MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1505.005 Server Software Component: Terminal Services DLL, T1546.007 Event Triggered Execution: Netsh Helper DLL, T1546.008 Event Triggered Execution: Accessibility Features, T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.002 Boot or Logon Autostart Execution: Authentication Package, T1547.010 Boot or Logon Autostart Execution: Port Monitors, T1547.014 Boot or Logon Autostart Execution: Active Setup, T1556.002 Modify Authentication Process: Password Filter DLL, T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable |
| Privilege Escalation | T1546.007 Event Triggered Execution: Netsh Helper DLL, T1546.008 Event Triggered Execution: Accessibility Features, T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.002 Boot or Logon Autostart Execution: Authentication Package, T1547.010 Boot or Logon Autostart Execution: Port Monitors, T1547.014 Boot or Logon Autostart Execution: Active Setup, T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable |
| Defense Evasion | T1556.002 Modify Authentication Process: Password Filter DLL, T1562 Impair Defenses, T1562.002 Impair Defenses: Disable Windows Event Logging, T1564.002 Hide Artifacts: Hidden Users, T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable |
| Credential Access | T1556.002 Modify Authentication Process: Password Filter DLL, T1557 Adversary-in-the-Middle |
| Discovery | T1082 System Information Discovery |
| Collection | T1557 Adversary-in-the-Middle |
Stages and Predicates
Stage 1: selection_img (either predicate matches)
    - Image|endswith: '\secedit.exe'
    - OriginalFileName: SeCEdit
Stage 2: 1 of selection_flags_discovery (at least one predicate matches)
    - CommandLine|contains: '/cfg'
    - CommandLine|contains: '/export'
Stage 3: 1 of selection_flags_configure (at least one predicate matches)
    - CommandLine|contains: '/configure'
    - CommandLine|contains: '/db'
Note that Sigma string matching (endswith, contains, and plain equality) is case-insensitive by default, so `SECEDIT.EXE` and `/CONFIGURE` match just as well as the lowercase spellings above. Also, `/cfg` is a valid argument to `secedit /configure` as well as to `secedit /export`, so a single policy-import command line can satisfy Stage 2 and Stage 3 at the same time; the two flag groups should be read as overlapping labels, not as mutually exclusive branches.
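The following is an added example, not code from the catalog or from the rule's author: it transcribes the three predicate groups above into Python and runs them over a handful of constructed Sysmon-style process-creation events (the field names Image, OriginalFileName and CommandLine are the ones the rule uses; the sample command lines and paths are invented for illustration). It applies Sigma's default case-insensitive matching and reports each flag group separately, which makes the `/cfg` overlap between the export and configure forms visible, and it includes a renamed binary to show why the OriginalFileName predicate matters.

```python
"""Evaluate the secedit.exe predicates from the rule page against constructed
process-creation events. Added example; not the catalog's own code."""

# Predicates transcribed from the rule page. Sigma string matching is
# case-insensitive by default, so every comparison below lowercases both sides.
IMAGE_SUFFIX = "\\secedit.exe"           # Image|endswith: '\secedit.exe'
ORIGINAL_FILE_NAME = "secedit"           # OriginalFileName: SeCEdit
DISCOVERY_FLAGS = ("/cfg", "/export")    # selection_flags_discovery (1 of)
CONFIGURE_FLAGS = ("/configure", "/db")  # selection_flags_configure (1 of)


def selection_img(event: dict) -> bool:
    """Stage 1: either predicate may match (the rule lists them as alternatives)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def one_of(event: dict, flags: tuple) -> bool:
    """Sigma '1 of' over a group of CommandLine|contains predicates."""
    cmdline = event.get("CommandLine", "").lower()
    return any(flag in cmdline for flag in flags)


def evaluate(event: dict) -> list:
    """Return the flag groups that fired for an event; empty list means no alert."""
    if not selection_img(event):
        return []
    hits = []
    if one_of(event, DISCOVERY_FLAGS):
        hits.append("selection_flags_discovery")
    if one_of(event, CONFIGURE_FLAGS):
        hits.append("selection_flags_configure")
    return hits


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {   # 0: policy export to an .inf file -> discovery group only
        "Image": r"C:\Windows\System32\secedit.exe",
        "OriginalFileName": "SeCEdit",
        "CommandLine": r"secedit /export /cfg C:\Users\Public\policy.inf",
    },
    {   # 1: applying a template from a database; /cfg is also present,
        #    so both the discovery and the configure group fire
        "Image": r"C:\Windows\System32\secedit.exe",
        "OriginalFileName": "SeCEdit",
        "CommandLine": r"secedit /configure /db C:\Users\Public\pol.sdb /cfg C:\Users\Public\policy.inf",
    },
    {   # 2: renamed binary and upper-case flags; Image no longer matches,
        #    OriginalFileName from the PE version resource still does
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "SeCEdit",
        "CommandLine": r"svchost.exe /CONFIGURE /DB C:\Users\Public\pol.sdb",
    },
    {   # 3: unrelated binary whose arguments happen to contain '/export';
        #    Stage 1 fails, so the flag groups are never consulted
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo /export",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event; return (index, fired groups) for alerting events only."""
    results = []
    for idx, event in enumerate(events):
        groups = evaluate(event)
        if groups:
            results.append((idx, groups))
    return results


if __name__ == "__main__":
    for idx, groups in run():
        print(f"event {idx}: {', '.join(groups)}")
```

Running the block prints an alert for events 0, 1 and 2 and nothing for event 3. Event 2 is the case to watch in production: a copied and renamed secedit.exe still carries `SeCEdit` in its version resource, which is why the rule keys on OriginalFileName and not only on the image path, and why a tuning exclusion on the path alone would be a mistake.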
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while a blank or a count of 1 means the indicator appears in no other rule and is specific to this one.