Detection rules

5975 catalog-relevant detection rules from Sigma, Elastic, Splunk, and Kusto, of which 5974 have been parsed into the vendor-neutral intermediate representation. Each rule page surfaces the rule's predicates, its exclusions, and the indicators that other rules share with it.

Reconnaissance

Gather Victim Identity Information T1589 3 rules
Gather Victim Identity Information: Credentials T1589.001 1 rule
Gather Victim Identity Information: Email Addresses T1589.002 2 rules
Gather Victim Network Information T1590 11 rules
Gather Victim Network Information: Domain Properties T1590.001 1 rule
Gather Victim Network Information: DNS T1590.002 2 rules
Gather Victim Network Information: IP Addresses T1590.005 2 rules
Gather Victim Host Information T1592 6 rules
Gather Victim Host Information: Hardware T1592.001 1 rule
Gather Victim Host Information: Software T1592.002 1 rule
Gather Victim Host Information: Client Configurations T1592.004 1 rule
Search Open Websites/Domains T1593 1 rule
Search Open Websites/Domains: Code Repositories T1593.003 1 rule
Active Scanning T1595 6 rules
Active Scanning: Scanning IP Blocks T1595.001 2 rules
Active Scanning: Vulnerability Scanning T1595.002 1 rule
Phishing for Information T1598 2 rules
Phishing for Information: Spearphishing Attachment T1598.002 2 rules

Resource Development

Compromise Infrastructure T1584 2 rules
Develop Capabilities T1587 15 rules
Develop Capabilities: Malware T1587.001 10 rules
Develop Capabilities: Digital Certificates T1587.003 1 rule
Obtain Capabilities T1588 12 rules
Obtain Capabilities: Tool T1588.002 12 rules
Stage Capabilities T1608 6 rules
Stage Capabilities: Upload Malware T1608.001 1 rule
Stage Capabilities: Upload Tool T1608.002 1 rule

Initial Access

Valid Accounts T1078 67 rules
Valid Accounts: Default Accounts T1078.001 6 rules
Valid Accounts: Domain Accounts T1078.002 20 rules
Valid Accounts: Local Accounts T1078.003 4 rules
Valid Accounts: Cloud Accounts T1078.004 1 rule
Replication Through Removable Media T1091 8 rules
External Remote Services T1133 28 rules
Drive-by Compromise T1189 5 rules
Exploit Public-Facing Application T1190 81 rules
Supply Chain Compromise T1195 34 rules
Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 1 rule
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 24 rules
Hardware Additions T1200 6 rules
Phishing T1566 83 rules
Phishing: Spearphishing Attachment T1566.001 69 rules
Phishing: Spearphishing Link T1566.002 18 rules

Execution

Windows Management Instrumentation T1047 108 rules
Scheduled Task/Job T1053 133 rules
Scheduled Task/Job: At T1053.002 5 rules
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
Command and Scripting Interpreter T1059 732 rules
Command and Scripting Interpreter: PowerShell T1059.001 406 rules
Command and Scripting Interpreter: AppleScript T1059.002 2 rules
Command and Scripting Interpreter: Windows Command Shell T1059.003 138 rules
Command and Scripting Interpreter: Unix Shell T1059.004 11 rules
Command and Scripting Interpreter: Visual Basic T1059.005 57 rules
Command and Scripting Interpreter: Python T1059.006 11 rules
Command and Scripting Interpreter: JavaScript T1059.007 45 rules
Command and Scripting Interpreter: Cloud API T1059.009 1 rule
Command and Scripting Interpreter: AutoHotKey & AutoIT T1059.010 1 rule
Software Deployment Tools T1072 11 rules
Native API T1106 20 rules
Trusted Developer Utilities Proxy Execution T1127 54 rules
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 20 rules
Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule
Shared Modules T1129 11 rules
BITS Jobs T1197 28 rules
Exploitation for Client Execution T1203 44 rules
User Execution T1204 143 rules
User Execution: Malicious Link T1204.001 8 rules
User Execution: Malicious File T1204.002 103 rules
User Execution: Malicious Copy and Paste T1204.004 8 rules
Inter-Process Communication T1559 24 rules
Inter-Process Communication: Component Object Model T1559.001 16 rules
Inter-Process Communication: Dynamic Data Exchange T1559.002 1 rule
System Services T1569 88 rules
System Services: Service Execution T1569.002 76 rules
Hijack Execution Flow T1574 183 rules
Hijack Execution Flow: DLL T1574.001 118 rules
Hijack Execution Flow: DLL Side-Loading T1574.002 10 rules
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 2 rules
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 5 rules
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules
Hijack Execution Flow: Services File Permissions Weakness T1574.010 6 rules
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules
Hijack Execution Flow: COR_PROFILER T1574.012 2 rules
Hijack Execution Flow: AppDomainManager T1574.014 1 rule

