ATT&CK Detection Rule Coverage

3297 catalog-relevant detection rules across Sigma, Elastic, Splunk, and Sentinel mapped to 349 MITRE ATT&CK techniques. Each technique lists the rules that target it — the unit of work for a detection engineer — grouped by vendor. Techniques with rule coverage from multiple vendors are higher confidence.

349 techniques

4 vendors 3 vendors 2 vendors 1 vendor

Reconnaissance (12 techniques)

T1590 Gather Victim Network Information 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Suspicious DNS Query for IP Lookup Service APIs

Splunk

Local LLM Framework DNS Query

Kusto Query Language

T1590.001 Gather Victim Network Information: Domain Properties 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

PUA - Crassus Execution

T1590.002 Gather Victim Network Information: DNS 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Failed DNS Zone Transfer

T1590.005 Gather Victim Network Information: IP Addresses 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1592 Gather Victim Host Information 3 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1592.001 Gather Victim Host Information: Hardware 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Gather Victim Host Information Camera

T1589.001 Gather Victim Identity Information: Credentials 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Gather Victim Identity SAM Info

T1589.002 Gather Victim Identity Information: Email Addresses 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock

Splunk

Kerberos User Enumeration

T1595 Active Scanning 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1595.001 Active Scanning: Scanning IP Blocks 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Detect Network Scanner Behavior

T1595.002 Active Scanning: Vulnerability Scanning 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Detect Network Scanner Behavior

T1593.003 Search Open Websites/Domains: Code Repositories 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Suspicious Git Clone

Initial Access (15 techniques)

T1078 Valid Accounts 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1078.001 Valid Accounts: Default Accounts 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

T1078.002 Valid Accounts: Domain Accounts 19 rules

Comparative authoring view → · attack.mitre.org

T1078.003 Valid Accounts: Local Accounts 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

Splunk

Short Lived Windows Accounts

T1566 Phishing 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

RecordedFuture Threat Hunting Domain All Actors

T1566.001 Phishing: Spearphishing Attachment 30 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1566.002 Phishing: Spearphishing Link 6 rules

Comparative authoring view → · attack.mitre.org

Splunk

Kusto Query Language

T1190 Exploit Public-Facing Application 24 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1133 External Remote Services 17 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1195 Supply Chain Compromise 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Octopus Scanner Malware

Splunk

Kusto Query Language

T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Octopus Scanner Malware

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1200 Hardware Additions 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1091 Replication Through Removable Media 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

External Disk Drive Or USB Storage Device Was Recognized By The System

Splunk

T1189 Drive-by Compromise 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

Detect hosts connecting to dynamic domain providers

Kusto Query Language

RecordedFuture Threat Hunting Hash All Actors

Execution (23 techniques)

T1059 Command and Scripting Interpreter 94 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1059.001 Command and Scripting Interpreter: PowerShell 229 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1059.003 Command and Scripting Interpreter: Windows Command Shell 31 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1059.005 Command and Scripting Interpreter: Visual Basic 26 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1059.006 Command and Scripting Interpreter: Python 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1059.007 Command and Scripting Interpreter: JavaScript 20 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1047 Windows Management Instrumentation 48 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1053 Scheduled Task/Job 16 rules

Comparative authoring view → · attack.mitre.org

T1053.002 Scheduled Task/Job: At 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1053.005 Scheduled Task/Job: Scheduled Task 48 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1569 System Services 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Psexec Execution

Elastic

Remote Windows Service Installed

Kusto Query Language

T1569.002 System Services: Service Execution 45 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Remote Windows Service Installed

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1204 User Execution 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1204.001 User Execution: Malicious Link 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows ISO LNK File Creation

T1204.002 User Execution: Malicious File 34 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1204.004 User Execution: Malicious Copy and Paste 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1106 Native API 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1203 Exploitation for Client Execution 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Sunburst Correlation DLL and Network Event

Kusto Query Language

T1072 Software Deployment Tools 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1559 Inter-Process Communication 6 rules

Comparative authoring view → · attack.mitre.org

Splunk

Kusto Query Language

Suspicious named pipes

T1559.001 Inter-Process Communication: Component Object Model 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Process Writing DynamicWrapperX

T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Enable Microsoft Dynamic Data Exchange

T1129 Shared Modules 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Unsigned .node File Loaded

Splunk

Windows Executable in Loaded Modules

Discovery (31 techniques)

T1087 Account Discovery 20 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Access to LDAP Attributes

Splunk

Kusto Query Language

Detect Suspicious Commands Initiated by Webserver Processes

T1087.001 Account Discovery: Local Account 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1087.002 Account Discovery: Domain Account 41 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Access to LDAP Attributes

