workspace T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: HP

Product MITRE ATT&CK® TTP Content
Aruba ClearPass Policy Manager T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Aruba Mobility Master T1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controller T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
HP Virtual Connect Enterprise Manager T1078 - Valid Accounts
  • 1 Rules
HP iLO T1078 - Valid Accounts
  • 1 Rules
HPE Comware T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: HashiCorp

Product MITRE ATT&CK® TTP Content
HashiCorp Vault T1078 - Valid Accounts
  • 1 Rules
Terraform T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: HelpSystems

Product MITRE ATT&CK® TTP Content
Powertech Identity and Access Manager T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 29 Models

Vendor: Hornet

Product MITRE ATT&CK® TTP Content
Hornetsecurity Cloud Email Security Services T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Huawei

Product MITRE ATT&CK® TTP Content
Huawei Enterprise Network Firewall TA0011 - TA0011
  • 4 Rules
Huawei Unified Security Gateway T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 29 Models

Vendor: IBM

Product MITRE ATT&CK® TTP Content
DB2 T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Guardium TA0002 - TA0002
  • 2 Rules
  • 1 Models
HCL Notes TA0011 - TA0011
  • 3 Rules
IBM T1078 - Valid Accounts
  • 1 Rules
IBM Mainframe T1078 - Valid Accounts
  • 1 Rules
IBM Mobile Connect T1078 - Valid Accounts
  • 1 Rules
IBM Resource Access Control Facility T1078 - Valid Accounts
  • 1 Rules
IBM Security Trusteer Apex Advanced Malware Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
IBM Sense TA0002 - TA0002
  • 4 Rules
  • 2 Models
Proventia Network IPS TA0002 - TA0002
  • 4 Rules
  • 2 Models
QRadar SIEM TA0002 - TA0002
  • 4 Rules
  • 2 Models
Sametime T1078 - Valid Accounts
  • 1 Rules
Security Access Manager T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Sterling B2B Integrator T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: IMSS

Product MITRE ATT&CK® TTP Content
IMSS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: IMSVA

Product MITRE ATT&CK® TTP Content
IMSVA T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: IPTables

Product MITRE ATT&CK® TTP Content
IPTables FW TA0011 - TA0011
  • 4 Rules

Vendor: Illumio

Product MITRE ATT&CK® TTP Content
Illumio Core TA0011 - TA0011
  • 4 Rules

Vendor: Imperva

Product MITRE ATT&CK® TTP Content
Attack Analytics TA0002 - TA0002
  • 4 Rules
  • 2 Models
CounterBreach TA0002 - TA0002
  • 2 Rules
  • 1 Models
Imperva File Activity Monitoring T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
Imperva Incapsula T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Imperva SecureSphere T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Imprivata

Product MITRE ATT&CK® TTP Content
Imprivata T1078 - Valid Accounts
  • 1 Rules

Vendor: InfoWatch

Product MITRE ATT&CK® TTP Content
InfoWatch DLP T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: Infoblox

Product MITRE ATT&CK® TTP Content
BloxOne DDI T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 48 Rules
  • 12 Models
Infoblox NIOS T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules

Vendor: Inky

Product MITRE ATT&CK® TTP Content
Inky Anti-Phishing TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Ipswitch

Product MITRE ATT&CK® TTP Content
MoveIt Transfer T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: IronNet

Product MITRE ATT&CK® TTP Content
IronDefense TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Ivanti

Product MITRE ATT&CK® TTP Content
Ivanti Pulse Secure T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 26 Rules
  • 7 Models

Vendor: Jumpcloud

Product MITRE ATT&CK® TTP Content
Jumpcloud T1078 - Valid Accounts
  • 1 Rules

Vendor: Juniper Networks

Product MITRE ATT&CK® TTP Content
Juniper Advanced Threat Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Juniper SRX Series T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models
Junos OS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: Kasada

Product MITRE ATT&CK® TTP Content
Kasada T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Kaspersky

Product MITRE ATT&CK® TTP Content
Kaspersky AV TA0002 - TA0002
  • 2 Rules
  • 1 Models
Kaspersky Endpoint Security for Business TA0002 - TA0002
  • 4 Rules
  • 2 Models
Kaspersky Secure Mail Gateway T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: Kemp

Product MITRE ATT&CK® TTP Content
Kemp LoadMaster T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: LEAP

