875 lines (873 loc) · 287 KB

uc_ransomware.md


Use Case: Ransomware

Vendor: 1password

Product MITRE ATT&CK® TTP Content
1password T1078 - Valid Accounts
  • 1 Rules

Vendor: APC

Product MITRE ATT&CK® TTP Content
APC T1078 - Valid Accounts
  • 1 Rules

Vendor: AVI Networks

Product MITRE ATT&CK® TTP Content
AVI Networks Software Load Balancer T1078 - Valid Accounts
  • 1 Rules

Vendor: Absolute

Product MITRE ATT&CK® TTP Content
Absolute DDS T1078 - Valid Accounts
  • 1 Rules

Vendor: Accellion

Product MITRE ATT&CK® TTP Content
Kiteworks T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Airlock

Product MITRE ATT&CK® TTP Content
Airlock Security Access Hub T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Akamai

Product MITRE ATT&CK® TTP Content
Akamai Guardicore T1078 - Valid Accounts
  • 1 Rules
Cloud Akamai T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Amazon

Product MITRE ATT&CK® TTP Content
AWS Bastion T1078 - Valid Accounts
  • 1 Rules
AWS CloudTrail T1078 - Valid Accounts
  • 2 Rules
AWS CloudWatch T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
AWS Elastic Load Balancer T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
AWS WAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Apache

Product MITRE ATT&CK® TTP Content
Apache T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Apache Guacamole T1078 - Valid Accounts
  • 2 Rules

Vendor: AssetView

Product MITRE ATT&CK® TTP Content
AssetView T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Atlassian

Product MITRE ATT&CK® TTP Content
Atlassian T1078 - Valid Accounts
  • 1 Rules
Atlassian BitBucket T1078 - Valid Accounts
  • 1 Rules

Vendor: Auth0

Product MITRE ATT&CK® TTP Content
Auth0 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Avaya

Product MITRE ATT&CK® TTP Content
Avaya Ethernet Routing Switch T1078 - Valid Accounts
  • 1 Rules
Avaya VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: Axway

Product MITRE ATT&CK® TTP Content
Axway Gateway T1078 - Valid Accounts
  • 1 Rules

Vendor: Banyan Security

Product MITRE ATT&CK® TTP Content
Banyan Security T1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

Product MITRE ATT&CK® TTP Content
Barracuda Cloudgen Firewall T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

Product MITRE ATT&CK® TTP Content
BeyondInsight T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
BeyondTrust T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
BeyondTrust Privileged Identity T1078 - Valid Accounts
  • 1 Rules
BeyondTrust Remote Support T1078 - Valid Accounts
  • 1 Rules
BeyondTrust Secure Remote Access T1078 - Valid Accounts
  • 2 Rules

Vendor: Bitdefender

Product MITRE ATT&CK® TTP Content
GravityZone T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Bitglass

Product MITRE ATT&CK® TTP Content
Bitglass CASB T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: BlackBerry

Product MITRE ATT&CK® TTP Content
BlackBerry Protect T1078 - Valid Accounts
  • 1 Rules

Vendor: Box

Product MITRE ATT&CK® TTP Content
Box Cloud Content Management T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Bromium

Product MITRE ATT&CK® TTP Content
Bromium Secure Platform T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: CA Technologies

Product MITRE ATT&CK® TTP Content
CA Privileged Access Manager Server Control T1078 - Valid Accounts
  • 2 Rules

Vendor: CDS

Product MITRE ATT&CK® TTP Content
CDS T1078 - Valid Accounts
  • 1 Rules

Vendor: CatoNetworks

Product MITRE ATT&CK® TTP Content
Cato Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Check Point

Product MITRE ATT&CK® TTP Content
Check Point Identity Awareness T1078 - Valid Accounts
  • 1 Rules
Check Point NGFW T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Check Point Security Gateway T1078 - Valid Accounts
  • 1 Rules
Check Point vSEC Virtual Edition T1078 - Valid Accounts
  • 1 Rules