Persistence

Boot or Logon Initialization Scripts T1037 10 rules
Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules
Scheduled Task/Job T1053 133 rules
Scheduled Task/Job: At T1053.002 5 rules
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
Valid Accounts T1078 67 rules
Valid Accounts: Default Accounts T1078.001 6 rules
Valid Accounts: Domain Accounts T1078.002 20 rules
Valid Accounts: Local Accounts T1078.003 4 rules
Valid Accounts: Cloud Accounts T1078.004 1 rule
Account Manipulation T1098 113 rules
Account Manipulation: Additional Email Delegate Permissions T1098.002 1 rule
Account Manipulation: Additional Local or Domain Groups T1098.007 1 rule
Modify Registry T1112 251 rules
External Remote Services T1133 28 rules
Create Account T1136 44 rules
Create Account: Local Account T1136.001 27 rules
Create Account: Domain Account T1136.002 18 rules
Create Account: Cloud Account T1136.003 1 rule
Office Application Startup T1137 21 rules
Office Application Startup: Office Test T1137.002 2 rules
Office Application Startup: Outlook Forms T1137.003 1 rule
Office Application Startup: Outlook Home Page T1137.004 1 rule
Office Application Startup: Add-ins T1137.006 5 rules
Software Extensions T1176 6 rules
Software Extensions: Browser Extensions T1176.001 4 rules
BITS Jobs T1197 28 rules
Server Software Component T1505 66 rules
Server Software Component: SQL Stored Procedures T1505.001 12 rules
Server Software Component: Transport Agent T1505.002 3 rules
Server Software Component: Web Shell T1505.003 30 rules
Server Software Component: IIS Components T1505.004 20 rules
Server Software Component: Terminal Services DLL T1505.005 1 rule
Pre-OS Boot T1542 8 rules
Pre-OS Boot: System Firmware T1542.001 3 rules
Pre-OS Boot: Bootkit T1542.003 3 rules
Create or Modify System Process T1543 135 rules
Create or Modify System Process: Launch Agent T1543.001 1 rule
Create or Modify System Process: Systemd Service T1543.002 2 rules
Create or Modify System Process: Windows Service T1543.003 108 rules
Create or Modify System Process: Launch Daemon T1543.004 1 rule
Event Triggered Execution T1546 139 rules
Event Triggered Execution: Change Default File Association T1546.001 7 rules
Event Triggered Execution: Screensaver T1546.002 6 rules
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules
Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules
Event Triggered Execution: Accessibility Features T1546.008 22 rules
Event Triggered Execution: AppCert DLLs T1546.009 5 rules
Event Triggered Execution: AppInit DLLs T1546.010 3 rules
Event Triggered Execution: Application Shimming T1546.011 11 rules
Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules
Event Triggered Execution: PowerShell Profile T1546.013 3 rules
Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules
Boot or Logon Autostart Execution T1547 154 rules
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 84 rules
Boot or Logon Autostart Execution: Authentication Package T1547.002 7 rules
Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules
Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 7 rules
Boot or Logon Autostart Execution: Security Support Provider T1547.005 5 rules
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 2 rules
Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules
Boot or Logon Autostart Execution: Shortcut Modification T1547.009 10 rules
Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules
Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules
Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules
Boot or Logon Autostart Execution: Login Items T1547.015 1 rule
Compromise Host Software Binary T1554 15 rules
Modify Authentication Process T1556 14 rules
Modify Authentication Process: Password Filter DLL T1556.002 5 rules
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
Modify Authentication Process: Network Provider DLL T1556.008 1 rule