Product MITRE ATT&CK® TTP Content
LEAP T1078 - Valid Accounts
  • 1 Rules

Vendor: LOGBinder

Product MITRE ATT&CK® TTP Content
LOGBinder for SharePoint T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Lacework

Product MITRE ATT&CK® TTP Content
Lacework TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: LanScope

Product MITRE ATT&CK® TTP Content
LanScope Cat T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 204 Rules
  • 37 Models

Vendor: LastPass

Product MITRE ATT&CK® TTP Content
LastPass T1078 - Valid Accounts
  • 1 Rules

Vendor: Lenel

Product MITRE ATT&CK® TTP Content
OnGuard T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: LiquidFiles

Product MITRE ATT&CK® TTP Content
LiquidFiles T1078 - Valid Accounts
  • 1 Rules

Vendor: LogMeIn

Product MITRE ATT&CK® TTP Content
RemotelyAnywhere T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: LogRhythm

Product MITRE ATT&CK® TTP Content
LogRhythm T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: Lookout

Product MITRE ATT&CK® TTP Content
Lookout TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Lumension

Product MITRE ATT&CK® TTP Content
Lumension TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Malwarebytes

Product MITRE ATT&CK® TTP Content
Malwarebytes Endpoint Detection and Response T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 27 Rules
  • 9 Models
Malwarebytes Endpoint Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Malwarebytes Incident Response TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ManageEngine

Product MITRE ATT&CK® TTP Content
ADAuditPlus T1078 - Valid Accounts
  • 1 Rules
ADManager Plus TA0002 - TA0002
  • 4 Rules
  • 2 Models
ADSSP T1078 - Valid Accounts
  • 1 Rules
PAM360 T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: MasterSAM

Product MITRE ATT&CK® TTP Content
MasterSAM PAM T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

Product MITRE ATT&CK® TTP Content
Advanced Threat Defense TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Application Control TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee DAM TA0002 - TA0002
  • 2 Rules
  • 1 Models
McAfee DLP Endpoint T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
McAfee DLP Prevent T1190 - Exploit Public-Facing Application
  • 1 Rules
McAfee Email Protection T1190 - Exploit Public-Facing Application
  • 1 Rules
McAfee Endpoint Security T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1059 - Command and Scripting Interpreter
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1190 - Exploit Public-Facing Application
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 40 Rules
  • 12 Models
McAfee Enterprise Security Manager T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
McAfee Network Security Platform T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
McAfee SiteAdvisor TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Web Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
McAfee ePolicy Orchestrator TA0002 - TA0002
  • 4 Rules
  • 2 Models
Skyhigh Networks CASB T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Menlo Security

Product MITRE ATT&CK® TTP Content
Menlo Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Microsoft

Product MITRE ATT&CK® TTP Content
Azure AD Activity Logs T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 4 Rules
Azure AD Identity Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure AD Sign-In Logs T1078 - Valid Accounts
  • 1 Rules
Azure ATP T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
  • 10 Rules
  • 2 Models
Azure Container Registry T1078 - Valid Accounts
  • 1 Rules
Azure Firewall TA0011 - TA0011
  • 4 Rules
Azure Key Vault T1078 - Valid Accounts
  • 1 Rules
Azure MFA T1078 - Valid Accounts
  • 1 Rules
Azure Monitor T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1204.003 - T1204.003
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 50 Rules
  • 16 Models
Azure Monitor - VM Insights T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Event Viewer - ADFS T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Event Viewer - Application T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - Applocker TA0002 - TA0002
  • 4 Rules
  • 2 Models
Event Viewer - DNSClient T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Event Viewer - DNSServer T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules
Event Viewer - NPS T1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLM T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 2 Rules
Event Viewer - OpenSSH T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - PowerShell T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Event Viewer - Security T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 219 Rules
  • 51 Models
Event Viewer - System T1036 - Masquerading
T1053 - Scheduled Task/Job
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 29 Rules
  • 15 Models
Event Viewer - TaskScheduler T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
TA0002 - TA0002
  • 13 Rules
  • 9 Models
Event Viewer - TerminalServices-Gateway T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - TerminalServices-RemoteConnectionManager T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Event Viewer - WinNat T1078 - Valid Accounts
  • 1 Rules
MSSQL T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1078 - Valid Accounts
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 27 Rules
  • 7 Models
Microsoft 365 T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 29 Models
Microsoft Advanced Threat Analytics TA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft CAS T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 14 Rules
  • 5 Models
Microsoft DNS Log T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules
Microsoft Defender for Cloud T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models
Microsoft Defender for Endpoint T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 227 Rules
  • 47 Models
Microsoft Defender for Office 365 TA0002 - TA0002
  • 4 Rules
  • 2 Models
Microsoft Exchange T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules
Microsoft IIS T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Microsoft RRAS T1078 - Valid Accounts
  • 1 Rules
Microsoft Sentinel T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
Microsoft WMI Log T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Microsoft Web Application Proxy T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Network Security Group Flow Logs TA0011 - TA0011
  • 4 Rules
Sysmon T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 189 Rules
  • 33 Models
Web Application Proxy-TLS Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Windows Defender Application Control T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models