Vendor: Checkmarx

Product MITRE ATT&CK® TTP Content
Checkmarx T1078 - Valid Accounts
  • 2 Rules

Vendor: Cisco

Product MITRE ATT&CK® TTP Content
AnyConnect T1078 - Valid Accounts
  • 1 Rules
Cisco ACI T1078 - Valid Accounts
  • 1 Rules
Cisco ACS T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Cisco ADC T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Adaptive Security Appliance T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Cisco Cloud Web Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Firepower T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Cisco IOS T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Cisco ISE T1078 - Valid Accounts
  • 1 Rules
Cisco Meraki MX appliance T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Cisco Secure Network Analytics T1486 - Data Encrypted for Impact
  • 1 Rules
Cisco Secure Web Appliance T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Umbrella T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco Unified Communications Manager T1078 - Valid Accounts
  • 1 Rules
Duo Access T1078 - Valid Accounts
  • 2 Rules
IronPort Web Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Citrix

Product MITRE ATT&CK® TTP Content
Citrix Endpoint Management T1078 - Valid Accounts
  • 1 Rules
Citrix Gateway T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Citrix ShareFile T1078 - Valid Accounts
  • 2 Rules
Citrix Virtual Apps T1078 - Valid Accounts
  • 1 Rules
Citrix Virtual Desktop T1078 - Valid Accounts
  • 1 Rules

Vendor: Claroty

Product MITRE ATT&CK® TTP Content
CTD T1078 - Valid Accounts
  • 1 Rules

Vendor: Clearsense

Product MITRE ATT&CK® TTP Content
Clearsense T1078 - Valid Accounts
  • 2 Rules

Vendor: Click Studios

Product MITRE ATT&CK® TTP Content
Passwordstate T1078 - Valid Accounts
  • 1 Rules

Vendor: Cloudflare

Product MITRE ATT&CK® TTP Content
Cloudflare Insights T1078 - Valid Accounts
  • 1 Rules
Cloudflare WAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Code42

Product MITRE ATT&CK® TTP Content
Code42 Incydr T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Cognitas CrossLink

Product MITRE ATT&CK® TTP Content
Cognitas CrossLink T1078 - Valid Accounts
  • 1 Rules

Vendor: Cohesity

Product MITRE ATT&CK® TTP Content
Cohesity DataPlatform T1078 - Valid Accounts
  • 1 Rules

Vendor: CrowdStrike

Product MITRE ATT&CK® TTP Content
Falcon T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Identity Threat Detection & Response T1078 - Valid Accounts
  • 1 Rules

Vendor: CyberArk

Product MITRE ATT&CK® TTP Content
CyberArk Privilege Access Manager T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Darktrace

Product MITRE ATT&CK® TTP Content
Darktrace T1078 - Valid Accounts
  • 2 Rules

Vendor: Delinea

Product MITRE ATT&CK® TTP Content
Centrify Audit and Monitoring Service T1486 - Data Encrypted for Impact
  • 1 Rules
Centrify Authentication Service T1078 - Valid Accounts
  • 1 Rules
Centrify Infrastructure Services T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Centrify Zero Trust Privilege Services T1078 - Valid Accounts
  • 2 Rules
Thycotic Software Secret Server T1078 - Valid Accounts
  • 2 Rules

Vendor: Dell

Product MITRE ATT&CK® TTP Content
EMC Isilon T1486 - Data Encrypted for Impact
  • 1 Rules
Sonicwall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Digital Arts

Product MITRE ATT&CK® TTP Content
Digital Arts i-FILTER for Business T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Digital Guardian

Product MITRE ATT&CK® TTP Content
Digital Guardian Endpoint Protection T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Dropbox

Product MITRE ATT&CK® TTP Content
Dropbox T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Dtex Systems

Product MITRE ATT&CK® TTP Content
DTEX InTERCEPT T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: EMP

Product MITRE ATT&CK® TTP Content
EMP T1078 - Valid Accounts
  • 1 Rules

Vendor: ESET

Product MITRE ATT&CK® TTP Content
ESET Endpoint Security T1078 - Valid Accounts
  • 2 Rules

Vendor: ESector

Product MITRE ATT&CK® TTP Content
ESector DEFESA Logger T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: EdgeWave

Product MITRE ATT&CK® TTP Content
EdgeWave iPrism T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Egnyte

Product MITRE ATT&CK® TTP Content
Egnyte T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Entrust

Product MITRE ATT&CK® TTP Content
Entrust Identity Enterprise T1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

Product MITRE ATT&CK® TTP Content
Epic SIEM T1078 - Valid Accounts
  • 2 Rules

Vendor: Extreme Networks

Product MITRE ATT&CK® TTP Content
EXOS T1078 - Valid Accounts
  • 1 Rules
Zebra WLAN Management T1078 - Valid Accounts
  • 1 Rules

Vendor: F5

Product MITRE ATT&CK® TTP Content
F5 Access Policy Manager T1078 - Valid Accounts
  • 1 Rules
F5 Advanced Web Application Firewall T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
F5 Application Security Manager T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
F5 BIG-IP T1078 - Valid Accounts
  • 1 Rules
F5 WebSafe T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FTP

Product MITRE ATT&CK® TTP Content
FTP T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Fast Enterprises

Product MITRE ATT&CK® TTP Content
Fast Enterprises GenTax T1078 - Valid Accounts
  • 1 Rules

Vendor: FileAuditor

Product MITRE ATT&CK® TTP Content
FileAuditor T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: FireEye

Product MITRE ATT&CK® TTP Content
FireEye CMS T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
FireEye Endpoint Security (HX) T1486 - Data Encrypted for Impact
  • 1 Rules
FireEye Network Security (NX) T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: FireMon

Product MITRE ATT&CK® TTP Content
FireMon T1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

Product MITRE ATT&CK® TTP Content
Forcepoint CASB T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Websense Security Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Forescout

Product MITRE ATT&CK® TTP Content
EyeInspect T1078 - Valid Accounts
  • 1 Rules

Vendor: Fortinet

Product MITRE ATT&CK® TTP Content
FortiAuthenticator T1078 - Valid Accounts
  • 1 Rules
FortiGate T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
FortiSIEM T1078 - Valid Accounts
  • 1 Rules
Fortinet Enterprise Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Fortinet UTM T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Fortinet VPN T1078 - Valid Accounts
  • 1 Rules
Fortiweb Web Application Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FreeBSD

Product MITRE ATT&CK® TTP Content
FreeBSD T1078 - Valid Accounts
  • 1 Rules

Vendor: GitHub

Product MITRE ATT&CK® TTP Content
GitHub T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: GoAnywhere

Product MITRE ATT&CK® TTP Content
GoAnywhere MFT T1078 - Valid Accounts
  • 1 Rules

Vendor: Google

Product MITRE ATT&CK® TTP Content
GCP CloudAudit T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Google Cloud Platform T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Google Workspace T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: HP

Product MITRE ATT&CK® TTP Content
Aruba ClearPass Policy Manager T1078 - Valid Accounts
  • 2 Rules
Aruba Mobility Master T1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controller T1078 - Valid Accounts
  • 1 Rules
HP Virtual Connect Enterprise Manager T1078 - Valid Accounts
  • 1 Rules
HP iLO T1078 - Valid Accounts
  • 1 Rules
HPE Comware T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: HashiCorp

Product MITRE ATT&CK® TTP Content
HashiCorp Vault T1078 - Valid Accounts
  • 1 Rules
Terraform T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: HelpSystems

Product MITRE ATT&CK® TTP Content
Powertech Identity and Access Manager T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Huawei

Product MITRE ATT&CK® TTP Content
Huawei Unified Security Gateway T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: IBM

Product MITRE ATT&CK® TTP Content
DB2 T1078 - Valid Accounts
  • 1 Rules
IBM T1078 - Valid Accounts
  • 1 Rules
IBM Mainframe T1078 - Valid Accounts
  • 2 Rules
IBM Mobile Connect T1078 - Valid Accounts
  • 1 Rules
IBM Resource Access Control Facility T1078 - Valid Accounts
  • 2 Rules
Sametime T1078 - Valid Accounts
  • 2 Rules
Security Access Manager T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sterling B2B Integrator T1078 - Valid Accounts
  • 1 Rules

Vendor: Illumio

Product MITRE ATT&CK® TTP Content
Illumio Core T1078 - Valid Accounts
  • 1 Rules