Privilege Escalation

Boot or Logon Initialization Scripts T1037 10 rules
Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules
Scheduled Task/Job T1053 133 rules
Scheduled Task/Job: At T1053.002 5 rules
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
Process Injection T1055 125 rules
Process Injection: Dynamic-link Library Injection T1055.001 19 rules
Process Injection: Portable Executable Injection T1055.002 6 rules
Process Injection: Thread Execution Hijacking T1055.003 3 rules
Process Injection: Asynchronous Procedure Call T1055.004 1 rule
Process Injection: Extra Window Memory Injection T1055.011 1 rule
Process Injection: Process Hollowing T1055.012 10 rules
Process Injection: Process Doppelgänging T1055.013 1 rule
Exploitation for Privilege Escalation T1068 62 rules
Valid Accounts T1078 67 rules
Valid Accounts: Default Accounts T1078.001 6 rules
Valid Accounts: Domain Accounts T1078.002 20 rules
Valid Accounts: Local Accounts T1078.003 4 rules
Valid Accounts: Cloud Accounts T1078.004 1 rule
Account Manipulation T1098 113 rules
Account Manipulation: Additional Email Delegate Permissions T1098.002 1 rule
Account Manipulation: Additional Local or Domain Groups T1098.007 1 rule
Access Token Manipulation T1134 49 rules
Access Token Manipulation: Token Impersonation/Theft T1134.001 18 rules
Access Token Manipulation: Create Process with Token T1134.002 16 rules
Access Token Manipulation: Make and Impersonate Token T1134.003 4 rules
Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules
Access Token Manipulation: SID-History Injection T1134.005 6 rules
Domain or Tenant Policy Modification T1484 33 rules
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 20 rules
Create or Modify System Process T1543 135 rules
Create or Modify System Process: Launch Agent T1543.001 1 rule
Create or Modify System Process: Systemd Service T1543.002 2 rules
Create or Modify System Process: Windows Service T1543.003 108 rules
Create or Modify System Process: Launch Daemon T1543.004 1 rule
Event Triggered Execution T1546 139 rules
Event Triggered Execution: Change Default File Association T1546.001 7 rules
Event Triggered Execution: Screensaver T1546.002 6 rules
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules
Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules
Event Triggered Execution: Accessibility Features T1546.008 22 rules
Event Triggered Execution: AppCert DLLs T1546.009 5 rules
Event Triggered Execution: AppInit DLLs T1546.010 3 rules
Event Triggered Execution: Application Shimming T1546.011 11 rules
Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules
Event Triggered Execution: PowerShell Profile T1546.013 3 rules
Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules
Boot or Logon Autostart Execution T1547 154 rules
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 84 rules
Boot or Logon Autostart Execution: Authentication Package T1547.002 7 rules
Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules
Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 7 rules
Boot or Logon Autostart Execution: Security Support Provider T1547.005 5 rules
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 2 rules
Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules
Boot or Logon Autostart Execution: Shortcut Modification T1547.009 10 rules
Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules
Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules
Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules
Boot or Logon Autostart Execution: Login Items T1547.015 1 rule
Abuse Elevation Control Mechanism T1548 120 rules
Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 104 rules
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 1 rule
Escape to Host T1611 2 rules