Splunk

Kusto Query Language

T1482 Domain Trust Discovery 26 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Access to LDAP Attributes

Splunk

Kusto Query Language

T1069 Permission Groups Discovery 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Access to LDAP Attributes

Splunk

Windows PowerView AD Access Control List Enumeration

T1069.001 Permission Groups Discovery: Local Groups 19 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1069.002 Permission Groups Discovery: Domain Groups 24 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Access to LDAP Attributes

Splunk

Kusto Query Language

Probable AdFind Recon Tool Usage

T1018 Remote System Discovery 23 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1033 System Owner/User Discovery 22 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1012 Query Registry 19 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access

T1082 System Information Discovery 19 rules

Comparative authoring view → · attack.mitre.org

T1046 Network Service Discovery 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1135 Network Share Discovery 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1016 System Network Configuration Discovery 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows PowerShell Invoke-RestMethod IP Information Collection

Kusto Query Language

T1083 File and Directory Discovery 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1040 Network Sniffing 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1049 System Network Connections Discovery 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

GetNetTcpconnection with PowerShell Script Block

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1201 Password Policy Discovery 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1615 Group Policy Discovery 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1057 Process Discovery 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1217 Browser Information Discovery 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1518 Software Discovery 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1518.001 Software Discovery: Security Software Discovery 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1007 System Service Discovery 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1010 Application Window Discovery 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

SCM Database Handle Failure

Kusto Query Language

Qakbot Discovery Activies

T1120 Peripheral Device Discovery 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1124 System Time Discovery 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1614.001 System Location Discovery: System Language Discovery 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1497.001 Virtualization/Sandbox Evasion: System Checks 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Powershell Detect Virtualization Environment

T1526 Cloud Service Discovery 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

PUA - Seatbelt Execution

T1622 Debugger Evasion 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

PUA - Process Hacker Execution

Credential Access (41 techniques)

T1003 OS Credential Dumping 46 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1003.001 OS Credential Dumping: LSASS Memory 88 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1003.002 OS Credential Dumping: Security Account Manager 26 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Remote Registry Access via SeBackupPrivilege

Splunk

T1003.003 OS Credential Dumping: NTDS 20 rules

Comparative authoring view → · attack.mitre.org

T1003.004 OS Credential Dumping: LSA Secrets 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Remote Registry Access via SeBackupPrivilege

Splunk

Windows LSA Secrets NoLMhash Registry

T1003.005 OS Credential Dumping: Cached Domain Credentials 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1003.006 OS Credential Dumping: DCSync 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Non Domain Controller Active Directory Replication

T1110 Brute Force 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Kusto Query Language

T1110.001 Brute Force: Password Guessing 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Windows Remote Desktop Network Bruteforce Attempt

T1110.002 Brute Force: Password Cracking 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

HackTool - Hashcat Password Cracker Execution

T1110.003 Brute Force: Password Spraying 23 rules

Comparative authoring view → · attack.mitre.org

Elastic

Splunk

Kusto Query Language

Password Spraying

T1110.004 Brute Force: Credential Stuffing 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Local Administrator Credential Stuffing

T1558 Steal or Forge Kerberos Tickets 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Kerberos Service Ticket Request Using RC4 Encryption

T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 21 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

User account exposed to Kerberoasting

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 5 rules

Comparative authoring view → · attack.mitre.org

Elastic

Kerberos Pre-authentication Disabled for User

Splunk

T1557 Adversary-in-the-Middle 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 19 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1557.003 Adversary-in-the-Middle: DHCP Spoofing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

T1649 Steal or Forge Authentication Certificates 17 rules

Comparative authoring view → · attack.mitre.org

T1187 Forced Authentication 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

T1552 Unsecured Credentials 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Access to a Sensitive LDAP Attribute

Splunk

Windows Unsecured Outlook Credentials Access In Registry

T1552.001 Unsecured Credentials: Credentials In Files 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1552.002 Unsecured Credentials: Credentials in Registry 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1552.004 Unsecured Credentials: Private Keys 10 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Access to a Sensitive LDAP Attribute

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1552.006 Unsecured Credentials: Group Policy Preferences 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows PowerSploit GPP Discovery

T1555 Credentials from Password Stores 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Multiple Vault Web Credentials Read

T1555.003 Credentials from Password Stores: Credentials from Web Browsers 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1555.004 Credentials from Password Stores: Windows Credential Manager 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Multiple Vault Web Credentials Read

Splunk

Windows Credentials Access via VaultCli Module

T1555.005 Credentials from Password Stores: Password Managers 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Remote Thread Created In KeePass.EXE

