Vendor: CrowdStrike Product: Falcon Rules Models MITRE ATT&CK® TTPs Activity Types Parsers 620 161 139 26 26 Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content Abnormal Authentication & Access app-activity ↳crowdstrike-falcon-cef-app-activity-deleteuser ↳crowdstrike-falcon-cef-app-activity-createuser ↳crowdstrike-falcon-cef-app-activity-grantuserroles ↳crowdstrike-falcon-cef-app-activity-revokeuserroles ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped app-login ↳crowdstrike-falcon-leef-app-login-falconhost ↳crowdstrike-falcon-json-app-login-twofactorauthenticate ↳crowdstrike-falcon-sk4-app-login-success-validateentitlement ↳crowdstrike-falcon-sk4-endpoint-notification-timestamp ↳crowdstrike-falcon-sk4-endpoint-notification-timestamp ↳crowdstrike-falcon-sk4-endpoint-notification-timestamp ↳crowdstrike-falcon-sk4-endpoint-activity-customeridstring ↳crowdstrike-falcon-json-endpoint-activity-customeridstring ↳crowdstrike-falcon-sk4-alert-trigger-incidentsummaryevent ↳crowdstrike-falcon-json-alert-trigger-firewallmatchevent ↳crowdstrike-falcon-json-alert-trigger-success-reconnotification ↳crowdstrike-falcon-sk4-alert-trigger-firewallmatchevent ↳crowdstrike-falcon-sk4-peripheral-storage-activity-dcusb ↳crowdstrike-falcon-sk4-peripheral-storage-activity-dcusb ↳crowdstrike-falcon-sk4-peripheral-storage-activity-dcusb authentication-failed ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1 ↳crowdstrike-falcon-sk4-endpoint-login-userloginfail ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1 ↳crowdstrike-falcon-sk4-endpoint-login-userloginfail ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail ↳crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1 ↳crowdstrike-falcon-sk4-endpoint-login-userloginfail authentication-successful ↳crowdstrike-falcon-json-endpoint-login-userlogin ↳crowdstrike-falcon-json-process-close-terminateprocess ↳crowdstrike-falcon-cef-scheduled-task-modify-win failed-app-login ↳crowdstrike-falcon-leef-app-login-falconhost ↳crowdstrike-falcon-json-app-login-twofactorauthenticate local-logon ↳crowdstrike-falcon-json-endpoint-login-userlogin ↳crowdstrike-falcon-json-endpoint-login-userlogin remote-access ↳crowdstrike-falcon-json-endpoint-login-userlogin remote-logon ↳crowdstrike-falcon-json-endpoint-login-userlogin ↳crowdstrike-falcon-json-endpoint-login-userlogin ↳crowdstrike-falcon-json-process-create-processrollup2stats ↳crowdstrike-falcon-json-process-create-syntheticprocessrollup2 ↳crowdstrike-falcon-json-process-create-processrollup2stats ↳crowdstrike-falcon-json-process-create-syntheticprocessrollup2 ↳crowdstrike-falcon-json-process-close-terminateprocess ↳crowdstrike-falcon-json-process-close-terminateprocess ↳crowdstrike-falcon-json-endpoint-name-modify-hostnamechanged ↳crowdstrike-falcon-json-endpoint-name-modify-hostnamechanged ↳crowdstrike-falcon-json-endpoint-name-modify-hostnamechanged workstation-unlocked ↳crowdstrike-falcon-json-endpoint-login-userlogin T1021 - Remote ServicesT1078 - Valid AccountsT1078.002 - T1078.002T1078.003 - Valid Accounts: Local AccountsT1133 - External Remote Services 44 Rules18 Models Account Manipulation app-activity ↳crowdstrike-falcon-cef-app-activity-deleteuser ↳crowdstrike-falcon-cef-app-activity-createuser ↳crowdstrike-falcon-cef-app-activity-grantuserroles ↳crowdstrike-falcon-cef-app-activity-revokeuserroles ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-endpoint-logout-success-userlogoff ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped ↳crowdstrike-falcon-json-service-stop-success-hostedservicestopped process-created ↳crowdstrike-falcon-json-process-create-success-processroll ↳crowdstrike-falcon-json-process-create-success-syntheticprocessroll ↳crowdstrike-falcon-json-process-create-success-processrollup ↳crowdstrike-falcon-json-process-create-success-createservice ↳crowdstrike-falcon-json-process-create-success-servicestarted ↳crowdstrike-falcon-json-process-create-success-processroll ↳crowdstrike-falcon-json-process-create-success-syntheticprocessroll ↳crowdstrike-falcon-json-process-create-success-processrollup ↳crowdstrike-falcon-json-process-create-success-createservice ↳crowdstrike-falcon-json-process-create-success-servicestarted ↳crowdstrike-falcon-json-process-create-success-processrollup ↳crowdstrike-falcon-json-driver-load-success-driverload ↳crowdstrike-falcon-json-driver-load-success-driverload ↳crowdstrike-falcon-json-driver-load-success-driverload T1003 - OS Credential DumpingT1003.003 - T1003.003T1021.003 - T1021.003T1059.001 - Command and Scripting Interperter: PowerShellT1059.003 - T1059.003T1078 - Valid AccountsT1098 - Account