Stealth

Direct Volume Access T1006 3 rules
Rootkit T1014 2 rules
Obfuscated Files or Information T1027 200 rules
Obfuscated Files or Information: Binary Padding T1027.001 4 rules
Obfuscated Files or Information: Software Packing T1027.002 1 rule
Obfuscated Files or Information: Steganography T1027.003 1 rule
Obfuscated Files or Information: Compile After Delivery T1027.004 12 rules
Obfuscated Files or Information: Indicator Removal from Tools T1027.005 6 rules
Obfuscated Files or Information: HTML Smuggling T1027.006 1 rule
Obfuscated Files or Information: Embedded Payloads T1027.009 2 rules
Obfuscated Files or Information: Command Obfuscation T1027.010 30 rules
Obfuscated Files or Information: Fileless Storage T1027.011 3 rules
Obfuscated Files or Information: Encrypted/Encoded File T1027.013 2 rules
Obfuscated Files or Information: Compression T1027.015 1 rule
Masquerading T1036 202 rules
Masquerading: Invalid Code Signature T1036.001 15 rules
Masquerading: Right-to-Left Override T1036.002 6 rules
Masquerading: Rename Legitimate Utilities T1036.003 50 rules
Masquerading: Masquerade Task or Service T1036.004 11 rules
Masquerading: Match Legitimate Resource Name or Location T1036.005 50 rules
Masquerading: Double File Extension T1036.007 6 rules
Masquerading: Masquerade File Type T1036.008 4 rules
Masquerading: Break Process Trees T1036.009 3 rules
Process Injection T1055 125 rules
Process Injection: Dynamic-link Library Injection T1055.001 19 rules
Process Injection: Portable Executable Injection T1055.002 6 rules
Process Injection: Thread Execution Hijacking T1055.003 3 rules
Process Injection: Asynchronous Procedure Call T1055.004 1 rule
Process Injection: Extra Window Memory Injection T1055.011 1 rule
Process Injection: Process Hollowing T1055.012 10 rules
Process Injection: Process Doppelgänging T1055.013 1 rule
Indicator Removal T1070 87 rules
Indicator Removal: Clear Windows Event Logs T1070.001 11 rules
Indicator Removal: Clear Command History T1070.003 10 rules
Indicator Removal: File Deletion T1070.004 24 rules
Indicator Removal: Network Share Connection Removal T1070.005 6 rules
Indicator Removal: Timestomp T1070.006 9 rules
Indicator Removal: Clear Mailbox Data T1070.008 1 rule
Valid Accounts T1078 67 rules
Valid Accounts: Default Accounts T1078.001 6 rules
Valid Accounts: Domain Accounts T1078.002 20 rules
Valid Accounts: Local Accounts T1078.003 4 rules
Valid Accounts: Cloud Accounts T1078.004 1 rule
Trusted Developer Utilities Proxy Execution T1127 54 rules
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 20 rules
Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule
Access Token Manipulation T1134 49 rules
Access Token Manipulation: Token Impersonation/Theft T1134.001 18 rules
Access Token Manipulation: Create Process with Token T1134.002 16 rules
Access Token Manipulation: Make and Impersonate Token T1134.003 4 rules
Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules
Access Token Manipulation: SID-History Injection T1134.005 6 rules
Deobfuscate/Decode Files or Information T1140 44 rules
BITS Jobs T1197 28 rules
Indirect Command Execution T1202 62 rules
Exploitation for Stealth T1211 9 rules
System Script Proxy Execution T1216 19 rules
System Script Proxy Execution: PubPrn T1216.001 2 rules
System Binary Proxy Execution T1218 526 rules
System Binary Proxy Execution: Compiled HTML File T1218.001 22 rules
System Binary Proxy Execution: Control Panel T1218.002 10 rules
System Binary Proxy Execution: CMSTP T1218.003 23 rules
System Binary Proxy Execution: InstallUtil T1218.004 16 rules
System Binary Proxy Execution: Mshta T1218.005 51 rules
System Binary Proxy Execution: Msiexec T1218.007 50 rules
System Binary Proxy Execution: Odbcconf T1218.008 17 rules
System Binary Proxy Execution: Regsvcs/Regasm T1218.009 17 rules
System Binary Proxy Execution: Regsvr32 T1218.010 48 rules
System Binary Proxy Execution: Rundll32 T1218.011 121 rules
System Binary Proxy Execution: Verclsid T1218.012 1 rule
System Binary Proxy Execution: Mavinject T1218.013 3 rules
System Binary Proxy Execution: MMC T1218.014 22 rules
XSL Script Processing T1220 14 rules
Template Injection T1221 1 rule
Virtualization/Sandbox Evasion T1497 14 rules
Virtualization/Sandbox Evasion: System Checks T1497.001 3 rules
Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules
Pre-OS Boot T1542 8 rules
Pre-OS Boot: System Firmware T1542.001 3 rules
Pre-OS Boot: Bootkit T1542.003 3 rules
Impair Defenses T1562 92 rules
Impair Defenses: Disable or Modify Tools T1562.001 42 rules
Impair Defenses: Disable Windows Event Logging T1562.002 9 rules
Impair Defenses: Disable or Modify System Firewall T1562.004 20 rules
Impair Defenses: Indicator Blocking T1562.006 5 rules
Impair Defenses: Downgrade Attack T1562.010 3 rules
Hide Artifacts T1564 96 rules
Hide Artifacts: Hidden Files and Directories T1564.001 11 rules
Hide Artifacts: Hidden Users T1564.002 6 rules
Hide Artifacts: Hidden Window T1564.003 13 rules
Hide Artifacts: NTFS File Attributes T1564.004 33 rules
Hide Artifacts: Run Virtual Instance T1564.006 8 rules
Hide Artifacts: Email Hiding Rules T1564.008 2 rules
Hijack Execution Flow T1574 183 rules
Hijack Execution Flow: DLL T1574.001 118 rules
Hijack Execution Flow: DLL Side-Loading T1574.002 10 rules
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 2 rules
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 5 rules
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules
Hijack Execution Flow: Services File Permissions Weakness T1574.010 6 rules
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules
Hijack Execution Flow: COR_PROFILER T1574.012 2 rules
Hijack Execution Flow: AppDomainManager T1574.014 1 rule
Reflective Code Loading T1620 4 rules
Debugger Evasion T1622 1 rule