T1040 Network Sniffing 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1528 Steal Application Access Token 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1556 Modify Authentication Process 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Shadow Credentials added to AD Object

Splunk

Disabling Windows Local Security Authority Defences via Registry

T1556.002 Modify Authentication Process: Password Filter DLL 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1056 Input Capture 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

DNS Query Request To OneLaunch Update Service

T1056.001 Input Capture: Keylogging 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1056.002 Input Capture: GUI Input Capture 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Input Capture Using Credential UI Dll

T1056.004 Input Capture: Credential API Hooking 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1212 Exploitation for Credential Access 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1539 Steal Web Session Cookie 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Privilege Escalation (67 techniques)

T1574 Hijack Execution Flow 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows BitDefender Submission Wizard DLL Sideloading

Kusto Query Language

Detect Suspicious Commands Initiated by Webserver Processes

T1574.001 Hijack Execution Flow: DLL 91 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.004 Hijack Execution Flow: Dylib Hijacking 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Using SettingSyncHost.exe as LOLBin

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Service Creation Using Registry Entry

T1574.012 Hijack Execution Flow: COR_PROFILER 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.014 Hijack Execution Flow: AppDomainManager 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Potential AppDomainManager Hijack Artifacts Creation

T1548 Abuse Elevation Control Mechanism 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 70 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1098 Account Manipulation 55 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1098.007 Account Manipulation: Additional Local or Domain Groups 1 rule

Comparative authoring view → · attack.mitre.org

Elastic

User Added to Privileged Group in Active Directory

T1543 Create or Modify System Process 18 rules

Comparative authoring view → · attack.mitre.org

T1543.003 Create or Modify System Process: Windows Service 50 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1053 Scheduled Task/Job 16 rules

Comparative authoring view → · attack.mitre.org

T1053.002 Scheduled Task/Job: At 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1053.005 Scheduled Task/Job: Scheduled Task 48 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1055 Process Injection 43 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1055.001 Process Injection: Dynamic-link Library Injection 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1055.002 Process Injection: Portable Executable Injection 4 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1055.003 Process Injection: Thread Execution Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1055.011 Process Injection: Extra Window Memory Injection 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Uncommon Process Access Rights For Target Image

T1055.012 Process Injection: Process Hollowing 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Process Creation CallTrace

T1547 Boot or Logon Autostart Execution 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Startup/Logon Script added to Group Policy Object

Splunk

Windows Unsigned MS DLL Side-Loading

Kusto Query Language

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 37 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.002 Boot or Logon Autostart Execution: Authentication Package 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Suspicious Activity Using SeCEdit

T1547.003 Boot or Logon Autostart Execution: Time Providers 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

New TimeProviders Registered With Uncommon DLL Name

Splunk

Time Provider Persistence Registry

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Security Support Provider (SSP) Added to LSA Configuration

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1547.008 Boot or Logon Autostart Execution: LSASS Driver 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

DLL Load via LSASS

Splunk

Windows Autostart Execution LSASS Driver Registry Modification

T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.010 Boot or Logon Autostart Execution: Port Monitors 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Monitor Registry Keys for Print Monitors

T1547.012 Boot or Logon Autostart Execution: Print Processors 6 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1547.014 Boot or Logon Autostart Execution: Active Setup 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Potential Suspicious Activity Using SeCEdit

Splunk

T1547.015 Boot or Logon Autostart Execution: Login Items 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Windows Terminal Profile Settings Modification By Uncommon Process

T1078 Valid Accounts 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1078.001 Valid Accounts: Default Accounts 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

T1078.002 Valid Accounts: Domain Accounts 19 rules

Comparative authoring view → · attack.mitre.org

T1078.003 Valid Accounts: Local Accounts 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

Splunk

Short Lived Windows Accounts

T1068 Exploitation for Privilege Escalation 22 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1484 Domain or Tenant Policy Modification 14 rules

Comparative authoring view → · attack.mitre.org

Elastic

Splunk

T1484.001 Domain or Tenant Policy Modification: Group Policy Modification 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1546 Event Triggered Execution 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious WMI Event Subscription Created

Splunk

Kusto Query Language

T1546.001 Event Triggered Execution: Change Default File Association 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows New Default File Association Value Set

T1546.002 Event Triggered Execution: Screensaver 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Screensaver Event Trigger Execution

T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious WMI Event Subscription Created

Splunk

T1546.007 Event Triggered Execution: Netsh Helper DLL 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1546.008 Event Triggered Execution: Accessibility Features 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Overwriting Accessibility Binaries

Kusto Query Language

T1546.009 Event Triggered Execution: AppCert DLLs 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Registry Persistence via AppCert DLL Modification

