r_m_skysea_clientview_Evasion.md

Vendor: SkySea

Product: ClientView

Use-Case: Evasion

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|:-----:|:------:|:----------:|:-----------:|:-------:|
| 7 | 1 | 2 | 12 | 12 |

| Event Type | Rules | Models |
|------------|-------|--------|
| app-activity | T1090.003 - Proxy: Multi-hop Proxy<br>Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| app-login | T1090.003 - Proxy: Multi-hop Proxy<br>Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>WEB-OUa-OS-F: First web activity using this operating system for the organization<br>WEB-URank-Tor: User has accessed a tor-to-web proxy site<br><br>T1090.003 - Proxy: Multi-hop Proxy<br>A-NET-TOR-Outbound: Outbound connection to a known TOR IP<br>A-WEB-TorProxy: Asset has accessed a known Tor web proxy<br>WEB-UD-TorProxy: User has accessed a known Tor web proxy<br>WEB-UI-Tor: User has accessed a known Tor exit node<br>WEB-URank-Tor: User has accessed a tor-to-web proxy site | WEB-OUa-OS: Top operating systems being used to connect to the web for the organization |