Vendor: Imperva

Product MITRE ATT&CK® TTP Content
Imperva File Activity Monitoring T1486 - Data Encrypted for Impact
  • 1 Rules
Imperva Incapsula T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Imperva SecureSphere T1078 - Valid Accounts
  • 2 Rules

Vendor: Imprivata

Product MITRE ATT&CK® TTP Content
Imprivata T1078 - Valid Accounts
  • 2 Rules

Vendor: InfoWatch

Product MITRE ATT&CK® TTP Content
InfoWatch DLP T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Infoblox

Product MITRE ATT&CK® TTP Content
BloxOne DDI T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ipswitch

Product MITRE ATT&CK® TTP Content
MoveIt Transfer T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ivanti

Product MITRE ATT&CK® TTP Content
Ivanti Pulse Secure T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Jumpcloud

Product MITRE ATT&CK® TTP Content
Jumpcloud T1078 - Valid Accounts
  • 2 Rules

Vendor: Juniper Networks

Product MITRE ATT&CK® TTP Content
Juniper SRX Series T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Junos OS T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Kasada

Product MITRE ATT&CK® TTP Content
Kasada T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Kemp

Product MITRE ATT&CK® TTP Content
Kemp LoadMaster T1078 - Valid Accounts
  • 1 Rules

Vendor: LEAP

Product MITRE ATT&CK® TTP Content
LEAP T1078 - Valid Accounts
  • 1 Rules

Vendor: LOGBinder

Product MITRE ATT&CK® TTP Content
LOGBinder for SharePoint T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: LanScope

Product MITRE ATT&CK® TTP Content
LanScope Cat T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: LastPass

Product MITRE ATT&CK® TTP Content
LastPass T1078 - Valid Accounts
  • 2 Rules

Vendor: Lenel

Product MITRE ATT&CK® TTP Content
OnGuard T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: LiquidFiles

Product MITRE ATT&CK® TTP Content
LiquidFiles T1078 - Valid Accounts
  • 2 Rules

Vendor: LogMeIn

Product MITRE ATT&CK® TTP Content
RemotelyAnywhere T1078 - Valid Accounts
  • 1 Rules

Vendor: LogRhythm

Product MITRE ATT&CK® TTP Content
LogRhythm T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Malwarebytes

Product MITRE ATT&CK® TTP Content
Malwarebytes Endpoint Detection and Response T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: ManageEngine

Product MITRE ATT&CK® TTP Content
ADAuditPlus T1078 - Valid Accounts
  • 1 Rules
ADSSP T1078 - Valid Accounts
  • 2 Rules
PAM360 T1078 - Valid Accounts
  • 1 Rules

Vendor: MasterSAM

Product MITRE ATT&CK® TTP Content
MasterSAM PAM T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

Product MITRE ATT&CK® TTP Content
McAfee Endpoint Security T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
McAfee Enterprise Security Manager T1078 - Valid Accounts
  • 1 Rules
McAfee Network Security Platform T1078 - Valid Accounts
  • 2 Rules
McAfee Web Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Skyhigh Networks CASB T1078 - Valid Accounts
  • 2 Rules

Vendor: Menlo Security

Product MITRE ATT&CK® TTP Content
Menlo Security T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Microsoft

Product MITRE ATT&CK® TTP Content
Azure AD Activity Logs T1078 - Valid Accounts
  • 2 Rules
Azure AD Sign-In Logs T1078 - Valid Accounts
  • 2 Rules
Azure ATP T1078 - Valid Accounts
  • 2 Rules
Azure Container Registry T1078 - Valid Accounts
  • 2 Rules
Azure Key Vault T1078 - Valid Accounts
  • 1 Rules
Azure MFA T1078 - Valid Accounts
  • 2 Rules
Azure Monitor T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Azure Monitor - VM Insights T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Event Viewer - ADFS T1078 - Valid Accounts
  • 1 Rules
Event Viewer - Application T1078 - Valid Accounts
  • 1 Rules
Event Viewer - NPS T1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLM T1078 - Valid Accounts
  • 1 Rules
Event Viewer - OpenSSH T1078 - Valid Accounts
  • 1 Rules
Event Viewer - PowerShell T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Event Viewer - Security T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Event Viewer - TerminalServices-Gateway T1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-RemoteConnectionManager T1078 - Valid Accounts
  • 1 Rules
Event Viewer - WinNat T1078 - Valid Accounts
  • 1 Rules
M365 Audit Logs T1078 - Valid Accounts
  • 1 Rules
MSSQL T1078 - Valid Accounts
  • 1 Rules
Microsoft 365 T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Microsoft CAS T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Microsoft Defender for Endpoint T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Microsoft Exchange T1078 - Valid Accounts
  • 2 Rules
Microsoft IIS T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Microsoft RRAS T1078 - Valid Accounts
  • 1 Rules
Microsoft Sentinel T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Microsoft WMI Log T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Microsoft Web Application Proxy T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sysmon T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Web Application Proxy-TLS Gateway T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Mimecast