T1546.010 Event Triggered Execution: AppInit DLLs 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

New DLL Added to AppInit_DLLs Registry Key

Kusto Query Language

Registry Persistence via AppInit DLLs Modification

T1546.011 Event Triggered Execution: Application Shimming 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1546.012 Event Triggered Execution: Image File Execution Options Injection 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1546.013 Event Triggered Execution: PowerShell Profile 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1546.015 Event Triggered Execution: Component Object Model Hijacking 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Component Object Model Hijacking - Vault7 trick

T1134 Access Token Manipulation 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1134.001 Access Token Manipulation: Token Impersonation/Theft 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Privilege Escalation via Rogue Named Pipe Impersonation

Splunk

T1134.002 Access Token Manipulation: Create Process with Token 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Process Creation via Secondary Logon

Splunk

Windows Access Token Manipulation SeDebugPrivilege

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1134.003 Access Token Manipulation: Make and Impersonate Token 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Process Creation via Secondary Logon

T1134.004 Access Token Manipulation: Parent PID Spoofing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

HackTool - PPID Spoofing SelectMyParent Tool Execution

T1134.005 Access Token Manipulation: SID-History Injection 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Addition of SID History to Active Directory Object

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1037 Boot or Logon Initialization Scripts 1 rule

Comparative authoring view → · attack.mitre.org

Elastic

Startup/Logon Script added to Group Policy Object

T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Logon Script Event Trigger Execution

T1611 Escape to Host 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Oracle suspicious command execution

Lateral Movement (15 techniques)

T1021 Remote Services 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Enable RDP In Other Port Number

Kusto Query Language

T1021.001 Remote Services: Remote Desktop Protocol 23 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1021.002 Remote Services: SMB/Windows Admin Shares 42 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

T1021.003 Remote Services: Distributed Component Object Model 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1021.004 Remote Services: SSH 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1021.005 Remote Services: VNC 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Suspicious UltraVNC Execution

T1021.006 Remote Services: Windows Remote Management 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1210 Exploitation of Remote Services 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Detect Computer Changed with Anonymous Account

Kusto Query Language

T1570 Lateral Tool Transfer 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Scheduled Task Execution at Scale via GPO

Kusto Query Language

T1550 Use Alternate Authentication Material 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Outgoing Logon with New Credentials

Elastic

Splunk

T1550.002 Use Alternate Authentication Material: Pass the Hash 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Pass-the-Hash (PtH) Attempt

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1550.003 Use Alternate Authentication Material: Pass the Ticket 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Rubeus Kerberos Ticket Exports Through Winlogon Access

T1072 Software Deployment Tools 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1091 Replication Through Removable Media 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

External Disk Drive Or USB Storage Device Was Recognized By The System

Splunk

T1563.002 Remote Service Session Hijacking: RDP Hijacking 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows RDP Connection Successful

Persistence (71 techniques)

T1112 Modify Registry 149 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1574 Hijack Execution Flow 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows BitDefender Submission Wizard DLL Sideloading

Kusto Query Language

Detect Suspicious Commands Initiated by Webserver Processes

T1574.001 Hijack Execution Flow: DLL 91 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.004 Hijack Execution Flow: Dylib Hijacking 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Using SettingSyncHost.exe as LOLBin

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Service Creation Using Registry Entry

T1574.012 Hijack Execution Flow: COR_PROFILER 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.014 Hijack Execution Flow: AppDomainManager 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Potential AppDomainManager Hijack Artifacts Creation

T1098 Account Manipulation 55 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1098.007 Account Manipulation: Additional Local or Domain Groups 1 rule

Comparative authoring view → · attack.mitre.org

Elastic

User Added to Privileged Group in Active Directory

T1543 Create or Modify System Process 18 rules

Comparative authoring view → · attack.mitre.org

T1543.003 Create or Modify System Process: Windows Service 50 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1053 Scheduled Task/Job 16 rules

Comparative authoring view → · attack.mitre.org

T1053.002 Scheduled Task/Job: At 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1053.005 Scheduled Task/Job: Scheduled Task 48 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547 Boot or Logon Autostart Execution 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Startup/Logon Script added to Group Policy Object

Splunk

Windows Unsigned MS DLL Side-Loading

Kusto Query Language

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 37 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.002 Boot or Logon Autostart Execution: Authentication Package 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Suspicious Activity Using SeCEdit

T1547.003 Boot or Logon Autostart Execution: Time Providers 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

New TimeProviders Registered With Uncommon DLL Name

Splunk

Time Provider Persistence Registry

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Security Support Provider (SSP) Added to LSA Configuration