Defense Impairment

Modify Registry T1112 251 rules
Rogue Domain Controller T1207 7 rules
File and Directory Permissions Modification T1222 50 rules
File and Directory Permissions Modification: Windows Permissions T1222.001 41 rules
Domain or Tenant Policy Modification T1484 33 rules
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 20 rules
Subvert Trust Controls T1553 38 rules
Subvert Trust Controls: Code Signing T1553.002 3 rules
Subvert Trust Controls: SIP and Trust Provider Hijacking T1553.003 6 rules
Subvert Trust Controls: Install Root Certificate T1553.004 11 rules
Subvert Trust Controls: Mark-of-the-Web Bypass T1553.005 13 rules
Subvert Trust Controls: Code Signing Policy Modification T1553.006 2 rules
Modify Authentication Process T1556 14 rules
Modify Authentication Process: Password Filter DLL T1556.002 5 rules
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
Modify Authentication Process: Network Provider DLL T1556.008 1 rule
Network Boundary Bridging T1599 1 rule
Network Boundary Bridging: Network Address Translation Traversal T1599.001 1 rule
Disable or Modify Tools T1685 274 rules
Disable or Modify Tools: Disable or Modify Windows Event Log T1685.001 40 rules
Disable or Modify Tools: Clear Windows Event Logs T1685.005 12 rules
Disable or Modify System Firewall T1686 28 rules
Disable or Modify System Firewall: Cloud Firewall T1686.001 2 rules
Disable or Modify System Firewall: Windows Host Firewall T1686.003 20 rules
Safe Mode Boot T1688 1 rule
Downgrade Attack T1689 2 rules

Credential Access

OS Credential Dumping T1003 313 rules
OS Credential Dumping: LSASS Memory T1003.001 149 rules
OS Credential Dumping: Security Account Manager T1003.002 48 rules
OS Credential Dumping: NTDS T1003.003 54 rules
OS Credential Dumping: LSA Secrets T1003.004 16 rules
OS Credential Dumping: Cached Domain Credentials T1003.005 13 rules
OS Credential Dumping: DCSync T1003.006 19 rules
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 1 rule
Network Sniffing T1040 9 rules
Input Capture T1056 10 rules
Input Capture: Keylogging T1056.001 3 rules
Input Capture: GUI Input Capture T1056.002 3 rules
Input Capture: Credential API Hooking T1056.004 4 rules
Brute Force T1110 45 rules
Brute Force: Password Guessing T1110.001 10 rules
Brute Force: Password Cracking T1110.002 1 rule
Brute Force: Password Spraying T1110.003 26 rules
Brute Force: Credential Stuffing T1110.004 1 rule
Forced Authentication T1187 21 rules
Exploitation for Credential Access T1212 6 rules
Steal Application Access Token T1528 5 rules
Steal Web Session Cookie T1539 3 rules
Unsecured Credentials T1552 67 rules
Unsecured Credentials: Credentials In Files T1552.001 30 rules
Unsecured Credentials: Credentials in Registry T1552.002 10 rules
Unsecured Credentials: Private Keys T1552.004 15 rules
Unsecured Credentials: Group Policy Preferences T1552.006 6 rules
Credentials from Password Stores T1555 44 rules
Credentials from Password Stores: Credentials from Web Browsers T1555.003 17 rules
Credentials from Password Stores: Windows Credential Manager T1555.004 9 rules
Credentials from Password Stores: Password Managers T1555.005 2 rules
Modify Authentication Process T1556 14 rules
Modify Authentication Process: Password Filter DLL T1556.002 5 rules
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
Modify Authentication Process: Network Provider DLL T1556.008 1 rule
Adversary-in-the-Middle T1557 37 rules
Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 25 rules
Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule
Steal or Forge Kerberos Tickets T1558 67 rules
Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 10 rules
Steal or Forge Kerberos Tickets: Silver Ticket T1558.002 7 rules
Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 32 rules
Steal or Forge Kerberos Tickets: AS-REP Roasting T1558.004 8 rules
Steal or Forge Authentication Certificates T1649 25 rules