Product MITRE ATT&CK® TTP Content
Mimecast Secure Email Gateway T1078 - Valid Accounts
  • 2 Rules
Mimecast Targeted Threat Protection - URL T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: NCP

Product MITRE ATT&CK® TTP Content
NCP T1078 - Valid Accounts
  • 1 Rules

Vendor: NNT

Product MITRE ATT&CK® TTP Content
NNT ChangeTracker T1078 - Valid Accounts
  • 1 Rules

Vendor: Nasuni

Product MITRE ATT&CK® TTP Content
Nasuni T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetApp

Product MITRE ATT&CK® TTP Content
NetApp T1486 - Data Encrypted for Impact
  • 1 Rules
NetApp Ontap T1078 - Valid Accounts
  • 1 Rules

Vendor: NetDocs

Product MITRE ATT&CK® TTP Content
NetDocs T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetIQ

Product MITRE ATT&CK® TTP Content
Micro Focus NetIQ Identity Manager T1078 - Valid Accounts
  • 2 Rules

Vendor: NetMotion Wireless

Product MITRE ATT&CK® TTP Content
NetMotion Wireless T1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

Product MITRE ATT&CK® TTP Content
Netskope Security Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Netskope Webtx T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Netwrix

Product MITRE ATT&CK® TTP Content
Netwrix Auditor T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: NextDLP

Product MITRE ATT&CK® TTP Content
Reveal T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Nortel Contivity

Product MITRE ATT&CK® TTP Content
Nortel Contivity VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: Nutanix

Product MITRE ATT&CK® TTP Content
Nutanix Unified Storage T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Okta

Product MITRE ATT&CK® TTP Content
Okta Adaptive MFA T1078 - Valid Accounts
  • 2 Rules

Vendor: Onapsis

Product MITRE ATT&CK® TTP Content
Onapsis T1078 - Valid Accounts
  • 2 Rules

Vendor: OneLogin

Product MITRE ATT&CK® TTP Content
OneLogin T1078 - Valid Accounts
  • 2 Rules

Vendor: OneSpan

Product MITRE ATT&CK® TTP Content
OneSpan Sign T1078 - Valid Accounts
  • 1 Rules

Vendor: OneWelcome

Product MITRE ATT&CK® TTP Content
OneWelcome Cloud Identity Platform T1078 - Valid Accounts
  • 1 Rules

Vendor: Open VPN

Product MITRE ATT&CK® TTP Content
Open VPN T1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

Product MITRE ATT&CK® TTP Content
OpenDJ T1078 - Valid Accounts
  • 1 Rules

Vendor: OpenLDAP

Product MITRE ATT&CK® TTP Content
OpenLDAP T1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

Product MITRE ATT&CK® TTP Content
Oracle Access Management T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Oracle Public Cloud T1078 - Valid Accounts
  • 2 Rules
Solaris T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Osirium

Product MITRE ATT&CK® TTP Content
Osirium T1078 - Valid Accounts
  • 1 Rules

Vendor: Palo Alto Networks

Product MITRE ATT&CK® TTP Content
Cortex XDR T1078 - Valid Accounts
  • 1 Rules
GlobalProtect T1078 - Valid Accounts
  • 1 Rules
Palo Alto Aperture T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Palo Alto NGFW T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Prisma Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Prisma Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Password Manager Pro

Product MITRE ATT&CK® TTP Content
Password Manager Pro T1078 - Valid Accounts
  • 1 Rules

