r_m_microsoft_iis_Lateral_Movement.md

Vendor: Microsoft

Product: IIS

Use-Case: Lateral Movement

Rules	Models	MITRE TTPs	Event Types	Parsers
16	7	2	2	2

Event Type	Rules	Models
network-connection-failed	T1071 - Application Layer Protocol ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NETF-TI-H-Outbound: Outbound failed connection to a known malicious host ↳ A-NETF-OsH-Outbound-F: First failed outbound connection for host in the organization ↳ A-NETF-OsH-Outbound-A: Abnormal outbound connection from host failed in the organization ↳ A-NETF-HsH-Outbound-F: First failed outbound connection for host ↳ A-NETF-HsH-Outbound-A: Abnormal outbound connection from host failed ↳ A-NETF-OsZ-Outbound-F: First failed outbound connection from zone ↳ A-NETF-OsZ-Outbound-A: Abnormal outbound connection from zone failed T1090.002 - Proxy: External Proxy ↳ A-NETF-HCountry-Outbound-F: First failed outbound connection to this country from asset ↳ A-NETF-HCountry-Outbound-A: Outbound connection to abnormal country for asset has failed ↳ A-NETF-OCountry-Outbound-F: First failed outbound connection to this country from organization ↳ A-NETF-OCountry-Outbound-A: Outbound connection to abnormal country for the organization has failed ↳ A-NETF-ZCountry-Outbound-A: Outbound connection to abnormal country for the zone has failed ↳ A-NETF-ZCountry-Outbound-F: First failed outbound connection to this country from zone ↳ A-NETF-ZsH-Outbound-F: First failed outbound connection for host in the zone ↳ A-NETF-ZsH-Outbound-A: Abnormal outbound connection from host failed in the zone	• A-NET-OsZ-Outbound: Outbound communicating zones in the organization • A-NET-HsH-Outbound: Outbound communicating hosts for the asset • A-NET-ZsH-Outbound: Outbound communicating hosts in the zone • A-NET-OsH-Outbound: Outbound communicating hosts • A-NETF-ZCountry-Outbound: Failed outbound country per zone • A-NETF-OCountry-Outbound: Failed outbound country per organization • A-NETF-HCountry-Outbound: Failed outbound country per asset