Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 14.2 KB

ds_cisco_duo_access_security.md

File metadata and controls

19 lines (17 loc) · 14.2 KB

Vendor: Cisco

Product: Duo Access Security

Rules Models MITRE TTPs Event Types Parsers
168 83 25 7 7
Use-Case Event Types/Parsers MITRE TTP Content
Abnormal Authentication & Access app-login
q-duo-failed-app-login
duo-failed-app-login
s-duo-failed-app-login-1
s-duo-failed-app-login
cef-duo-failed-app-login-1
cef-duo-app-activity

authentication-failed
q-duo-auth-successful
cef-duo-authentication
s-duo-app-activity
q-duo-app-activity-4
q-duo-app-activity-3
q-duo-app-activity-5
duo-app-activity
q-duo-app-activity-2
q-duo-app-activity-1
cef-duo-app-activity

authentication-successful
s-duo-auth-successful
s-duo-auth-set-ip
json-duo-auth-attempt
u-duo-auth-json
cef-duo-auth
s-duo-auth-json
s-duo-auth-json-1
json-duo-auth-attempt
u-duo-auth-json
cef-duo-auth
s-duo-auth-json
s-duo-auth-json-1
q-duo-auth-failed
cef-duo-authentication

failed-logon
cef-duo-VPN-login

file-delete
cef-duo-app-activity

vpn-login
cef-duo-VPN-login-failed

vpn-logout
q-duo-app-login
duo-app-login
cef-duo-app-login
s-duo-app-login
cef-duo-app-login-1
cef-duo-app-activity
 T1021 - Remote Services
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 74 Rules
  • 36 Models
Account Manipulation app-login
q-duo-failed-app-login
duo-failed-app-login
s-duo-failed-app-login-1
s-duo-failed-app-login
cef-duo-failed-app-login-1
cef-duo-app-activity

authentication-failed
q-duo-auth-successful
cef-duo-authentication
s-duo-app-activity
q-duo-app-activity-4
q-duo-app-activity-3
q-duo-app-activity-5
duo-app-activity
q-duo-app-activity-2
q-duo-app-activity-1
cef-duo-app-activity

authentication-successful
s-duo-auth-successful
s-duo-auth-set-ip
json-duo-auth-attempt
u-duo-auth-json
cef-duo-auth
s-duo-auth-json
s-duo-auth-json-1
json-duo-auth-attempt
u-duo-auth-json
cef-duo-auth
s-duo-auth-json
s-duo-auth-json-1
q-duo-auth-failed
cef-duo-authentication

failed-logon
cef-duo-VPN-login

file-delete
cef-duo-app-activity

vpn-login
cef-duo-VPN-login-failed

vpn-logout
q-duo-app-login
duo-app-login
cef-duo-app-login
s-duo-app-login
cef-duo-app-login-1
cef-duo-app-activity
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 7 Models
Next Page -->>

ATT&CK Matrix for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Phishing

 User Execution

 External Remote Services

Valid Accounts

Account Manipulation

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Exploitation for Privilege Escalation

 Indicator Removal on Host: File Deletion

Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Web Session Cookie

Use Alternate Authentication Material: Pass the Ticket

 OS Credential Dumping

Brute Force

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: Kerberoasting

 File and Directory Discovery

 Exploitation of Remote Services

Remote Services

Use Alternate Authentication Material

 Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over Physical Medium: Exfiltration over USB

Data Transfer Size Limits

Exfiltration Over Physical Medium

Automated Exfiltration