Vendor: Ping Identity

Product MITRE ATT&CK® TTP Content
Ping Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Ping Identity T1078 - Valid Accounts
  • 2 Rules
PingOne T1078 - Valid Accounts
  • 2 Rules

Vendor: PowerSentry

Product MITRE ATT&CK® TTP Content
PowerSentry T1078 - Valid Accounts
  • 2 Rules

Vendor: Progress

Product MITRE ATT&CK® TTP Content
Progress Database T1078 - Valid Accounts
  • 1 Rules

Vendor: Proofpoint

Product MITRE ATT&CK® TTP Content
ObserveIT T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Quest Software

Product MITRE ATT&CK® TTP Content
Quest Change Auditor for Active Directory T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: RSA

Product MITRE ATT&CK® TTP Content
RSA Authentication Manager T1078 - Valid Accounts
  • 2 Rules
RSA NetWitness Platform T1078 - Valid Accounts
  • 1 Rules
SecurID T1078 - Valid Accounts
  • 1 Rules

Vendor: RUID

Product MITRE ATT&CK® TTP Content
RUID T1078 - Valid Accounts
  • 1 Rules

Vendor: RangerAudit

Product MITRE ATT&CK® TTP Content
RangerAudit T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Rubrik

Product MITRE ATT&CK® TTP Content
Rubrik Cloud Data Management T1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

Product MITRE ATT&CK® TTP Content
SAP T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: SIGSCI

Product MITRE ATT&CK® TTP Content
SIGSCI T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Sailpoint

Product MITRE ATT&CK® TTP Content
IdentityNow T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
SecurityIQ T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Salesforce

Product MITRE ATT&CK® TTP Content
Salesforce T1078 - Valid Accounts
  • 2 Rules

Vendor: Sangfor

Product MITRE ATT&CK® TTP Content
Sangfor NGAF T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Secomea

Product MITRE ATT&CK® TTP Content
Secomea T1078 - Valid Accounts
  • 1 Rules

Vendor: SecurEnvoy

Product MITRE ATT&CK® TTP Content
SecurEnvoy Multi-Factor Authentication T1078 - Valid Accounts
  • 1 Rules

Vendor: Secure Computing

Product MITRE ATT&CK® TTP Content
Secure Computing SafeWord T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

Product MITRE ATT&CK® TTP Content
SecureAuth IDP T1078 - Valid Accounts
  • 1 Rules
SecureAuth Login T1078 - Valid Accounts
  • 2 Rules

Vendor: SecureLink

Product MITRE ATT&CK® TTP Content
SecureLink T1078 - Valid Accounts
  • 2 Rules

Vendor: SecureNet

Product MITRE ATT&CK® TTP Content
SecureNet T1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

Product MITRE ATT&CK® TTP Content
Semperis DSP T1078 - Valid Accounts
  • 2 Rules

Vendor: SentinelOne

Product MITRE ATT&CK® TTP Content
Singularity Platform T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Vigilance T1078 - Valid Accounts
  • 2 Rules

Vendor: ServiceNow

Product MITRE ATT&CK® TTP Content
ServiceNow T1078 - Valid Accounts
  • 2 Rules

Vendor: Shibboleth

Product MITRE ATT&CK® TTP Content
Shibboleth T1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

Product MITRE ATT&CK® TTP Content
Silverfort Authentication Platform T1078 - Valid Accounts
  • 2 Rules

Vendor: SiteMinder

Product MITRE ATT&CK® TTP Content
Symantec SiteMinder T1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

Product MITRE ATT&CK® TTP Content
SkySea ClientView T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Skyformation

Product MITRE ATT&CK® TTP Content
Skyformation T1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

Product MITRE ATT&CK® TTP Content
Skyhigh Security Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Sophos

Product MITRE ATT&CK® TTP Content
Sophos Endpoint Protection T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos UTM T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos XG Firewall T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Squid

Product MITRE ATT&CK® TTP Content
Squid T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: StealthBits

Product MITRE ATT&CK® TTP Content
StealthIntercept T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: SunOne

