Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8)

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as healthcare, finance and government, where compliance requirements demand stringent tracking of user and system activities. This mitigation can be implemented through the following measures:

System Audit:

  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark or Zeek to monitor and log suspicious network behavior.
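One way to turn the configuration, software and permission audits above into automated deviation checks against a benchmark, as an added example that is not code from the MISP galaxy or MITRE ATT&CK; the benchmark settings, version floors, broad-principal list and host inventory are all constructed for illustration:

```python
# Added example: a benchmark-deviation audit over a constructed host inventory,
# covering the configuration, software and permission audits described above.
# Not code from the MISP galaxy or MITRE ATT&CK; every value below is constructed.
from __future__ import annotations
from dataclasses import dataclass
from itertools import takewhile

@dataclass(frozen=True)
class Finding:
    host: str
    audit: str   # "configuration", "software" or "permission"
    rule: str    # benchmark item or object that deviated
    detail: str  # observed value versus what the benchmark expects

# Constructed benchmark: expected value of each audited setting.
BENCHMARK_SETTINGS = {
    "smbv1_enabled": False,  # legacy SMBv1 must be off
    "mfa_enforced": True,    # MFA required for interactive logons
    "audit_logging": True,   # event logging must stay enabled
}
# Constructed version floors (not real vendor support data).
MIN_SOFTWARE_VERSION = {"openssh": (9, 0), "nginx": (1, 24)}
# Constructed set of principals that must never hold write access.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users"}

def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.24' or '8.9p1' into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def audit_configuration(host: dict) -> list[Finding]:
    """Configuration audit: every setting must match the benchmark exactly.
    A missing setting is reported too, since 'unknown' is not 'compliant'."""
    settings = host.get("settings", {})
    return [Finding(host["name"], "configuration", key,
                    f"expected {expected}, found {settings.get(key)}")
            for key, expected in BENCHMARK_SETTINGS.items()
            if settings.get(key) != expected]

def audit_software(host: dict) -> list[Finding]:
    """Software audit: flag versions below the floor and packages not in the inventory."""
    findings = []
    for name, version in host.get("software", {}).items():
        floor = MIN_SOFTWARE_VERSION.get(name)
        if floor is None:
            findings.append(Finding(host["name"], "software", name,
                                    f"{version} is not an approved package"))
        elif parse_version(version) < floor:
            findings.append(Finding(host["name"], "software", name,
                                    f"{version} is below minimum {'.'.join(map(str, floor))}"))
    return findings

def audit_permissions(host: dict) -> list[Finding]:
    """Permission audit: broad principals must not have write rights on any path."""
    return [Finding(host["name"], "permission", f"{acl['path']}:{acl['principal']}",
                    f"broad principal holds '{acl['rights']}'")
            for acl in host.get("acls", [])
            if acl["principal"] in BROAD_PRINCIPALS and "w" in acl["rights"]]

def run_audit(inventory: list[dict]) -> list[Finding]:
    """Run all three audits over every host and collect the deviations."""
    findings: list[Finding] = []
    for host in inventory:
        findings += audit_configuration(host) + audit_software(host) + audit_permissions(host)
    return findings

def non_compliant_hosts(findings: list[Finding]) -> set[str]:
    return {f.host for f in findings}

# Constructed inventory: three hosts, two of which deviate from the benchmark.
CONSTRUCTED_INVENTORY = [
    {"name": "fs01",
     "settings": {"smbv1_enabled": True, "mfa_enforced": True, "audit_logging": True},
     "software": {"openssh": "8.9p1", "nginx": "1.24"},
     "acls": [{"path": "/srv/finance", "principal": "Everyone", "rights": "rw"},
              {"path": "/srv/finance", "principal": "finance-team", "rights": "rw"}]},
    {"name": "web01",
     "settings": {"smbv1_enabled": False, "mfa_enforced": False, "audit_logging": True},
     "software": {"nginx": "1.26", "legacy-agent": "2.1"},
     "acls": [{"path": "/var/www", "principal": "web-deploy", "rights": "rw"}]},
    {"name": "db01",
     "settings": {"smbv1_enabled": False, "mfa_enforced": True, "audit_logging": True},
     "software": {"openssh": "9.6"}, "acls": []},
]

if __name__ == "__main__":
    for f in run_audit(CONSTRUCTED_INVENTORY):
        print(f"{f.host:6} {f.audit:13} {f.rule}: {f.detail}")
```

In a real deployment the inventory records would come from a configuration-management or vulnerability-scanning tool rather than a literal, and the findings would be written to the audit log that the analysts review.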

Cluster A Galaxy A Cluster B Galaxy B Level
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Browser Fingerprint - T1036.012 (afac5dbc-4383-4fb6-9ba6-45b25d49e530) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action IDE Extensions - T1176.002 (66b34be7-6915-4b83-8d5a-b0f0592b5e41) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Resource Hierarchy - T1666 (0ce73446-8722-4086-9d43-514f1d0f669e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action ROMMONkit - T1542.004 (a6557c75-798f-42e4-be70-ab4502e0a3bc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Network Device Firewall - T1562.013 (a0f84e1d-d25c-4dd1-bb26-3c0e68471530) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Browser Fingerprint - T1036.012 (afac5dbc-4383-4fb6-9ba6-45b25d49e530) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 2
Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 2
IDE Extensions - T1176.002 (66b34be7-6915-4b83-8d5a-b0f0592b5e41) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern 2
ROMMONkit - T1542.004 (a6557c75-798f-42e4-be70-ab4502e0a3bc) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 2
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern 2
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern 2
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 2
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Network Device Firewall - T1562.013 (a0f84e1d-d25c-4dd1-bb26-3c0e68471530) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 2
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2
Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 2
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2