Skip to content

Hide Navigation Hide TOC

Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8)

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
Cluster A Galaxy A Cluster B Galaxy B Level
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Network Device Firewall - T1686.002 (a29aa77c-a88d-4f19-bab9-7751941b2e2d) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 1
Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Browser Fingerprint - T1036.012 (afac5dbc-4383-4fb6-9ba6-45b25d49e530) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action IDE Extensions - T1176.002 (66b34be7-6915-4b83-8d5a-b0f0592b5e41) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Resource Hierarchy - T1666 (0ce73446-8722-4086-9d43-514f1d0f669e) Attack Pattern 1
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cloud Firewall - T1686.001 (ee474564-64be-4b83-a958-53f238f49b01) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action ROMMONkit - T1542.004 (a6557c75-798f-42e4-be70-ab4502e0a3bc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Linux Audit System Log - T1685.004 (23d69d00-80c4-42ff-9dac-dbd0459dad75) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern 1
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d) Attack Pattern Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Social Engineering - T1684 (41e4d77a-6275-4976-9e35-785985598519) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 1
Audit - M1047 (cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8) Course of Action Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern 1
Network Device Firewall - T1686.002 (a29aa77c-a88d-4f19-bab9-7751941b2e2d) Attack Pattern Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 2
Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 2
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Browser Fingerprint - T1036.012 (afac5dbc-4383-4fb6-9ba6-45b25d49e530) Attack Pattern 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
IDE Extensions - T1176.002 (66b34be7-6915-4b83-8d5a-b0f0592b5e41) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern 2
Cloud Firewall - T1686.001 (ee474564-64be-4b83-a958-53f238f49b01) Attack Pattern Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern ROMMONkit - T1542.004 (a6557c75-798f-42e4-be70-ab4502e0a3bc) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Linux Audit System Log - T1685.004 (23d69d00-80c4-42ff-9dac-dbd0459dad75) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 2
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern 2
SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) Attack Pattern 2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 2
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 2
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2
Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2