Product MITRE ATT&CK® TTP Content
SunOne T1078 - Valid Accounts
  • 1 Rules

Vendor: Swift

Product MITRE ATT&CK® TTP Content
Swift T1078 - Valid Accounts
  • 2 Rules

Vendor: Swivel

Product MITRE ATT&CK® TTP Content
Swivel T1078 - Valid Accounts
  • 2 Rules

Vendor: Symantec

Product MITRE ATT&CK® TTP Content
Blue Coat ProxySG T1078 - Valid Accounts
  • 1 Rules
Symantec Advanced Threat Protection T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Symantec CloudSOC T1078 - Valid Accounts
  • 2 Rules
Symantec Critical System Protection T1078 - Valid Accounts
  • 1 Rules
Symantec Endpoint Protection T1486 - Data Encrypted for Impact
  • 1 Rules
Symantec Fireglass T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Symantec VIP T1078 - Valid Accounts
  • 1 Rules
Symantec Web Security Service T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Tanium

Product MITRE ATT&CK® TTP Content
Tanium Cloud Platform T1078 - Valid Accounts
  • 2 Rules
Tanium Core Platform T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Tanium Integrity Monitor T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: Thales Group

Product MITRE ATT&CK® TTP Content
Gemalto MFA T1078 - Valid Accounts
  • 1 Rules

Vendor: Trend Micro

Product MITRE ATT&CK® TTP Content
Deep Discovery Inspector T1078 - Valid Accounts
  • 1 Rules
Deep Security T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
OfficeScan T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Vision One T1078 - Valid Accounts
  • 2 Rules

Vendor: Tufin

Product MITRE ATT&CK® TTP Content
Tufin SecureTrack T1078 - Valid Accounts
  • 1 Rules

Vendor: Tyco

Product MITRE ATT&CK® TTP Content
CCURE Building Management System T1078 - Valid Accounts
  • 1 Rules

Vendor: Unix

Product MITRE ATT&CK® TTP Content
Auditbeat T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Unix T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Unix Auditd T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: VMS Software

Product MITRE ATT&CK® TTP Content
OpenVMS T1078 - Valid Accounts
  • 1 Rules

Vendor: VMware

Product MITRE ATT&CK® TTP Content
Carbon Black App Control T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Carbon Black CES T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Carbon Black EDR T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1059 - Command and Scripting Interpreter
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
VMware AirWatch T1078 - Valid Accounts
  • 1 Rules
VMware ESXi T1078 - Valid Accounts
  • 1 Rules
VMware Horizon T1078 - Valid Accounts
  • 1 Rules
VMware View T1078 - Valid Accounts
  • 2 Rules
vCenter T1078 - Valid Accounts
  • 2 Rules

Vendor: Varonis

Product MITRE ATT&CK® TTP Content
Varonis Data Security Platform T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Vectra

Product MITRE ATT&CK® TTP Content
Vectra Cognito Stream T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Watchguard

Product MITRE ATT&CK® TTP Content
Watchguard T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Wazuh

Product MITRE ATT&CK® TTP Content
Wazuh T1078 - Valid Accounts
  • 1 Rules

Vendor: Weblogin

Product MITRE ATT&CK® TTP Content
Weblogin T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Wiz

Product MITRE ATT&CK® TTP Content
Wiz T1078 - Valid Accounts
  • 2 Rules

Vendor: Workday

Product MITRE ATT&CK® TTP Content
Workday T1078 - Valid Accounts
  • 2 Rules

Vendor: Xceedium

Product MITRE ATT&CK® TTP Content
Xceedium T1078 - Valid Accounts
  • 2 Rules

Vendor: Xiting

Product MITRE ATT&CK® TTP Content
XAMS T1078 - Valid Accounts
  • 2 Rules

Vendor: Zeek

Product MITRE ATT&CK® TTP Content
Zeek T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Zoom

Product MITRE ATT&CK® TTP Content
Zoom T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
  • 1 Rules

Vendor: Zscaler

Product MITRE ATT&CK® TTP Content
Zscaler Internet Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Zscaler Private Access T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: iBoss

Product MITRE ATT&CK® TTP Content
Iboss Cloud T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: oVirt

Product MITRE ATT&CK® TTP Content
oVirt T1078 - Valid Accounts
  • 2 Rules

Vendor: xsuite

Product MITRE ATT&CK® TTP Content
xsuite T1078 - Valid Accounts
  • 1 Rules