Skip to content

Latest commit

 

History

History
22 lines (20 loc) · 45.2 KB

ds_cisco_adaptive_security_appliance.md

File metadata and controls

22 lines (20 loc) · 45.2 KB
Raw

Vendor: Cisco

Product: Adaptive Security Appliance

Rules Models MITRE ATT&CK® TTPs Event Types Parsers
756 162 142 13 13
Use-Case Event Types/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access authentication-failed
cisco-asa-113015
cisco-2960-auth-failed-1
cisco-2960-auth-failed
cisco-asa-auth-failed

authentication-successful
cisco-2960-auth-successful
cef-cisco-asa-auth-successful
cisco-asa-auth-successful
cisco-asa-authentication-successful

failed-logon
cisco-ssh-login

failed-vpn-login
raw-asa-113005
raw-asa-113005-1
raw-asa-113005-2
cisco-ftd-716039

nac-logon
cisco-fpr-113004
cef-asa-113004-vpn-start
raw-asa-113004-vpn-start

remote-logon
s-asa-605005
cisco-ssh-login

vpn-login
cef-asa-svc-vpn-start
asa-aaa-vpn-start
raw-asa-713228-vpn-start
asa-nap-cef-vpn-start
cef-cisco-asa-722041-vpn-login
asa-svc-vpn-716059-start
asa-nap-cef-7.1.7-vpn-start
asa-svc-vpn-751025-start
cef-cisco-asa-113039-vpn-start
r-asa-aaa-vpn-start
cisco-asa-vpn-login
cisco-ftd-721016
asa-svc-vpn-716038-start
cef-cisco-asa-721016-vpn-start
asa-svc-vpn-716001-start
raw-asa-svc-vpn-start
asa-aaa-cef-vpn-start
raw-cisco-vpnconcentrator-start
asa-svc-vpn-start-iPhone
q-asa-6-113039-vpn-start
n-forwarded-cef-asa-svc-vpn-start
n-forwarded-cef-asa-nap-vpn-start
raw-asa-713184-vpn-start

vpn-logout
q-asa-722037-vpn-end
raw-cisco-vpnconcentrator-end
asa-svc-cef-7.1.7-vpn-end
asa-aaa-vpn-stop
raw-asa-nap-vpn-end
r-asa-aaa-vpn-end
n-forwarded-cef-asa-nap-vpn-end
n-forwarded-cef-asa-svc-vpn-end
asa-nap-cef-vpn-end
asa-svc-cef-vpn-close
cisco-ftd-721018
raw-asa-svc-vpn-end
asa-svc-vpn-713050-end
asa-svc-vpn-716002-end

web-activity-denied
asa-web-activity-716003
 T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 63 Rules
  • 25 Models
Account Manipulation process-created
cisco-ftd-process-created-1
cisco-asa-process-created
cisco-ftd-process-created-2
cisco-asa-process-created-1
cisco-ftd-process-created

vpn-logout
q-asa-722037-vpn-end
raw-cisco-vpnconcentrator-end
asa-svc-cef-7.1.7-vpn-end
asa-aaa-vpn-stop
raw-asa-nap-vpn-end
r-asa-aaa-vpn-end
n-forwarded-cef-asa-nap-vpn-end
n-forwarded-cef-asa-svc-vpn-end
asa-nap-cef-vpn-end
asa-svc-cef-vpn-close
cisco-ftd-721018
raw-asa-svc-vpn-end
asa-svc-vpn-713050-end
asa-svc-vpn-716002-end
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 22 Rules
  • 13 Models
Audit Tampering process-created
cisco-ftd-process-created-1
cisco-asa-process-created
cisco-ftd-process-created-2
cisco-asa-process-created-1
cisco-ftd-process-created
 T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
  • 7 Rules
Cryptomining process-created
cisco-ftd-process-created-1
cisco-asa-process-created
cisco-ftd-process-created-2
cisco-asa-process-created-1
cisco-ftd-process-created

web-activity-denied
asa-web-activity-716003
 T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 4 Rules
Evasion process-created
cisco-ftd-process-created-1
cisco-asa-process-created
cisco-ftd-process-created-2
cisco-asa-process-created-1
cisco-ftd-process-created
 T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484.001 - T1484.001
T1542.003 - T1542.003
T1543.003 - Create or Modify System Process: Windows Service
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 71 Rules
  • 3 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Hijack Execution Flow: DLL Side-Loading

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Valid Accounts: Local Accounts

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Brute Force

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Internal Spearphishing

 Screen Capture

Audio Capture

Archive Collected Data

 Web Service

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Exfiltration Over C2 Channel

Exfiltration Over Physical Medium

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Account Access Removal

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery