security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4989d43ae97015f8113aed2efcd49d288b8fec21
blue-team-tools/other/sigma_attack_nav_coverage.json
T
AaronHerman 2a595eda60 update MITRE ATT&CK Navigator export
2022-08-20 11:50:25 -05:00

1676 lines
143 KiB
JSON
Raw Blame History

{
"name": "Sigma rules heatmap",
"versions": {
"attack": "10",
"navigator": "4.4.4",
"layer": "4.2"
},
"domain": "enterprise-attack",
"description": "Sigma rules heatmap. Accurate as of commit 3989de3bf98f075326afe75da6aa18e836d43fe4",
"gradient": {
"colors": [
"#66b1ffff",
"#ff66f4ff",
"#ff6666ff"
],
"maxValue": 174,
"minValue": 0
},
"techniques": [
{
"techniqueID": "T1037.005",
"score": 1,
"comment": "file_event_macos_startup_items.yml"
},
{
"techniqueID": "T1546.014",
"score": 1,
"comment": "file_event_macos_emond_launch_daemon.yml"
},
{
"techniqueID": "T1059.002",
"score": 1,
"comment": "proc_creation_macos_applescript.yml"
},
{
"techniqueID": "T1552.001",
"score": 14,
"comment": "proc_creation_macos_find_cred_in_files.yml\nproxy_ios_implant.yml\ncisco_cli_collect_data.yml\nlnx_auditd_find_cred_in_files.yml\nproc_creation_lnx_susp_recon_indicators.yml\nazure_keyvault_key_modified_or_deleted.yml\nazure_keyvault_modified_or_deleted.yml\nazure_keyvault_secrets_modified_or_deleted.yml\nfile_event_win_hivenightmare_file_exports.yml\nfile_event_win_access_susp_unattend_xml.yml\nposh_ps_susp_extracting.yml\nproc_creation_win_apt_bear_activity_gtr19.yml\nproc_creation_win_automated_collection.yml\nproc_creation_win_lolbin_findstr.yml"
},
{
"techniqueID": "T1087.001",
"score": 10,
"comment": "proc_creation_macos_local_account.yml\ncisco_cli_collect_data.yml\nproc_creation_lnx_local_account.yml\nfile_event_bloodhound_collection.yml\nposh_ps_azurehound_commands.yml\nproc_creation_win_susp_psloglist.yml\nproc_creation_win_local_system_owner_account_discovery.yml\nproc_creation_win_susp_recon_activity.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_susp_net_execution.yml"
},
{
"techniqueID": "T1070.002",
"score": 3,
"comment": "proc_creation_macos_clear_system_logs.yml\nproc_creation_lnx_clear_syslog.yml\nproc_creation_lnx_clear_logs.yml"
},
{
"techniqueID": "T1049",
"score": 8,
"comment": "proc_creation_macos_system_network_connections_discovery.yml\ncisco_cli_discovery.yml\nproc_creation_lnx_system_network_connections_discovery.yml\nposh_pc_susp_get_nettcpconnection.yml\nposh_pm_susp_get_nettcpconnection.yml\nproc_creation_win_susp_sharpview.yml\nproc_creation_win_susp_net_execution.yml\nproc_creation_win_susp_network_listing_connections.yml"
},
{
"techniqueID": "T1070.006",
"score": 5,
"comment": "proc_creation_macos_change_file_time_attr.yml\nlnx_auditd_change_file_time_attr.yml\nposh_ps_timestomp.yml\nwin_susp_time_modification.yml\nfile_change_win_2022_timestomping.yml"
},
{
"techniqueID": "T1016",
"score": 8,
"comment": "proc_creation_macos_system_network_discovery.yml\ncisco_cli_discovery.yml\napt_silence_downloader_v3.yml\nproc_creation_lnx_system_network_discovery.yml\nproc_creation_win_nltest_recon.yml\nproc_creation_win_susp_netsh_command.yml\nproc_creation_win_susp_network_command.yml\nwin_lolbas_execution_of_nltest.yml"
},
{
"techniqueID": "T1564.002",
"score": 2,
"comment": "proc_creation_macos_create_hidden_account.yml\nregistry_set_special_accounts.yml"
