Vendor: Netwrix

Product: Netwrix Auditor

| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 204 | 76 | 29 | 13 | 13 |

| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | account-disabled ↳ netwrix-ad-account-disabled; account-lockout ↳ netwrix-ad-account-lockout; account-password-reset ↳ netwrix-ad-password-reset; account-unlocked ↳ netwrix-ad-account-unlocked; app-activity ↳ netwrix-app-activity-5 ↳ netwrix-app-activity-4 ↳ netwrix-app-activity-3 ↳ netwrix-app-activity-2 ↳ netwrix-app-activity-1; app-login ↳ netwrix-app-login; failed-app-login ↳ netwrix-failed-app-login; failed-logon ↳ netwrix-db-activity; member-added ↳ netwrix-ad-member-added-2 ↳ netwrix-ad-member-added; member-removed ↳ netwrix-ad-member-removed | T1078 - Valid Accounts; T1110 - Brute Force; T1133 - External Remote Services | 21 Rules; 6 Models |
| Account Manipulation | account-password-reset ↳ netwrix-ad-password-reset; app-activity ↳ netwrix-app-activity-5 ↳ netwrix-app-activity-4 ↳ netwrix-app-activity-3 ↳ netwrix-app-activity-2 ↳ netwrix-app-activity-1; ds-access ↳ netwrix-ad-ds-access ↳ netwrix-group-policy-change; member-added ↳ netwrix-ad-member-added-2 ↳ netwrix-ad-member-added; member-removed ↳ netwrix-ad-member-removed | T1098 - Account Manipulation; T1098.002 - Account Manipulation: Exchange Email Delegate Permissions; T1136 - Create Account; T1207 - Rogue Domain Controller; T1484 - Group Policy Modification | 59 Rules; 29 Models |
| Brute Force Attack | account-lockout ↳ netwrix-ad-account-lockout; failed-logon ↳ netwrix-db-activity | T1021.001 - Remote Services: Remote Desktop Protocol; T1110 - Brute Force; T1110.003 - T1110.003 | 10 Rules |
| Data Exfiltration | file-write ↳ netwrix-file-activity | TA0002 - TA0002 | 2 Rules; 1 Models |
| Data Leak | app-activity ↳ netwrix-app-activity-5 ↳ netwrix-app-activity-4 ↳ netwrix-app-activity-3 ↳ netwrix-app-activity-2 ↳ netwrix-app-activity-1; file-write ↳ netwrix-file-activity | T1114.001 - T1114.001; T1114.003 - Email Collection: Email Forwarding Rule | 4 Rules |
| Destruction of Data | file-delete ↳ netwrix-file-activity | T1070.004 - Indicator Removal on Host: File Deletion; T1485 - Data Destruction | 1 Rules |
| Privilege Escalation | app-activity ↳ netwrix-app-activity-5 ↳ netwrix-app-activity-4 ↳ netwrix-app-activity-3 ↳ netwrix-app-activity-2 ↳ netwrix-app-activity-1; failed-logon ↳ netwrix-db-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions; T1210 - Exploitation of Remote Services | 4 Rules; 1 Models |

MITRE ATT&CK® Framework for Enterprise

| Tactic | Techniques |
|---|---|
| Initial Access | External Remote Services; Valid Accounts; Exploit Public-Facing Application |
| Execution | |
| Persistence | Create Account; External Remote Services; Valid Accounts; Server Software Component: Web Shell; Account Manipulation; Server Software Component; Boot or Logon Autostart Execution; Account Manipulation: Exchange Email Delegate Permissions |
| Privilege Escalation | Valid Accounts; Exploitation for Privilege Escalation; Group Policy Modification; Boot or Logon Autostart Execution |
| Defense Evasion | Group Policy Modification; Rogue Domain Controller; Indicator Removal on Host: File Deletion; Valid Accounts; Use Alternate Authentication Material; Use Alternate Authentication Material: Pass the Hash; Indicator Removal on Host; Use Alternate Authentication Material: Pass the Ticket |
| Credential Access | OS Credential Dumping; Brute Force; Steal or Forge Kerberos Tickets; OS Credential Dumping: DCSync |
| Discovery | File and Directory Discovery |
| Lateral Movement | Exploitation of Remote Services; Remote Services; Use Alternate Authentication Material; Remote Services: Remote Desktop Protocol |
| Collection | Email Collection; Email Collection: Email Forwarding Rule |
| Command and Control | Proxy: Multi-hop Proxy; Proxy |
| Exfiltration | |
| Impact | Data Destruction; Data Encrypted for Impact |