Discovery

System Service Discovery T1007 17 rules
Application Window Discovery T1010 2 rules
Query Registry T1012 31 rules
System Network Configuration Discovery T1016 43 rules
System Network Configuration Discovery: Internet Connection Discovery T1016.001 5 rules
Remote System Discovery T1018 66 rules
System Owner/User Discovery T1033 55 rules
Network Sniffing T1040 9 rules
Network Service Discovery T1046 31 rules
System Network Connections Discovery T1049 22 rules
Process Discovery T1057 18 rules
Permission Groups Discovery T1069 89 rules
Permission Groups Discovery: Local Groups T1069.001 37 rules
Permission Groups Discovery: Domain Groups T1069.002 66 rules
Permission Groups Discovery: Cloud Groups T1069.003 1 rule
System Information Discovery T1082 64 rules
File and Directory Discovery T1083 17 rules
Account Discovery T1087 132 rules
Account Discovery: Local Account T1087.001 38 rules
Account Discovery: Domain Account T1087.002 84 rules
Account Discovery: Email Account T1087.003 1 rule
Peripheral Device Discovery T1120 5 rules
System Time Discovery T1124 5 rules
Network Share Discovery T1135 28 rules
Password Policy Discovery T1201 17 rules
Browser Information Discovery T1217 4 rules
Domain Trust Discovery T1482 53 rules
Virtualization/Sandbox Evasion T1497 14 rules
Virtualization/Sandbox Evasion: System Checks T1497.001 3 rules
Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules
Software Discovery T1518 22 rules
Software Discovery: Security Software Discovery T1518.001 12 rules
Cloud Service Discovery T1526 1 rule
System Location Discovery T1614 6 rules
System Location Discovery: System Language Discovery T1614.001 4 rules
Group Policy Discovery T1615 9 rules
Debugger Evasion T1622 1 rule
Log Enumeration T1654 1 rule

Lateral Movement

Remote Services T1021 242 rules
Remote Services: Remote Desktop Protocol T1021.001 57 rules
Remote Services: SMB/Windows Admin Shares T1021.002 97 rules
Remote Services: Distributed Component Object Model T1021.003 38 rules
Remote Services: SSH T1021.004 10 rules
Remote Services: VNC T1021.005 1 rule
Remote Services: Windows Remote Management T1021.006 31 rules
Remote Services: Cloud Services T1021.007 1 rule
Software Deployment Tools T1072 11 rules
Taint Shared Content T1080 2 rules
Replication Through Removable Media T1091 8 rules
Exploitation of Remote Services T1210 27 rules
Use Alternate Authentication Material T1550 29 rules
Use Alternate Authentication Material: Pass the Hash T1550.002 13 rules
Use Alternate Authentication Material: Pass the Ticket T1550.003 10 rules
Remote Service Session Hijacking T1563 8 rules
Remote Service Session Hijacking: RDP Hijacking T1563.002 8 rules
Lateral Tool Transfer T1570 33 rules