},
{
"techniqueID": "T1553.001",
"score": 1,
"comment": "proc_creation_macos_xattr_gatekeeper_bypass.yml"
},
{
"techniqueID": "T1027",
"score": 81,
"comment": "proc_creation_macos_base64_decode.yml\nproc_creation_lnx_base64_decode.yml\nfile_event_win_redmimicry_winnti_filedrop.yml\nfile_event_win_susp_get_variable.yml\nposh_ps_invoke_obfuscation_obfuscated_iex.yml\nposh_ps_invoke_obfuscation_clip.yml\nposh_ps_invoke_obfuscation_via_use_mhsta.yml\nposh_ps_invoke_obfuscation_via_stdin.yml\nposh_ps_invoke_obfuscation_via_use_clip.yml\nposh_ps_invoke_obfuscation_stdin.yml\nposh_ps_invoke_obfuscation_via_var.yml\nposh_ps_invoke_obfuscation_via_compress.yml\nposh_ps_invoke_obfuscation_via_use_rundll32.yml\nposh_ps_invoke_obfuscation_via_rundll.yml\nposh_ps_invoke_obfuscation_var.yml\nposh_pm_invoke_obfuscation_var.yml\nposh_pm_invoke_obfuscation_obfuscated_iex.yml\nposh_pm_invoke_obfuscation_via_use_clip.yml\nposh_pm_invoke_obfuscation_via_use_rundll32.yml\nposh_pm_invoke_obfuscation_via_rundll.yml\nposh_pm_invoke_obfuscation_via_compress.yml\nposh_pm_invoke_obfuscation_via_use_mhsta.yml\nposh_pm_invoke_obfuscation_stdin.yml\nposh_pm_invoke_obfuscation_via_stdin.yml\nposh_pm_invoke_obfuscation_clip.yml\nposh_pm_invoke_obfuscation_via_var.yml\nproc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml\nproc_creation_win_powershell_cmdline_specific_comb_methods.yml\nproc_creation_win_susp_powershell_encoded_param.yml\nproc_creation_win_invoke_obfuscation_stdin.yml\nproc_creation_win_invoke_obfuscation_via_use_rundll32.yml\nproc_creation_win_susp_base64_load.yml\nproc_creation_win_powershell_cmdline_convertto_securestring.yml\nproc_creation_win_susp_ping_hex_ip.yml\nproc_creation_win_apt_wocao.yml\nproc_creation_win_invoke_obfuscation_via_compress.yml\nproc_creation_win_malware_emotet.yml\nproc_creation_win_invoke_obfuscation_via_use_mhsta.yml\nproc_creation_win_base64_invoke_susp_cmdlets.yml\nproc_creation_win_susp_char_in_cmd.yml\nproc_creation_win_apt_turla_comrat_may20.yml\nproc_creation_win_powershell_frombase64string.yml\nproc_creation_win_base64_reflective_assembly_load.yml\nproc_creation_win_base64_listing_shadowcopy.yml\nproc_creation_win_invoke_obfuscation_via_rundll.yml\nproc_creation_win_invoke_obfuscation_var.yml\nproc_creation_win_invoke_obfuscation_via_use_clip.yml\nproc_creation_win_susp_base64_invoke.yml\nproc_creation_win_powershell_cmdline_special_characters.yml\nproc_creation_win_invoke_obfuscation_via_stdin.yml\nproc_creation_win_powershell_xor_commandline.yml\nproc_creation_win_powershell_cmdline_susp_comb_methods.yml\nproc_creation_win_powershell_cmdline_reversed_strings.yml\nproc_creation_win_powershell_b64_shellcode.yml\nproc_creation_win_invoke_obfuscation_via_var.yml\nproc_creation_win_susp_certutil_encode.yml\nproc_creation_win_invoke_obfuscation_clip.yml\nwin_invoke_obfuscation_via_compress_services_security.yml\nwin_invoke_obfuscation_via_rundll_services_security.yml\nwin_invoke_obfuscation_var_services_security.yml\nwin_invoke_obfuscation_via_use_mshta_services_security.yml\nwin_invoke_obfuscation_clip_services_security.yml\nwin_invoke_obfuscation_obfuscated_iex_services_security.yml\nwin_invoke_obfuscation_via_use_rundll32_services_security.yml\nwin_invoke_obfuscation_via_use_clip_services_security.yml\nwin_invoke_obfuscation_via_var_services_security.yml\nwin_apt_wocao.yml\nwin_invoke_obfuscation_stdin_services_security.yml\nwin_invoke_obfuscation_via_stdin_services_security.yml\nwin_invoke_obfuscation_stdin_services.yml\nwin_invoke_obfuscation_via_var_services.yml\nwin_invoke_obfuscation_via_use_clip_services.yml\nwin_invoke_obfuscation_obfuscated_iex_services.yml\nwin_invoke_obfuscation_via_use_mshta_services.yml\nwin_invoke_obfuscation_via_stdin_services.yml\nwin_invoke_obfuscation_clip_services.yml\nwin_invoke_obfuscation_via_compress_services.yml\nwin_service_install_susp_double_ampersand.yml\nwin_invoke_obfuscation_var_services.yml\nwin_invoke_obfuscation_via_rundll_services.yml\nwin_invoke_obfuscation_via_use_rundll32_services.yml"
},
{
"techniqueID": "T1069.001",
"score": 14,
"comment": "proc_creation_macos_local_groups.yml\nproc_creation_lnx_local_groups.yml\nfile_event_bloodhound_collection.yml\nposh_ps_susp_smb_share_reco.yml\nposh_ps_susp_local_group_reco.yml\nposh_ps_azurehound_commands.yml\nposh_ps_susp_ad_group_reco.yml\nposh_pm_susp_ad_group_reco.yml\nposh_pm_susp_smb_share_reco.yml\nposh_pm_susp_local_group_reco.yml\nproc_creation_win_wmic_group_recon.yml\nproc_creation_win_accesschk_usage_after_priv_escalation.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_susp_net_execution.yml"
},
{
"techniqueID": "T1030",
"score": 2,
"comment": "proc_creation_macos_split_file_into_pieces.yml\nlnx_auditd_split_file_into_pieces.yml"
},
{
"techniqueID": "T1529",
"score": 5,
"comment": "proc_creation_macos_system_shutdown_reboot.yml\ncisco_cli_dos.yml\napt_silence_eda.yml\nlnx_auditd_system_shutdown_reboot.yml\nproc_creation_win_susp_shutdown.yml"
},
{
"techniqueID": "T1027.001",
"score": 3,
"comment": "proc_creation_macos_binary_padding.yml\nlnx_auditd_binary_padding.yml\nwin_susp_codeintegrity_check_failure.yml"
},
{
"techniqueID": "T1518.001",
"score": 4,
"comment": "proc_creation_macos_security_software_discovery.yml\nproc_creation_lnx_security_software_discovery.yml\nposh_ps_security_software_discovery.yml\nproc_creation_win_susp_findstr_385201.yml"
},
{
"techniqueID": "T1040",
"score": 8,
"comment": "proc_creation_macos_network_sniffing.yml\ncisco_cli_net_sniff.yml\nlnx_auditd_network_sniffing.yml\nproc_creation_win_lolbin_pktmon.yml\nproc_creation_win_netsh_wifi_credential_harvesting.yml\nproc_creation_win_network_sniffing.yml\nproc_creation_win_netsh_packet_capture.yml\nwin_pcap_drivers.yml"
},
{
"techniqueID": "T1036.006",
"score": 1,
"comment": "proc_creation_macos_space_after_filename.yml"
},
{
"techniqueID": "T1018",
"score": 13,
"comment": "proc_creation_macos_remote_system_discovery.yml\ncisco_cli_discovery.yml\nproc_creation_lnx_remote_system_discovery.yml\nposh_ps_directorysearcher.yml\nposh_ps_susp_get_adcomputer.yml\nproc_creation_win_network_scan_loop.yml\nproc_creation_win_net_enum.yml\nproc_creation_win_susp_adfind_usage.yml\nproc_creation_win_webshell_detection.yml\nproc_creation_win_susp_adidnsdump.yml\nproc_creation_win_susp_net_execution.yml\nproc_creation_win_webshell_hacking.yml\nwin_lolbas_execution_of_nltest.yml"
},
{
"techniqueID": "T1136.001",
"score": 12,