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1547.008 Boot or Logon Autostart Execution: LSASS Driver 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

DLL Load via LSASS

Splunk

Windows Autostart Execution LSASS Driver Registry Modification

T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1547.010 Boot or Logon Autostart Execution: Port Monitors 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Monitor Registry Keys for Print Monitors

T1547.012 Boot or Logon Autostart Execution: Print Processors 6 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1547.014 Boot or Logon Autostart Execution: Active Setup 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Potential Suspicious Activity Using SeCEdit

Splunk

T1547.015 Boot or Logon Autostart Execution: Login Items 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Windows Terminal Profile Settings Modification By Uncommon Process

T1078 Valid Accounts 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1078.001 Valid Accounts: Default Accounts 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

T1078.002 Valid Accounts: Domain Accounts 19 rules

Comparative authoring view → · attack.mitre.org

T1078.003 Valid Accounts: Local Accounts 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

Splunk

Short Lived Windows Accounts

T1133 External Remote Services 17 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1505.001 Server Software Component: SQL Stored Procedures 4 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1505.002 Server Software Component: Transport Agent 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

MSExchange Transport Agent Installation

T1505.003 Server Software Component: Web Shell 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1505.004 Server Software Component: IIS Components 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1505.005 Server Software Component: Terminal Services DLL 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Suspicious Activity Using SeCEdit

T1136 Create Account 3 rules

Comparative authoring view → · attack.mitre.org

Elastic

dMSA Account Creation by an Unusual User

Kusto Query Language

T1136.001 Create Account: Local Account 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1136.002 Create Account: Domain Account 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

dMSA Account Creation by an Unusual User

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1546 Event Triggered Execution 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious WMI Event Subscription Created

Splunk

Kusto Query Language

T1546.001 Event Triggered Execution: Change Default File Association 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows New Default File Association Value Set

T1546.002 Event Triggered Execution: Screensaver 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Screensaver Event Trigger Execution

T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious WMI Event Subscription Created

Splunk

T1546.007 Event Triggered Execution: Netsh Helper DLL 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1546.008 Event Triggered Execution: Accessibility Features 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Overwriting Accessibility Binaries

Kusto Query Language

T1546.009 Event Triggered Execution: AppCert DLLs 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Registry Persistence via AppCert DLL Modification

T1546.010 Event Triggered Execution: AppInit DLLs 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

New DLL Added to AppInit_DLLs Registry Key

Kusto Query Language

Registry Persistence via AppInit DLLs Modification

T1546.011 Event Triggered Execution: Application Shimming 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1546.012 Event Triggered Execution: Image File Execution Options Injection 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1546.013 Event Triggered Execution: PowerShell Profile 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1546.015 Event Triggered Execution: Component Object Model Hijacking 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Component Object Model Hijacking - Vault7 trick

T1197 BITS Jobs 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Bitsadmin Activity

T1137 Office Application Startup 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1137.002 Office Application Startup: Office Test 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Office Application Startup - Office Test

T1137.003 Office Application Startup: Outlook Forms 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Persistence Via Outlook Form

T1137.006 Office Application Startup: Add-ins 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1554 Compromise Host Software Binary 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1037 Boot or Logon Initialization Scripts 1 rule

Comparative authoring view → · attack.mitre.org

Elastic

Startup/Logon Script added to Group Policy Object

T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Logon Script Event Trigger Execution

T1556 Modify Authentication Process 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Shadow Credentials added to AD Object

Splunk

Disabling Windows Local Security Authority Defences via Registry

T1556.002 Modify Authentication Process: Password Filter DLL 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1176.001 Software Extensions: Browser Extensions 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1542 Pre-OS Boot 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Registry BootExecute Modification

T1542.001 Pre-OS Boot: System Firmware 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1542.003 Pre-OS Boot: Bootkit 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Splunk

Windows WinLogon with Public Network Connection

Defense Evasion (112 techniques)

T1562 Impair Defenses 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1562.001 Impair Defenses: Disable or Modify Tools 171 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Evasion via Windows Filtering Platform

Splunk

Kusto Query Language

T1562.002 Impair Defenses: Disable Windows Event Logging 28 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Sensitive Audit Policy Sub-Category Disabled

Splunk

T1562.004 Impair Defenses: Disable or Modify System Firewall 21 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Evasion via Windows Filtering Platform

Splunk

T1562.006 Impair Defenses: Indicator Blocking 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Sensitive Audit Policy Sub-Category Disabled

Splunk

T1562.010 Impair Defenses: Downgrade Attack 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

LSA PPL Protection Setting Modification via CommandLine

T1112 Modify Registry 149 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1218 System Binary Proxy Execution 136 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Credential Access via Renamed COM+ Services DLL

