Phishing
Uses targeted social engineering themes to obtain access or deliver malicious files. Defensive review should focus on mail telemetry, sender reputation, and user-reporting workflows.
MITRE ATT&CK explorer
Review defensive behavior mappings from the local dataset. Filter by tactic, search by technique ID, and jump back into the related actor profile.
Suspicious script execution can appear after initial user interaction. SOC teams should correlate script launches with file downloads and unusual parent processes.
Credential theft activity is represented at a high level for monitoring. Analysts should review endpoint and identity alerts for unusual credential access patterns.
Packed or encoded files can reduce visibility. Detection should prioritize suspicious file creation, unsigned binaries, and uncommon execution paths.
Compromised accounts can enable remote access. Defenders should monitor impossible travel, first-seen devices, and unusual administrator sessions.
Lateral movement is modeled defensively through unusual remote session patterns and access to systems outside normal user behavior.
Data theft used as extortion leverage can precede the impact stage. Analysts should review bulk archive creation, outbound transfer anomalies, and DLP events.
File encryption is represented as an impact-stage behavior. Detection should focus on abnormal rename bursts and backup access changes.
Targeted links may lead to credential collection pages. Defenders should monitor suspicious domains, sender anomalies, and identity risk signals.
Credential harvesting and password spraying are represented as identity telemetry patterns for SOC triage.
Public-facing application alerts should be triaged through patch posture, web logs, and unusual authentication activity.
Directory and mailbox enumeration can be detected through cloud audit logs and unusual query volume.
Phishing is represented as a high-level initial access pattern. Defenders should review email telemetry, user reports, and suspicious authentication events.
Use of valid accounts should be monitored through first-seen devices, impossible travel, and unusual access to sensitive cloud resources.
Account changes can indicate persistence. Analysts should review new service principals, mailbox rules, and permission changes.
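The mailbox-rule review described above, worked as an added example (not code from the original page or its dataset): the script scores inbox-rule creation events for the persistence patterns defenders look for, namely forwarding to an external address, silent deletion, hiding mail in a rarely-read folder, filtering on security-related words, and near-empty rule names. The event shape, the field names, and the sample records are constructed assumptions loosely modelled on an audit-log export; map them to your tenant's actual schema before use.

```python
"""Flag suspicious inbox-rule creations in constructed mailbox audit events.

Added example, not part of the original page. The record layout (UserId,
Operation, Parameters as name/value pairs) is an assumption, not a vendor
schema; adjust the keys to match your audit-log export.
"""

# Constructed sample audit events (not real tenant data).
EVENTS = [
    {"UserId": "alice@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "Receipts", "MoveToFolder": "Receipts",
                    "SubjectContainsWords": "receipt"}},
    {"UserId": "bob@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "ForwardTo": "attacker@mail.example",
                    "DeleteMessage": "True"}},
    {"UserId": "carol@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "rule1", "MarkAsRead": "True",
                    "MoveToFolder": "RSS Subscriptions",
                    "SubjectOrBodyContainsWords": "password;invoice;hacked"}},
    {"UserId": "dave@corp.example", "Operation": "Set-Mailbox",
     "Parameters": {"ForwardingSmtpAddress": "smtp:dave@corp.example"}},
]

INTERNAL_DOMAINS = {"corp.example"}          # assumed: your own mail domains
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "junk email", "archive", "deleted items"}
SECURITY_WORDS = {"password", "hacked", "phish", "invoice", "wire",
                  "payment", "security"}


def external(address):
    """True when the address is outside the organisation's own domains."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(event):
    """Return the reasons an inbox-rule event looks like persistence ([] if none)."""
    if event["Operation"] != "New-InboxRule":
        return []
    p = event["Parameters"]
    reasons = []
    # 1. Forward/redirect to an external mailbox.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and external(p[key]):
            reasons.append(f"{key} to external address {p[key]}")
    # 2. Silent deletion of matching mail.
    if p.get("DeleteMessage", "False").lower() == "true":
        reasons.append("rule deletes messages")
    # 3. Hiding mail in a folder users rarely open, marked read so no badge appears.
    if (p.get("MoveToFolder", "").lower() in HIDE_FOLDERS
            and p.get("MarkAsRead", "False").lower() == "true"):
        reasons.append(f"rule hides mail in '{p['MoveToFolder']}' and marks it read")
    # 4. Filtering on words an attacker wants to intercept (security alerts, payments).
    words = p.get("SubjectContainsWords", "") + ";" + p.get("SubjectOrBodyContainsWords", "")
    hits = {w.strip().lower() for w in words.split(";")} & SECURITY_WORDS
    if hits:
        reasons.append("filters on security-related words: " + ", ".join(sorted(hits)))
    # 5. Near-empty rule names (".", ",", "a") are a common attacker habit.
    if len(p.get("Name", "")) <= 2:
        reasons.append(f"near-empty rule name {p['Name']!r}")
    return reasons


def triage(events):
    """Map each user with suspicious rule activity to the list of reasons."""
    findings = {}
    for e in events:
        reasons = rule_findings(e)
        if reasons:
            findings.setdefault(e["UserId"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in triage(EVENTS).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Only the two rules that match a persistence pattern are reported; a benign "move receipts to a folder" rule and an unrelated `Set-Mailbox` event pass through untouched. In production, pair this with a baseline of how often each user creates rules, since a first-ever rule from an account that just had an unusual sign-in is a much stronger signal than the same rule from a heavy rule user.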
Public-facing application risk should be reviewed through patch posture, web logs, and unexpected authentication attempts.
Destructive behavior is described only at a defensive level. Monitor for abnormal file deletion, service disruption, and backup access changes.
Analysts should investigate suspicious security tool tampering, log gaps, or policy changes.
Attachment-themed initial access is represented at a high level. Analysts should review attachment detonation, sender anomalies, and user reports.
Suspicious scripting should be correlated with recent downloads, unusual parent processes, and endpoint detections.
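The correlation described here and in the earlier "suspicious script execution" entry, worked as an added example (not code from the original page or its dataset): script-interpreter launches are scored against three signals, an unusual parent process (Office or browser), a download by the same user on the same host in the preceding ten minutes, and an encoded or hidden-window command line. The event field names and the sample process and file events are constructed assumptions, not a vendor's telemetry schema.

```python
"""Correlate script-interpreter launches with recent downloads and unusual
parent processes over constructed endpoint events.

Added example, not from the original page. Field names (ts, host, user,
parent, image, cmdline, path) are assumptions; map them to your EDR's schema.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Parents that should almost never spawn a script host interactively.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                   "chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe"}
DOWNLOAD_WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real telemetry).
FILE_EVENTS = [
    {"ts": ts("2024-05-01T09:00:00"), "host": "ws01", "user": "alice",
     "path": r"C:\Users\alice\Downloads\invoice_2024.zip"},
    {"ts": ts("2024-05-01T09:01:30"), "host": "ws01", "user": "alice",
     "path": r"C:\Users\alice\Downloads\invoice_2024.js"},
]
PROCESS_EVENTS = [
    {"ts": ts("2024-05-01T09:02:10"), "host": "ws01", "user": "alice",
     "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice_2024.js"'},
    {"ts": ts("2024-05-01T09:05:00"), "host": "ws01", "user": "alice",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ts": ts("2024-05-01T13:00:00"), "host": "ws02", "user": "bob",
     "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"ts": ts("2024-05-01T13:30:00"), "host": "ws02", "user": "svc_patch",
     "parent": "services.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c patch.bat"},
]


def recent_downloads(proc, file_events, window=DOWNLOAD_WINDOW):
    """File-creation events by the same user on the same host within `window` before launch."""
    return [f for f in file_events
            if f["host"] == proc["host"] and f["user"] == proc["user"]
            and proc["ts"] - window <= f["ts"] <= proc["ts"]]


def score(proc, file_events):
    """Return (number_of_signals, reasons) for one process-creation event."""
    if proc["image"].lower() not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    if proc["parent"].lower() in UNUSUAL_PARENTS:
        reasons.append(f"launched by {proc['parent']}")
    downloads = recent_downloads(proc, file_events)
    if downloads:
        reasons.append(f"{len(downloads)} download(s) in prior {DOWNLOAD_WINDOW}")
        # Stronger signal: the script's command line names a file that was just downloaded.
        if any(f["path"].lower() in proc["cmdline"].lower() for f in downloads):
            reasons.append("command line references a downloaded file")
    low = proc["cmdline"].lower()
    tokens = low.split()
    if "-enc" in tokens or "-e" in tokens or "-w hidden" in low:
        reasons.append("encoded or hidden-window invocation")
    return len(reasons), reasons


def triage(procs, file_events):
    """Process events with at least one signal, highest score first."""
    scored = []
    for p in procs:
        n, reasons = score(p, file_events)
        if n:
            scored.append({"host": p["host"], "user": p["user"],
                           "image": p["image"], "score": n, "reasons": reasons})
    return sorted(scored, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(hit["host"], hit["user"], hit["image"], hit["score"], hit["reasons"])
```

The interactive PowerShell launched from Explorer and the service-account batch job score zero and drop out, while the Word-spawned encoded PowerShell and the `wscript.exe` run against a freshly downloaded `.js` are surfaced with the reasons an analyst needs to pivot. The download window and parent list are tuning knobs; keep the parent list short and high-confidence so the score stays meaningful.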
Collection behavior should be reviewed through unusual file access, archive creation, and sensitive directory reads.
Valid account abuse should be monitored with identity risk signals, first-seen devices, and unusual MFA activity.
MFA fatigue patterns are represented defensively. Review unusual MFA prompts, help desk events, and conditional access changes.
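The identity checks named across the valid-account and MFA-fatigue entries above (first-seen devices, impossible travel, and a burst of rejected MFA prompts ending in an approval), worked together as one added example over a single constructed sign-in log. This is not code from the original page or its dataset; the event fields, the known-device baseline, and the thresholds are assumptions rather than any particular identity provider's schema.

```python
"""Three identity-telemetry checks over a constructed sign-in log:
first-seen device, impossible travel, and MFA fatigue.

Added example, not from the original page. Event fields (user, ts,
device_id, lat, lon, mfa_result), the device baseline and the thresholds
are assumptions; map them to your IdP's sign-in log.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sign-in / MFA events (not real data), oldest first.
SIGNINS = [
    {"user": "alice", "ts": ts("2024-05-01T08:00:00"), "device_id": "dev-A1",
     "lat": 51.51, "lon": -0.13, "mfa_result": "approved"},    # London
    {"user": "alice", "ts": ts("2024-05-01T09:30:00"), "device_id": "dev-A1",
     "lat": 51.51, "lon": -0.13, "mfa_result": "approved"},
    {"user": "alice", "ts": ts("2024-05-01T10:00:00"), "device_id": "dev-Z9",
     "lat": 40.71, "lon": -74.01, "mfa_result": "approved"},   # New York, 30 min later
    {"user": "bob", "ts": ts("2024-05-01T22:00:00"), "device_id": "dev-B1",
     "lat": 48.86, "lon": 2.35, "mfa_result": "denied"},
    {"user": "bob", "ts": ts("2024-05-01T22:01:00"), "device_id": "dev-B1",
     "lat": 48.86, "lon": 2.35, "mfa_result": "denied"},
    {"user": "bob", "ts": ts("2024-05-01T22:02:00"), "device_id": "dev-B1",
     "lat": 48.86, "lon": 2.35, "mfa_result": "timeout"},
    {"user": "bob", "ts": ts("2024-05-01T22:03:00"), "device_id": "dev-B1",
     "lat": 48.86, "lon": 2.35, "mfa_result": "denied"},
    {"user": "bob", "ts": ts("2024-05-01T22:04:30"), "device_id": "dev-B1",
     "lat": 48.86, "lon": 2.35, "mfa_result": "approved"},
]
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}}  # assumed 30-day baseline
MAX_SPEED_KMH = 900            # faster than an airliner => not physically possible
MFA_WINDOW = timedelta(minutes=10)
MFA_MIN_REJECTS = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def first_seen_devices(events, known=KNOWN_DEVICES):
    """Sign-ins from a device not in the user's baseline."""
    return [(e["user"], e["device_id"], e["ts"])
            for e in events if e["device_id"] not in known.get(e["user"], set())]


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    last, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                hits.append((e["user"], round(km), round(km / hours)))
        last[e["user"]] = e
    return hits


def mfa_fatigue(events, window=MFA_WINDOW, min_rejects=MFA_MIN_REJECTS):
    """An approval preceded by >= min_rejects non-approved prompts within window.

    Denied and timed-out prompts both count: the user ignoring prompts is the
    fatigue pattern, and the final approval is the compromise."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["mfa_result"] != "approved":
                continue
            rejects = [p for p in evs[:i]
                       if p["mfa_result"] != "approved" and e["ts"] - p["ts"] <= window]
            if len(rejects) >= min_rejects:
                hits.append((user, len(rejects), e["ts"]))
    return hits


if __name__ == "__main__":
    print("first-seen devices:", first_seen_devices(SIGNINS))
    print("impossible travel:", impossible_travel(SIGNINS))
    print("MFA fatigue:", mfa_fatigue(SIGNINS))
```

On the sample log the three checks each fire exactly once and on the two cases an analyst would expect: alice's New York sign-in from an unknown device half an hour after a London one, and bob's approval after four ignored or denied prompts in five minutes. Real deployments need geolocation confidence (VPN egress and mobile carriers cause false impossible-travel hits) and should treat a first-seen device that coincides with either of the other two signals as the highest-priority triage item.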
Remote service use should be compared against normal administrator behavior and approved access windows.
Application exposure should be triaged through patch posture, web logs, and unusual transfer activity.
Data exfiltration is represented defensively through transfer anomalies, archive staging, and DLP review.
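The exfiltration review named here and in the earlier "data theft" entry (bulk archive creation followed by an outbound transfer anomaly), worked as an added example that is not code from the original page or its dataset. Each user's daily egress is compared against the median of their own prior days, and any flagged day is correlated with archive files the same user created in the hours before the transfer began. The record layouts, the sample egress and file events, and the thresholds are constructed assumptions.

```python
"""Flag outbound transfer anomalies and correlate them with archive staging,
over constructed egress and file-creation records.

Added example, not from the original page. Field names and thresholds are
assumptions; the baseline is each user's median daily egress on prior days.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ARCHIVE_WINDOW = timedelta(hours=6)   # look-back before the day's first transfer
RATIO = 5.0                           # flag when day's egress > RATIO x baseline
MIN_BYTES = 200 * 1024 * 1024         # ignore small absolute volumes
MIN_HISTORY = 3                       # days needed before a baseline is trusted


def ts(s):
    return datetime.fromisoformat(s)


# Constructed per-flow egress records (not real data).
EGRESS = [
    # alice: ~50 MB/day to a sanctioned service, then 2 GB at 02:15 to an unsanctioned host
    {"user": "alice", "ts": ts("2024-05-01T10:00:00"), "bytes": 50_000_000, "dst": "sharepoint.corp.example"},
    {"user": "alice", "ts": ts("2024-05-02T10:00:00"), "bytes": 45_000_000, "dst": "sharepoint.corp.example"},
    {"user": "alice", "ts": ts("2024-05-03T10:00:00"), "bytes": 55_000_000, "dst": "sharepoint.corp.example"},
    {"user": "alice", "ts": ts("2024-05-04T02:15:00"), "bytes": 2_000_000_000, "dst": "files.mega.example"},
    # bob: a backup operator whose large daily volume is normal for him
    {"user": "bob", "ts": ts("2024-05-01T11:00:00"), "bytes": 300_000_000, "dst": "backup.corp.example"},
    {"user": "bob", "ts": ts("2024-05-02T11:00:00"), "bytes": 310_000_000, "dst": "backup.corp.example"},
    {"user": "bob", "ts": ts("2024-05-03T11:00:00"), "bytes": 290_000_000, "dst": "backup.corp.example"},
    {"user": "bob", "ts": ts("2024-05-04T11:00:00"), "bytes": 320_000_000, "dst": "backup.corp.example"},
]
# Constructed archive-creation events from endpoint file telemetry.
ARCHIVES = [
    {"user": "alice", "ts": ts("2024-05-03T23:40:00"),
     "path": r"C:\Users\alice\AppData\Local\Temp\q1.7z", "bytes": 1_900_000_000},
    {"user": "bob", "ts": ts("2024-05-02T09:00:00"),
     "path": r"D:\exports\report.zip", "bytes": 5_000_000},
]


def daily_totals(egress):
    """{user: {date: total_bytes}} aggregated from per-flow records."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in egress:
        totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def egress_anomalies(egress, ratio=RATIO, min_bytes=MIN_BYTES, min_history=MIN_HISTORY):
    """Days whose egress exceeds ratio x the user's median of all earlier days."""
    hits = []
    for user, days in daily_totals(egress).items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            if i < min_history:
                continue                      # not enough history for a baseline
            baseline = median(t for _, t in ordered[:i])
            if total > min_bytes and total > ratio * baseline:
                hits.append({"user": user, "day": day, "bytes": total, "baseline": baseline})
    return hits


def staged_archives(hit, archives, egress, window=ARCHIVE_WINDOW):
    """Archives the user created within `window` before that day's first transfer."""
    first = min(e["ts"] for e in egress
                if e["user"] == hit["user"] and e["ts"].date() == hit["day"])
    return [a for a in archives
            if a["user"] == hit["user"] and first - window <= a["ts"] <= first]


def triage(egress, archives):
    """Anomalous egress days, each annotated with any archives staged beforehand."""
    out = []
    for h in egress_anomalies(egress):
        h["archives"] = [a["path"] for a in staged_archives(h, archives, egress)]
        out.append(h)
    return out


if __name__ == "__main__":
    for h in triage(EGRESS, ARCHIVES):
        print(h["user"], h["day"], h["bytes"], "baseline", h["baseline"], "staged:", h["archives"])
```

Using each user's own history is what keeps the backup operator out of the alert queue while a forty-fold jump from an ordinary user is caught; the archive correlation then tells the analyst what was likely in the transfer before the DLP review starts. Destination reputation (the unsanctioned host in the sample) is a natural third signal to add to the score.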
Impact-stage behavior should be monitored through abnormal file changes and backup access events.
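The rename-burst detection named here and in the earlier "file encryption" entry, worked as an added example that is not code from the original page or its dataset. A per-host sliding window counts rename events; when the count crosses the threshold and most of those renames changed the file extension, an alert is raised with the new extensions, which is the pattern mass encryption leaves behind. The event fields, the thresholds, and the two sample hosts (one encryption-like, one benign reorganisation) are constructed assumptions.

```python
"""Detect ransomware-style rename bursts in constructed file-system events:
many renames per host in a short window, most changing the extension.

Added example, not from the original page. Field names and thresholds are
assumptions; tune WINDOW and THRESHOLD against your own file-server telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)
THRESHOLD = 20          # renames per host within WINDOW before we look closer
EXT_CHANGE_SHARE = 0.8  # fraction of those renames that changed extension


def ts(s):
    return datetime.fromisoformat(s)


def constructed_events():
    """Two hosts: fs01 looks like encryption, ws02 is a user moving photos."""
    events = []
    base = ts("2024-05-01T03:00:00")
    # fs01: 40 renames in 20 seconds, every one to a new extension
    for i in range(40):
        events.append({"ts": base + timedelta(seconds=i * 0.5), "host": "fs01", "user": "SYSTEM",
                       "src": f"\\\\fs01\\share\\doc{i}.docx",
                       "dst": f"\\\\fs01\\share\\doc{i}.docx.locked"})
    # ws02: 30 renames spread over 10 minutes, extension unchanged
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=i * 20), "host": "ws02", "user": "carol",
                       "src": f"C:\\Users\\carol\\old\\img{i}.jpg",
                       "dst": f"C:\\Users\\carol\\new\\img{i}.jpg"})
    return sorted(events, key=lambda e: e["ts"])


def ext(path):
    """Lower-cased final extension; works on Windows paths even on POSIX hosts."""
    return os.path.splitext(path)[1].lower()


def rename_bursts(events, window=WINDOW, threshold=THRESHOLD, share=EXT_CHANGE_SHARE):
    """Sliding window per host; one alert per burst, re-armed once the window drains."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["host"]]
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if not q:
            fired.discard(e["host"])          # quiet period: a later burst is new
        q.append(e)
        if len(q) >= threshold and e["host"] not in fired:
            changed = [r for r in q if ext(r["src"]) != ext(r["dst"])]
            if len(changed) / len(q) >= share:
                alerts.append({"host": e["host"], "user": e["user"], "count": len(q),
                               "start": q[0]["ts"], "end": e["ts"],
                               "new_extensions": sorted({ext(r["dst"]) for r in changed})})
                fired.add(e["host"])
    return alerts


if __name__ == "__main__":
    for a in rename_bursts(constructed_events()):
        print(a["host"], a["user"], a["count"], "renames from", a["start"],
              "new extensions:", a["new_extensions"])
```

The extension-change share is what separates the two hosts: carol's 30 moves never reach the threshold inside a 60-second window and would fail the share test even if they did, while fs01 trips the alert on its twentieth rename, roughly ten seconds into the burst. Pair the alert with the backup-access events the entry above mentions (snapshot deletion, backup-agent service stops) to raise confidence before an automated isolation action.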