Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
---|---|---|---|---|
811 | 192 | 139 | 24 | 24 |
Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
---|---|---|---|
Abnormal Authentication & Access | app-activity ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 app-login ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login-3 ↳s-crowdstrike-app-login-2 ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳s-crowdstrike-app-login-10 ↳leef-crowdstrike-app-login ↳s-crowdstrike-app-login-5 authentication-failed ↳crowdstrike-auth-failed-1 ↳crowdstrike-auth-failed-2 ↳s-crowdstrike-failed-logon failed-app-login ↳s-crowdstrike-app-login-1 ↳cef-crowdstrike-app-login ↳s-crowdstrike-app-login ↳s-crowdstrike-app-login-4 ↳s-crowdstrike-app-login-7 ↳s-crowdstrike-app-login-6 ↳s-crowdstrike-app-login-9 ↳s-crowdstrike-app-login-8 ↳leef-crowdstrike-app-login local-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 remote-access ↳crowdstrike-logon ↳crowdstrike-logon-2 remote-logon ↳crowdstrike-logon ↳crowdstrike-logon-2 |
T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services |
|
Account Manipulation | app-activity ↳cef-crowdstrike-app-activity ↳crowdstrike-app-activity-9 ↳crowdstrike-app-activity-8 ↳crowdstrike-app-activity-7 ↳crowdstrike-app-activity ↳crowdstrike-app-activity-4 ↳crowdstrike-app-activity-3 ↳crowdstrike-app-activity-2 ↳crowdstrike-app-activity-11 ↳crowdstrike-app-activity-1 ↳crowdstrike-app-activity-10 process-created ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created |
T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021.003 - T1021.003 T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1531 - Account Access Removal T1559.002 - T1559.002 |
|
Audit Tampering | process-created ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created |
T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006 |
|
Cryptomining | process-created ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created |
T1496 - Resource Hijacking |
|
Destruction of Data | file-delete ↳crowdstrike-file-delete-1 ↳crowdstrike-file-operations-1 |
T1070.004 - Indicator Removal on Host: File Deletion T1485 - Data Destruction |
|
Evasion | process-created ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created |
T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484.001 - T1484.001 T1542.003 - T1542.003 T1543.003 - Create or Modify System Process: Windows Service T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow |
|
Phishing | process-created ↳crowdstrike-service-created-1 ↳crowdstrike-service-created ↳crowdstrike-process-created-2 ↳crowdstrike-process-created-1 ↳crowdstrike-process-created |
T1566.001 - T1566.001 |
|
Next Page -->> |