Splunk

T1218.001 System Binary Proxy Execution: Compiled HTML File 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1218.002 System Binary Proxy Execution: Control Panel 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Control Panel Items

T1218.003 System Binary Proxy Execution: CMSTP 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1218.004 System Binary Proxy Execution: InstallUtil 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows InstallUtil Credential Theft

T1218.005 System Binary Proxy Execution: Mshta 10 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1218.007 System Binary Proxy Execution: Msiexec 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1218.008 System Binary Proxy Execution: Odbcconf 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1218.009 System Binary Proxy Execution: Regsvcs/Regasm 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1218.010 System Binary Proxy Execution: Regsvr32 20 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Malicious InProcServer32 Modification

Kusto Query Language

T1218.011 System Binary Proxy Execution: Rundll32 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Credential Access via Renamed COM+ Services DLL

Splunk

Kusto Query Language

T1218.013 System Binary Proxy Execution: Mavinject 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1218.014 System Binary Proxy Execution: MMC 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

UAC Bypass MMC Load Unsigned Dll

T1027 Obfuscated Files or Information 106 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1027.001 Obfuscated Files or Information: Binary Padding 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Failed Code Integrity Checks

T1027.002 Obfuscated Files or Information: Software Packing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Python Image Load By Non-Python Process

T1027.003 Obfuscated Files or Information: Steganography 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Findstr Launching .lnk File

T1027.004 Obfuscated Files or Information: Compile After Delivery 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1027.005 Obfuscated Files or Information: Indicator Removal from Tools 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1027.009 Obfuscated Files or Information: Embedded Payloads 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Powershell Token Obfuscation - Process Creation

T1027.010 Obfuscated Files or Information: Command Obfuscation 19 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

T1027.011 Obfuscated Files or Information: Fileless Storage 3 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Obfuscated Files or Information via RAR SFX

T1574 Hijack Execution Flow 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows BitDefender Submission Wizard DLL Sideloading

Kusto Query Language

Detect Suspicious Commands Initiated by Webserver Processes

T1574.001 Hijack Execution Flow: DLL 91 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.004 Hijack Execution Flow: Dylib Hijacking 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Using SettingSyncHost.exe as LOLBin

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Service Creation Using Registry Entry

T1574.012 Hijack Execution Flow: COR_PROFILER 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1574.014 Hijack Execution Flow: AppDomainManager 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Potential AppDomainManager Hijack Artifacts Creation

T1548 Abuse Elevation Control Mechanism 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 70 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1036 Masquerading 49 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1036.002 Masquerading: Right-to-Left Override 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Detect RTLO In File Name

T1036.003 Masquerading: Rename Legitimate Utilities 26 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Credential Access via Renamed COM+ Services DLL

Splunk

Windows Renamed Powershell Execution

T1036.004 Masquerading: Masquerade Task or Service 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Scheduled Task Creation Masquerading as System Processes

T1036.005 Masquerading: Match Legitimate Resource Name or Location 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows LOLBAS Executed Outside Expected Path

Kusto Query Language

Match Legitimate Name or Location - 2

T1036.007 Masquerading: Double File Extension 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1036.008 Masquerading: Masquerade File Type 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Executable Masquerading as Benign File Types

T1036.009 Masquerading: Break Process Trees 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1055 Process Injection 43 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1055.001 Process Injection: Dynamic-link Library Injection 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1055.002 Process Injection: Portable Executable Injection 4 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1055.003 Process Injection: Thread Execution Hijacking 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1055.011 Process Injection: Extra Window Memory Injection 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Uncommon Process Access Rights For Target Image

T1055.012 Process Injection: Process Hollowing 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Suspicious Process Creation CallTrace

T1202 Indirect Command Execution 39 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows RunMRU Command Execution

T1078 Valid Accounts 35 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1078.001 Valid Accounts: Default Accounts 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

T1078.002 Valid Accounts: Domain Accounts 19 rules

Comparative authoring view → · attack.mitre.org

T1078.003 Valid Accounts: Local Accounts 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Admin User Remote Logon

Splunk

Short Lived Windows Accounts

T1140 Deobfuscate/Decode Files or Information 25 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Kusto Query Language

T1564 Hide Artifacts 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1564.001 Hide Artifacts: Hidden Files and Directories 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Disable Show Hidden Files

T1564.002 Hide Artifacts: Hidden Users 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1564.003 Hide Artifacts: Hidden Window 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1564.004 Hide Artifacts: NTFS File Attributes 25 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Ingress Tool Transfer - Certutil