Vendor: Mimecast

Product MITRE ATT&CK® TTP Content
Mimecast Secure Email Gateway T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules
Mimecast Targeted Threat Protection - URL T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: MobileIron

Product MITRE ATT&CK® TTP Content
MobileIron TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Morphisec

Product MITRE ATT&CK® TTP Content
Morphisec TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Mvision

Product MITRE ATT&CK® TTP Content
Mvision TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models

Vendor: NCP

Product MITRE ATT&CK® TTP Content
NCP T1078 - Valid Accounts
  • 1 Rules

Vendor: NNT

Product MITRE ATT&CK® TTP Content
NNT ChangeTracker T1078 - Valid Accounts
  • 1 Rules

Vendor: Nasuni

Product MITRE ATT&CK® TTP Content
Nasuni T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: NetApp

Product MITRE ATT&CK® TTP Content
NetApp T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: NetDocs

Product MITRE ATT&CK® TTP Content
NetDocs T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: NetIQ

Product MITRE ATT&CK® TTP Content
Micro Focus NetIQ Identity Manager T1078 - Valid Accounts
  • 1 Rules

Vendor: NetMotion Wireless

Product MITRE ATT&CK® TTP Content
NetMotion Wireless T1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

Product MITRE ATT&CK® TTP Content
Netskope IoT Security TA0002 - TA0002
  • 4 Rules
  • 2 Models
Netskope Security Cloud T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 42 Rules
  • 12 Models
Netskope Webtx T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 28 Rules
  • 7 Models

Vendor: Netwrix

Product MITRE ATT&CK® TTP Content
Netwrix Auditor T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models
Netwrix Threat Prevention T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 1 Rules

Vendor: NextDLP

Product MITRE ATT&CK® TTP Content
Reveal T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 37 Rules
  • 12 Models

Vendor: Nexthink

Product MITRE ATT&CK® TTP Content
Nexthink Infinity TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nightfall

Product MITRE ATT&CK® TTP Content
Nightfall AI TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nortel Contivity

Product MITRE ATT&CK® TTP Content
Nortel Contivity VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: Novell

Product MITRE ATT&CK® TTP Content
eDirectory TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nozomi Networks

Product MITRE ATT&CK® TTP Content
Nozomi Networks Guardian TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nutanix

Product MITRE ATT&CK® TTP Content
Nutanix Unified Storage T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: OSSEC

Product MITRE ATT&CK® TTP Content
OSSEC TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Okta

Product MITRE ATT&CK® TTP Content
Okta Adaptive MFA T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Onapsis

Product MITRE ATT&CK® TTP Content
Onapsis T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: OneLogin

Product MITRE ATT&CK® TTP Content
OneLogin T1078 - Valid Accounts
  • 1 Rules

Vendor: OneSpan

Product MITRE ATT&CK® TTP Content
OneSpan Sign T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: OneWelcome

Product MITRE ATT&CK® TTP Content
OneWelcome Cloud Identity Platform T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Open VPN

Product MITRE ATT&CK® TTP Content
Open VPN T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: OpenDJ

Product MITRE ATT&CK® TTP Content
OpenDJ T1078 - Valid Accounts
  • 1 Rules

Vendor: OpenLDAP

Product MITRE ATT&CK® TTP Content
OpenLDAP T1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

Product MITRE ATT&CK® TTP Content
Oracle Access Management T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models
Oracle Public Cloud T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
Solaris T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models

Vendor: Ordr

Product MITRE ATT&CK® TTP Content
Ordr SCE TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Osirium

Product MITRE ATT&CK® TTP Content
Osirium T1078 - Valid Accounts
  • 1 Rules

Vendor: Palo Alto Networks

Product MITRE ATT&CK® TTP Content
Cortex XDR T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
GlobalProtect T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
TA0011 - TA0011
  • 10 Rules
  • 2 Models
Palo Alto Aperture T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models
Palo Alto NGFW T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 35 Rules
  • 9 Models
Palo Alto WildFire TA0002 - TA0002
  • 4 Rules
  • 2 Models
Prisma Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models
Prisma Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
  • 32 Rules
  • 9 Models
Traps Endpoint Security Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Password Manager Pro

Product MITRE ATT&CK® TTP Content
Password Manager Pro T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Phantom

Product MITRE ATT&CK® TTP Content
Phantom T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: Ping Identity

Product MITRE ATT&CK® TTP Content
Ping Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Ping Identity T1078 - Valid Accounts
  • 1 Rules
PingOne T1078 - Valid Accounts
  • 1 Rules

Vendor: Postfix

Product MITRE ATT&CK® TTP Content
Postfix T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: PowerDNS

Product MITRE ATT&CK® TTP Content
PowerDNS Recursor T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules

Vendor: PowerSentry

Product MITRE ATT&CK® TTP Content
PowerSentry T1078 - Valid Accounts
  • 1 Rules

Vendor: Progress

Product MITRE ATT&CK® TTP Content
Progress Database T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Proofpoint

Product MITRE ATT&CK® TTP Content
ObserveIT T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 168 Rules
  • 26 Models
Proofpoint CASB TA0002 - TA0002
  • 4 Rules
  • 2 Models
Proofpoint Email Protection T1190 - Exploit Public-Facing Application
  • 1 Rules
Proofpoint Enterprise Protection TA0002 - TA0002
  • 4 Rules
  • 2 Models
Targeted Attack Platform T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Qualys

Product MITRE ATT&CK® TTP Content
Qualys AssetView TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Quest Software

Product MITRE ATT&CK® TTP Content
Quest Change Auditor for Active Directory T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 15 Rules
  • 5 Models

Vendor: RSA

Product MITRE ATT&CK® TTP Content
RSA Authentication Manager T1078 - Valid Accounts
  • 1 Rules
RSA DLP T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
RSA ECAT TA0002 - TA0002
  • 4 Rules
  • 2 Models
RSA NetWitness Platform T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules
SecurID T1078 - Valid Accounts
  • 1 Rules

Vendor: RUID

Product MITRE ATT&CK® TTP Content
RUID T1078 - Valid Accounts
  • 1 Rules

Vendor: RangerAudit

Product MITRE ATT&CK® TTP Content
RangerAudit T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Rapid7

Product MITRE ATT&CK® TTP Content
Rapid7 InsightVM TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Red Canary

Product MITRE ATT&CK® TTP Content
Red Canary Managed Detection and Response TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: RedShield

Product MITRE ATT&CK® TTP Content
RedShield WAF TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Rubrik

Product MITRE ATT&CK® TTP Content
Rubrik Cloud Data Management T1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

Product MITRE ATT&CK® TTP Content
SAP T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 14 Rules
  • 5 Models

Vendor: SIGSCI

Product MITRE ATT&CK® TTP Content
SIGSCI T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: SafeSend

Product MITRE ATT&CK® TTP Content
SafeSend T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: Safend

Product MITRE ATT&CK® TTP Content
Data Protection Suite (DPS) TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Sailpoint

Product MITRE ATT&CK® TTP Content
IdentityNow T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models
SecurityIQ T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Salesforce

Product MITRE ATT&CK® TTP Content
Salesforce T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Sangfor

Product MITRE ATT&CK® TTP Content
Sangfor NGAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: Secomea

Product MITRE ATT&CK® TTP Content
Secomea T1078 - Valid Accounts
  • 1 Rules

Vendor: SecurEnvoy

Product MITRE ATT&CK® TTP Content
SecurEnvoy Multi-Factor Authentication T1078 - Valid Accounts
  • 1 Rules

Vendor: Secure Computing

Product MITRE ATT&CK® TTP Content
Secure Computing SafeWord T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

Product MITRE ATT&CK® TTP Content
SecureAuth IDP T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
SecureAuth Login T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureLink

Product MITRE ATT&CK® TTP Content
SecureLink T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureNet

Product MITRE ATT&CK® TTP Content
SecureNet T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureWorks

Product MITRE ATT&CK® TTP Content
Managed iSensor IPS TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Semperis

Product MITRE ATT&CK® TTP Content
Semperis DSP T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: SentinelOne