Collection

Data from Local System T1005 26 rules
Data from Removable Media T1025 4 rules
Data from Network Shared Drive T1039 9 rules
Input Capture T1056 10 rules
Input Capture: Keylogging T1056.001 3 rules
Input Capture: GUI Input Capture T1056.002 3 rules
Input Capture: Credential API Hooking T1056.004 4 rules
Data Staged T1074 17 rules
Data Staged: Local Data Staging T1074.001 14 rules
Data Staged: Remote Data Staging T1074.002 1 rule
Screen Capture T1113 18 rules
Email Collection T1114 13 rules
Email Collection: Local Email Collection T1114.001 8 rules
Email Collection: Remote Email Collection T1114.002 3 rules
Email Collection: Email Forwarding Rule T1114.003 2 rules
Clipboard Data T1115 9 rules
Automated Collection T1119 16 rules
Audio Capture T1123 4 rules
Video Capture T1125 4 rules
Browser Session Hijacking T1185 11 rules
Data from Information Repositories T1213 2 rules
Data from Cloud Storage T1530 1 rule
Adversary-in-the-Middle T1557 37 rules
Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 25 rules
Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule
Archive Collected Data T1560 34 rules
Archive Collected Data: Archive via Utility T1560.001 24 rules
Archive Collected Data: Archive via Library T1560.002 1 rule

Command & Control

Data Obfuscation T1001 5 rules
Data Obfuscation: Protocol or Service Impersonation T1001.003 2 rules
Fallback Channels T1008 9 rules
Application Layer Protocol T1071 78 rules
Application Layer Protocol: Web Protocols T1071.001 27 rules
Application Layer Protocol: File Transfer Protocols T1071.002 6 rules
Application Layer Protocol: Mail Protocols T1071.003 3 rules
Application Layer Protocol: DNS T1071.004 25 rules
Proxy T1090 39 rules
Proxy: Internal Proxy T1090.001 9 rules
Proxy: External Proxy T1090.002 4 rules
Proxy: Multi-hop Proxy T1090.003 4 rules
Proxy: Domain Fronting T1090.004 1 rule
Non-Application Layer Protocol T1095 11 rules
Web Service T1102 21 rules
Web Service: Dead Drop Resolver T1102.001 3 rules
Web Service: Bidirectional Communication T1102.002 6 rules
Ingress Tool Transfer T1105 191 rules
Data Encoding T1132 11 rules
Data Encoding: Standard Encoding T1132.001 5 rules
Remote Access Tools T1219 84 rules
Remote Access Tools: Remote Desktop Software T1219.002 45 rules
Dynamic Resolution T1568 8 rules
Dynamic Resolution: Domain Generation Algorithms T1568.002 2 rules
Non-Standard Port T1571 4 rules
Protocol Tunneling T1572 54 rules
Encrypted Channel T1573 6 rules
Encrypted Channel: Asymmetric Cryptography T1573.002 1 rule

Exfiltration

Exfiltration Over Other Network Medium T1011 1 rule
Automated Exfiltration T1020 10 rules
Scheduled Transfer T1029 1 rule
Data Transfer Size Limits T1030 3 rules
Exfiltration Over C2 Channel T1041 14 rules
Exfiltration Over Alternative Protocol T1048 47 rules
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001 1 rule
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 18 rules
Exfiltration Over Physical Medium T1052 1 rule
Exfiltration Over Physical Medium: Exfiltration over USB T1052.001 1 rule
Transfer Data to Cloud Account T1537 1 rule
Exfiltration Over Web Service T1567 39 rules
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 3 rules
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 19 rules
Exfiltration Over Web Service: Exfiltration to Text Storage Sites T1567.003 1 rule

Impact

Data Destruction T1485 28 rules
Data Encrypted for Impact T1486 28 rules
Service Stop T1489 29 rules
Inhibit System Recovery T1490 56 rules
Defacement T1491 6 rules
Defacement: Internal Defacement T1491.001 4 rules
Resource Hijacking T1496 7 rules
Network Denial of Service T1498 1 rule
Endpoint Denial of Service T1499 5 rules
Endpoint Denial of Service: Application or System Exploitation T1499.004 1 rule
System Shutdown/Reboot T1529 7 rules
Account Access Removal T1531 10 rules
Disk Wipe T1561 2 rules
Disk Wipe: Disk Structure Wipe T1561.002 2 rules
Data Manipulation T1565 3 rules
Data Manipulation: Stored Data Manipulation T1565.001 1 rule
Data Manipulation: Transmitted Data Manipulation T1565.002 1 rule

Uncategorized

T0136 T0136 2 rules

Untagged