T1564.006 Hide Artifacts: Run Virtual Instance 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1070 Indicator Removal 24 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Process Deleting Its Process File Path

Kusto Query Language

T1070.001 Indicator Removal: Clear Windows Event Logs 10 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

T1070.003 Indicator Removal: Clear Command History 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1070.004 Indicator Removal: File Deletion 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1070.005 Indicator Removal: Network Share Connection Removal 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1070.006 Indicator Removal: Timestomp 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Timestomp in Executable Files

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1127 Trusted Developer Utilities Proxy Execution 22 rules

Comparative authoring view → · attack.mitre.org

T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Silenttrinity Stager Msbuild Activity

Elastic

Process Injection by the Microsoft Build Engine

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1222 File and Directory Permissions Modification 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1484 Domain or Tenant Policy Modification 14 rules

Comparative authoring view → · attack.mitre.org

Elastic

Splunk

T1484.001 Domain or Tenant Policy Modification: Group Policy Modification 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1197 BITS Jobs 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Bitsadmin Activity

T1134 Access Token Manipulation 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

T1134.001 Access Token Manipulation: Token Impersonation/Theft 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Privilege Escalation via Rogue Named Pipe Impersonation

Splunk

T1134.002 Access Token Manipulation: Create Process with Token 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Process Creation via Secondary Logon

Splunk

Windows Access Token Manipulation SeDebugPrivilege

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1134.003 Access Token Manipulation: Make and Impersonate Token 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Process Creation via Secondary Logon

T1134.004 Access Token Manipulation: Parent PID Spoofing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

HackTool - PPID Spoofing SelectMyParent Tool Execution

T1134.005 Access Token Manipulation: SID-History Injection 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Addition of SID History to Active Directory Object

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1216 System Script Proxy Execution 13 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1216.001 System Script Proxy Execution: PubPrn 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1553 Subvert Trust Controls 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Renamed BOINC Client Execution

T1553.002 Subvert Trust Controls: Code Signing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Secure Deletion with SDelete

T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Persistence Via New SIP Provider

Splunk

T1553.004 Subvert Trust Controls: Install Root Certificate 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Registry Certificate Added

T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 10 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1550 Use Alternate Authentication Material 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Outgoing Logon with New Credentials

Elastic

Splunk

T1550.002 Use Alternate Authentication Material: Pass the Hash 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Pass-the-Hash (PtH) Attempt

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1550.003 Use Alternate Authentication Material: Pass the Ticket 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Rubeus Kerberos Ticket Exports Through Winlogon Access

T1207 Rogue Domain Controller 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1211 Exploitation for Defense Evasion 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

ASR Bypassing Writing Executable Content

T1220 XSL Script Processing 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1556 Modify Authentication Process 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Potential Shadow Credentials added to AD Object

Splunk

Disabling Windows Local Security Authority Defences via Registry

T1556.002 Modify Authentication Process: Password Filter DLL 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1620 Reflective Code Loading 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows MMC Loaded Script Engine DLL

T1014 Rootkit 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1542 Pre-OS Boot 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

Windows Registry BootExecute Modification

T1542.001 Pre-OS Boot: System Firmware 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1542.003 Pre-OS Boot: Bootkit 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Splunk

Windows WinLogon with Public Network Connection

T1006 Direct Volume Access 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

T1497.001 Virtualization/Sandbox Evasion: System Checks 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Powershell Detect Virtualization Environment

T1599.001 Network Boundary Bridging: Network Address Translation Traversal 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

WinDivert Driver Load

T1622 Debugger Evasion 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

PUA - Process Hacker Execution

Collection (22 techniques)

T1557 Adversary-in-the-Middle 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 19 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1557.003 Adversary-in-the-Middle: DHCP Spoofing 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

T1005 Data from Local System 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Sqlite Module In Temp Folder

Kusto Query Language

T1113 Screen Capture 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1560 Archive Collected Data 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1560.001 Archive Collected Data: Archive via Utility 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

IcedID Exfiltrated Archived File Creation

T1115 Clipboard Data 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows ClipBoard Data via Get-ClipBoard

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1185 Browser Session Hijacking 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1074.001 Data Staged: Local Data Staging 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Shai-Hulud 2 Exfiltration Artifact Files

T1114 Email Collection 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1114.001 Email Collection: Local Email Collection 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Powershell Local Email Collection

Splunk

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1119 Automated Collection 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1123 Audio Capture 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1025 Data from Removable Media 3 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1039 Data from Network Shared Drive 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Excessive share permissions

T1056 Input Capture 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

DNS Query Request To OneLaunch Update Service

T1056.001 Input Capture: Keylogging 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1056.002 Input Capture: GUI Input Capture 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Input Capture Using Credential UI Dll