ManipulationT1098.002 - Account Manipulation: Exchange Email Delegate PermissionsT1136 - Create AccountT1136.001 - Create Account: Create: Local AccountT1218.010 - Signed Binary Proxy Execution: Regsvr32T1531 - Account Access RemovalT1559.002 - T1559.002 16 Rules7 Models Next Page -->> MITRE ATT&CK® Framework for Enterprise Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact External Remote ServicesValid AccountsExploit Public Fasing ApplicationReplication Through Removable MediaPhishing Windows Management InstrumentationCommand and Scripting InterperterScheduled Task/JobInter-Process CommunicationSystem ServicesExploitation for Client ExecutionUser ExecutionScheduled Task/Job: Scheduled TaskCommand and Scripting Interperter: PowerShellScheduled Task/Job: At (Windows) Pre-OS BootCreate AccountCreate or Modify System ProcessExternal Remote ServicesValid AccountsHijack Execution FlowServer Software Component: Web ShellAccount ManipulationBITS JobsCreate or Modify System Process: Windows ServiceScheduled Task/JobServer Software ComponentEvent Triggered ExecutionBoot or Logon Autostart ExecutionCreate Account: Create: Local AccountAccount Manipulation: Exchange Email Delegate Permissions Access Token Manipulation: Token Impersonation/TheftCreate or Modify System ProcessValid AccountsAccess Token ManipulationExploitation for Privilege EscalationHijack Execution FlowGroup Policy ModificationProcess InjectionScheduled Task/JobAbuse Elevation Control MechanismEvent Triggered ExecutionBoot or Logon Autostart ExecutionProcess Injection: Dynamic-link Library InjectionAbuse Elevation Control Mechanism: Bypass User Account Control Hide ArtifactsIndirect Command ExecutionImpair DefensesIndicator Removal on Host: Clear Windows Event LogsGroup Policy ModificationTrusted Developer Utilities Proxy ExecutionMasquerading: Match Legitimate Name or LocationMasquerading: Rename System UtilitiesFile and Directory Permissions Modification: Windows File and Directory Permissions ModificationObfuscated Files or Information: Compile After DeliveryObfuscated Files or Information: Indicator Removal from ToolsHijack Execution Flow: DLL Side-LoadingIndicator Removal on Host: File DeletionMasqueradingValid AccountsModify RegistryBITS JobsUse Alternate Authentication MaterialHide Artifacts: NTFS File AttributesUse Alternate Authentication Material: Pass the HashIndicator Removal on HostUse Alternate Authentication Material: Pass the TicketPre-OS BootFile and Directory Permissions ModificationDeobfuscate/Decode Files or InformationAbuse Elevation Control MechanismImpair Defenses: Disable or Modify System FirewallObfuscated Files or InformationSigned Binary Proxy Execution: Compiled HTML FileAccess Token ManipulationHijack Execution FlowProcess InjectionValid Accounts: Local AccountsSigned Binary Proxy Execution: MsiexecSigned Binary Proxy ExecutionSigned Binary Proxy Execution: Regsvcs/RegasmSigned Binary Proxy Execution: CMSTPSigned Binary Proxy Execution: Control PanelSigned Binary Proxy Execution: InstallUtilSigned Binary Proxy Execution: Regsvr32Trusted Developer Utilities Proxy Execution: MSBuildSigned Binary Proxy Execution: Rundll32 OS Credential DumpingUnsecured CredentialsSteal or Forge Kerberos TicketsCredentials from Password StoresSteal or Forge Kerberos Tickets: KerberoastingNetwork Sniffing Account DiscoveryDomain Trust DiscoverySystem Service DiscoverySystem Network Connections DiscoveryAccount Discovery: Local AccountAccount Discovery: Domain AccountFile and Directory DiscoveryNetwork SniffingSystem Information DiscoveryNetwork Share DiscoveryQuery RegistryProcess DiscoverySystem Owner/User DiscoverySoftware DiscoveryRemote System DiscoverySystem Network Configuration Discovery Exploitation of Remote ServicesRemote Service Session HijackingRemote ServicesRemote Services: SMB/Windows Admin SharesUse Alternate Authentication MaterialRemote Services: Remote Desktop ProtocolReplication Through Removable Media Screen CaptureEmail CollectionAudio CaptureArchive Collected DataEmail Collection: Email Forwarding Rule Protocol TunnelingApplication Layer Protocol: DNSApplication Layer Protocol: File Transfer ProtocolsApplication Layer Protocol: Web ProtocolsRemote Access SoftwareDynamic ResolutionIngress Tool TransferDynamic Resolution: Domain Generation AlgorithmsProxy: Multi-hop ProxyApplication Layer ProtocolProxy Exfiltration Over Alternative ProtocolExfiltration Over Physical Medium: Exfiltration over USBExfiltration Over C2 ChannelExfiltration Over Physical Medium Account Access RemovalData DestructionResource HijackingData Encrypted for ImpactInhibit System Recovery