Product MITRE ATT&CK® TTP Content
Singularity Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 222 Rules
  • 48 Models
Vigilance T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ServiceNow

Product MITRE ATT&CK® TTP Content
ServiceNow T1078 - Valid Accounts
  • 1 Rules

Vendor: Shibboleth

Product MITRE ATT&CK® TTP Content
Shibboleth T1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

Product MITRE ATT&CK® TTP Content
Silverfort Authentication Platform T1078 - Valid Accounts
  • 1 Rules

Vendor: SiteMinder

Product MITRE ATT&CK® TTP Content
Symantec SiteMinder T1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

Product MITRE ATT&CK® TTP Content
SkySea ClientView T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 200 Rules
  • 36 Models

Vendor: Skyformation

Product MITRE ATT&CK® TTP Content
Skyformation T1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

Product MITRE ATT&CK® TTP Content
Skyhigh Security Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models

Vendor: Snort

Product MITRE ATT&CK® TTP Content
Snort TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Sophos

Product MITRE ATT&CK® TTP Content
Sophos Endpoint Protection T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 29 Rules
  • 9 Models
Sophos UTM T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models
Sophos XG Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models

Vendor: Splunk

Product MITRE ATT&CK® TTP Content
Splunk ES TA0011 - TA0011
  • 3 Rules
Splunk Stream T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 5 Rules

Vendor: Squid

Product MITRE ATT&CK® TTP Content
Squid T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: StealthBits

Product MITRE ATT&CK® TTP Content
StealthIntercept T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: SunOne

Product MITRE ATT&CK® TTP Content
SunOne T1078 - Valid Accounts
  • 1 Rules

Vendor: Suricata

Product MITRE ATT&CK® TTP Content
Suricata TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Swift

Product MITRE ATT&CK® TTP Content
Swift T1078 - Valid Accounts
  • 1 Rules

Vendor: Swivel

Product MITRE ATT&CK® TTP Content
Swivel T1078 - Valid Accounts
  • 1 Rules

Vendor: Symantec

Product MITRE ATT&CK® TTP Content
Symantec Advanced Threat Protection T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 184 Rules
  • 33 Models
Symantec CloudSOC T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Content Analysis System TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec Critical System Protection T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec DLP T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Email Security T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Endpoint Protection T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
TA0011 - TA0011
  • 39 Rules
  • 11 Models
Symantec Fireglass T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Symantec Managed Security Services TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec VIP T1078 - Valid Accounts
  • 1 Rules
Symantec Web Security Service T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 35 Rules
  • 9 Models

Vendor: Synology NAS

Product MITRE ATT&CK® TTP Content
Synology NAS T1569 - System Services
T1569.002 - T1569.002
  • 1 Rules

Vendor: Sysdig

Product MITRE ATT&CK® TTP Content
Sysdig Monitor T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models

Vendor: Tanium

Product MITRE ATT&CK® TTP Content
Tanium Cloud Platform T1078 - Valid Accounts
  • 1 Rules
Tanium Core Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 168 Rules
  • 26 Models
Tanium Integrity Monitor T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 175 Rules
  • 28 Models
Tanium Threat Response TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tenable

Product MITRE ATT&CK® TTP Content
Tenable Identity Exposure TA0002 - TA0002
  • 4 Rules
  • 2 Models
Tenable Vulnerability Management TA0002 - TA0002
  • 4 Rules
  • 2 Models
Tenable Web App Scanning TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tessian

Product MITRE ATT&CK® TTP Content
Tessian Cloud Email Security T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: Thales Group

Product MITRE ATT&CK® TTP Content
Gemalto MFA T1078 - Valid Accounts
  • 1 Rules

Vendor: ThreatBlockr

Product MITRE ATT&CK® TTP Content
ThreatBlockr T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 6 Rules

Vendor: TrapX

Product MITRE ATT&CK® TTP Content
TrapX TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Trend Micro

Product MITRE ATT&CK® TTP Content
Apex One TA0002 - TA0002
  • 4 Rules
  • 2 Models
Deep Discovery Inspector T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Deep Security T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 201 Rules
  • 45 Models
OfficeScan T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 28 Rules
  • 9 Models
TippingPoint NGIPS TA0002 - TA0002
  • 4 Rules
  • 2 Models
Trend Micro Cloud App Security TA0002 - TA0002
  • 4 Rules
  • 2 Models
Trend Micro Email Security T1190 - Exploit Public-Facing Application
  • 1 Rules
Trend Micro ScanMail TA0002 - TA0002
  • 4 Rules
  • 2 Models
Vision One T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Tripwire Enterprise

Product MITRE ATT&CK® TTP Content
Tripwire Enterprise TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Tufin

Product MITRE ATT&CK® TTP Content
Tufin SecureTrack T1078 - Valid Accounts
  • 1 Rules

Vendor: Tyco

Product MITRE ATT&CK® TTP Content
CCURE Building Management System T1078 - Valid Accounts
  • 1 Rules

Vendor: Unix

Product MITRE ATT&CK® TTP Content
Auditbeat T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 171 Rules
  • 26 Models
BIND DNS T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Unix T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 179 Rules
  • 29 Models
Unix Auditd T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 176 Rules
  • 29 Models
Unix Named T1071 - Application Layer Protocol
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
  • 3 Rules
Unix Privilege Management TA0002 - TA0002
  • 4 Rules
  • 2 Models
Unix Sendmail T1190 - Exploit Public-Facing Application
  • 1 Rules
rsyslog TA0011 - TA0011
  • 2 Rules

Vendor: VBCorp

Product MITRE ATT&CK® TTP Content
VBCorp TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: VMS Software

Product MITRE ATT&CK® TTP Content
OpenVMS T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: VMware

Product MITRE ATT&CK® TTP Content
Carbon Black App Control T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 31 Models
Carbon Black CES T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 181 Rules
  • 31 Models
Carbon Black EDR T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 186 Rules
  • 34 Models
Lastline TA0002 - TA0002
  • 4 Rules
  • 2 Models
NSX Distributed Firewall TA0011 - TA0011
  • 4 Rules
VMware AirWatch T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
VMware ESXi T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
VMware Horizon T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
VMware Identity Manager TA0002 - TA0002
  • 4 Rules
  • 2 Models
VMware NSX TA0011 - TA0011
  • 4 Rules
VMware View T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
vCenter T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 16 Rules
  • 9 Models

Vendor: Varonis

Product MITRE ATT&CK® TTP Content
Varonis Data Security Platform T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models

Vendor: Vectra

Product MITRE ATT&CK® TTP Content
Vectra Cognito Detect TA0002 - TA0002
  • 4 Rules
  • 2 Models
Vectra Cognito Stream T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 38 Rules
  • 11 Models

Vendor: Verizon

Product MITRE ATT&CK® TTP Content
Verizon NDR TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vicarius

Product MITRE ATT&CK® TTP Content
Vicarius vRx TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Virtru

Product MITRE ATT&CK® TTP Content
Virtru TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vormetric

Product MITRE ATT&CK® TTP Content
Vormetric TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Watchguard

Product MITRE ATT&CK® TTP Content
Watchguard T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 29 Rules
  • 7 Models

Vendor: Wazuh

Product MITRE ATT&CK® TTP Content
Wazuh T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Weblogin

Product MITRE ATT&CK® TTP Content
Weblogin T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models

Vendor: Wiz

Product MITRE ATT&CK® TTP Content
Wiz T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Workday

Product MITRE ATT&CK® TTP Content
Workday T1078 - Valid Accounts
  • 1 Rules

Vendor: Xceedium

Product MITRE ATT&CK® TTP Content
Xceedium T1078 - Valid Accounts
  • 1 Rules

Vendor: Xiting

Product MITRE ATT&CK® TTP Content
XAMS T1078 - Valid Accounts
  • 1 Rules

Vendor: Zeek

Product MITRE ATT&CK® TTP Content
Zeek T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 51 Rules
  • 12 Models

Vendor: Zimperium

Product MITRE ATT&CK® TTP Content
Zimperium MTD TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Zscaler

Product MITRE ATT&CK® TTP Content
FW Zscaler Cloud TA0011 - TA0011
  • 4 Rules
Zscaler Internet Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 39 Rules
  • 9 Models
Zscaler Private Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 30 Rules
  • 7 Models

Vendor: iBoss

Product MITRE ATT&CK® TTP Content
Iboss Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: iManage

Product MITRE ATT&CK® TTP Content
iManage TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: oVirt

Product MITRE ATT&CK® TTP Content
oVirt T1078 - Valid Accounts
  • 1 Rules

Vendor: pfSense

Product MITRE ATT&CK® TTP Content
pfSense TA0011 - TA0011
  • 4 Rules

Vendor: xsuite

Product MITRE ATT&CK® TTP Content
xsuite T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models