T1056.004 Input Capture: Credential API Hooking 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1125 Video Capture 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Suspicious Camera and Microphone Access

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1213 Data from Information Repositories 1 rule

Comparative authoring view → · attack.mitre.org

Elastic

Access to a Sensitive LDAP Attribute

Command & Control (24 techniques)

T1105 Ingress Tool Transfer 69 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1219 Remote Access Tools 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1219.002 Remote Access Tools: Remote Desktop Software 37 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1572 Protocol Tunneling 24 rules

Comparative authoring view → · attack.mitre.org

Splunk

Ngrok Reverse Proxy on Network

Kusto Query Language

T1090 Proxy 16 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Ngrok Reverse Proxy on Network

Kusto Query Language

Ngrok Reverse Proxy on Network (ASIM DNS Solution)

T1090.001 Proxy: Internal Proxy 7 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Proxy Via Registry

T1090.002 Proxy: External Proxy 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1090.003 Proxy: Multi-hop Proxy 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1071 Application Layer Protocol 10 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1071.001 Application Layer Protocol: Web Protocols 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1071.003 Application Layer Protocol: Mail Protocols 3 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1071.004 Application Layer Protocol: DNS 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1102 Web Service 14 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

Ngrok Reverse Proxy on Network (ASIM DNS Solution)

T1102.001 Web Service: Dead Drop Resolver 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1102.002 Web Service: Bidirectional Communication 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Github Self-Hosted Runner Execution

Splunk

Windows DNS Query Request by Telegram Bot API

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1008 Fallback Channels 8 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Windows Outlook Macro Security Modified

Kusto Query Language

T1568 Dynamic Resolution 5 rules

Comparative authoring view → · attack.mitre.org

Kusto Query Language

T1568.002 Dynamic Resolution: Domain Generation Algorithms 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Communication To Ngrok Tunneling Service Initiated

T1132.001 Data Encoding: Standard Encoding 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1571 Non-Standard Port 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Potential beaconing activity (ASIM Network Session schema)

T1001.003 Data Obfuscation: Protocol or Service Impersonation 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1095 Non-Application Layer Protocol 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1573 Encrypted Channel 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Suspicious SSL Connection

Kusto Query Language

Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)

T1573.002 Encrypted Channel: Asymmetric Cryptography 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

Exfiltration (9 techniques)

T1567 Exfiltration Over Web Service 9 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

LOLBAS With Network Traffic

T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository 2 rules

Comparative authoring view → · attack.mitre.org

Sigma

Network Connection Initiated To DevTunnels Domain

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

T1048 Exfiltration Over Alternative Protocol 11 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

DNS Exfiltration and Tunneling Tools Execution

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1041 Exfiltration Over C2 Channel 6 rules

Comparative authoring view → · attack.mitre.org

Sigma

Network Communication Initiated To Portmap.IO Domain

Splunk

Kusto Query Language

T1020 Automated Exfiltration 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

Deimos Component Execution

T1537 Transfer Data to Cloud Account 1 rule

Comparative authoring view → · attack.mitre.org

Splunk

High Frequency Copy Of Files In Network Share

Impact (14 techniques)

T1490 Inhibit System Recovery 26 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1485 Data Destruction 18 rules

Comparative authoring view → · attack.mitre.org

T1486 Data Encrypted for Impact 15 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

Kusto Query Language

T1489 Service Stop 12 rules

Comparative authoring view → · attack.mitre.org

Sigma

Splunk

T1531 Account Access Removal 5 rules

Comparative authoring view → · attack.mitre.org

Sigma

Elastic

Account Password Reset Remotely

Splunk

T1491 Defacement 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1491.001 Defacement: Internal Defacement 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1496 Resource Hijacking 4 rules

Comparative authoring view → · attack.mitre.org

Sigma

Kusto Query Language

T1529 System Shutdown/Reboot 3 rules

Comparative authoring view → · attack.mitre.org

Sigma

T1561.002 Disk Wipe: Disk Structure Wipe 2 rules

Comparative authoring view → · attack.mitre.org

Splunk

T1499 Endpoint Denial of Service 1 rule

Comparative authoring view → · attack.mitre.org

Kusto Query Language

Excessive number of failed connections from a single source (ASIM Network Session schema)

T1499.004 Endpoint Denial of Service: Application or System Exploitation 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Audit CVE Event

T1565 Data Manipulation 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

Powershell Add Name Resolution Policy Table Rule

T1565.002 Data Manipulation: Transmitted Data Manipulation 1 rule

Comparative authoring view → · attack.mitre.org

Sigma

ISATAP Router Address Was Set