"comment": "proc_creation_macos_create_account.yml\ncisco_cli_local_accounts.yml\nlnx_auditd_create_account.yml\nposh_ps_create_local_user.yml\nregistry_event_add_local_hidden_user.yml\nproc_creation_win_net_user_add.yml\nproc_creation_win_susp_add_user_remote_desktop.yml\nproc_creation_win_susp_servu_exploitation_cve_2021_35211.yml\nproc_creation_win_net_user_add_never_expire.yml\nwin_user_creation.yml\nwin_susp_local_anon_logon_created.yml\nwin_hidden_user_creation.yml"
},
{
"techniqueID": "T1552.003",
"score": 3,
"comment": "proc_creation_macos_susp_histfile_operations.yml\ncisco_cli_input_capture.yml\nlnx_auditd_susp_histfile_operations.yml"
},
{
"techniqueID": "T1046",
"score": 10,
"comment": "proc_creation_macos_network_service_scanning.yml\nnet_firewall_susp_network_scan_by_ip.yml\nnet_firewall_susp_network_scan_by_port.yml\nlnx_auditd_network_service_scanning.yml\nproc_creation_lnx_network_service_scanning.yml\nfile_event_win_advanced_ip_scanner.yml\nproc_creation_win_susp_nmap.yml\nproc_creation_win_advanced_port_scanner.yml\nproc_creation_win_advanced_ip_scanner.yml\nnet_connection_win_python.yml"
},
{
"techniqueID": "T1056.002",
"score": 3,
"comment": "proc_creation_macos_gui_input_capture.yml\nimage_load_uipromptforcreds_dlls.yml\nproc_creation_win_mouse_lock.yml"
},
{
"techniqueID": "T1562.001",
"score": 62,
"comment": "proc_creation_macos_disable_security_tools.yml\ncisco_cli_disable_logging.yml\nazure_kubernetes_events_deleted.yml\naws_cloudtrail_disable_logging.yml\naws_guardduty_disruption.yml\naws_macic_evasion.yml\naws_config_disable_recording.yml\nfile_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml\nposh_pc_tamper_with_windows_defender.yml\nposh_ps_tamper_defender_remove_mppreference.yml\nposh_ps_tamper_defender.yml\nproc_access_win_cobaltstrike_bof_injection_pattern.yml\nregistry_set_enabling_turnoffcheck.yml\nregistry_set_disable_windows_defender_service.yml\nregistry_set_susp_service_installed.yml\nregistry_set_disabled_microsoft_defender_eventlog.yml\nregistry_set_windows_defender_tamper.yml\nregistry_set_change_sysmon_driver_altitude.yml\nregistry_set_exploit_guard_susp_allowed_apps.yml\nregistry_set_disabled_pua_protection_on_microsoft_defender.yml\nregistry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml\nregistry_set_disabled_tamper_protection_on_microsoft_defender.yml\nregistry_set_defender_exclusions.yml\nregistry_set_disable_microsoft_office_security_features.yml\nregistry_delete_exploit_guard_protected_folders.yml\nregistry_delete_removal_amsi_registry_key.yml\nregistry_event_disable_security_events_logging_adding_reg_key_minint.yml\nregistry_event_net_ntlm_downgrade.yml\nproc_creation_win_uninstall_sysmon.yml\nproc_creation_win_reg_defender_tampering.yml\nproc_creation_win_dsim_remove.yml\nproc_creation_win_susp_disable_ie_features.yml\nproc_creation_win_powershell_disable_windef_av.yml\nproc_creation_win_powershell_defender_disable_feature.yml\nproc_creation_win_susp_service_modification.yml\nproc_creation_win_reg_defender_exclusion.yml\nproc_creation_win_susp_wmic_security_product_uninstall.yml\nproc_creation_win_remove_windows_defender_definition_files.yml\nproc_creation_win_cleanwipe.yml\nproc_creation_win_uninstall_crowdstrike_falcon.yml\nproc_creation_win_reg_delete_services.yml\nproc_creation_win_powershell_defender_base64.yml\nproc_creation_win_tamper_defender_remove_mppreference.yml\nproc_creation_win_susp_disable_eventlog.yml\nproc_creation_win_susp_reg_disable_sec_services.yml\nproc_creation_win_disable_service.yml\nproc_creation_win_powershell_amsi_bypass.yml\nproc_creation_win_susp_volsnap_disable.yml\nproc_creation_win_apt_ke3chang_regadd.yml\nproc_creation_win_sc_delete_av_services.yml\nproc_creation_win_susp_disable_raccine.yml\nproc_creation_win_reg_delete_safeboot.yml\nproc_creation_win_powershell_defender_exclusion.yml\nwin_user_driver_loaded.yml\nwin_defender_bypass.yml\nwin_net_ntlm_downgrade.yml\nwin_alert_enable_weak_encryption.yml\nwin_system_defender_disabled.yml\nwin_defender_tamper_protection_trigger.yml\nwin_defender_disabled.yml\nwin_defender_exclusions.yml\nwin_susp_msmpeng_crash.yml"
},
{
"techniqueID": "T1555.001",
"score": 1,
"comment": "proc_creation_macos_creds_from_keychain.yml"
},
{
"techniqueID": "T1113",
"score": 6,
"comment": "proc_creation_macos_screencapture.yml\nlnx_auditd_screencapture_import.yml\nlnx_auditd_screencaputre_xwd.yml\nposh_ps_capture_screenshots.yml\nimage_load_susp_system_drawing_load.yml\nproc_creation_win_susp_psr_capture_screenshots.yml"
},
{
"techniqueID": "T1083",
"score": 9,
"comment": "proc_creation_macos_file_and_directory_discovery.yml\nweb_source_code_enumeration.yml\ncisco_cli_discovery.yml\nproc_creation_lnx_file_and_directory_discovery.yml\nposh_ps_susp_directory_enum.yml\nposh_ps_file_and_directory_discovery.yml\nproc_creation_win_apt_turla_commands_medium.yml\nproc_creation_win_apt_turla_commands_critical.yml\nproc_creation_win_malware_wannacry.yml"
},
{
"techniqueID": "T1053.003",
"score": 6,
"comment": "proc_creation_macos_schedule_task_job_cron.yml\nfile_create_lnx_persistence_sudoers_files.yml\nfile_create_lnx_persistence_cron_files.yml\nfile_create_lnx_triple_cross_rootkit_persistence.yml\nproc_creation_lnx_schedule_task_job_cron.yml\nlnx_crontab_file_modification.yml"
},
{
"techniqueID": "T1071.001",
"score": 28,
"comment": "proxy_pwndrop.yml\nproxy_telegram_api.yml\nproxy_ua_susp.yml\nproxy_ua_bitsadmin_susp_ip.yml\nproxy_cobalt_onedrive.yml\nproxy_ua_cryptominer.yml\nproxy_raw_paste_service_access.yml\nproxy_powershell_ua.yml\nproxy_chafer_malware.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_amazon.yml\nproxy_downloadcradle_webdav.yml\nproxy_cobalt_malformed_uas.yml\nproxy_ua_malware.yml\nproxy_empire_ua_uri_combos.yml\nproxy_ua_frameworks.yml\nproxy_ua_susp_base64.yml\nproxy_turla_comrat.yml\nproxy_empty_ua.yml\nproxy_ua_bitsadmin_susp_tld.yml\nproxy_ua_apt.yml\nproxy_ursnif_malware_c2_url.yml\nproxy_baby_shark.yml\nproxy_apt40.yml\nnet_dns_wannacry_killswitch_domain.yml\nposh_ps_susp_invoke_webrequest_useragent.yml\nproc_creation_win_exfiltration_and_tunneling_tools_execution.yml\nproc_creation_win_susp_curl_useragent.yml"
},
{
"techniqueID": "T1102.001",
"score": 3,
"comment": "proxy_pwndrop.yml\nproxy_raw_paste_service_access.yml\nnet_connection_win_dead_drop_resolvers.yml"
},
{
"techniqueID": "T1102.003",
"score": 2,
"comment": "proxy_pwndrop.yml\nproxy_raw_paste_service_access.yml"
},
{
"techniqueID": "T1102.002",
"score": 2,
"comment": "proxy_telegram_api.yml\nnet_dns_susp_telegram_api.yml"
},
{
"techniqueID": "T1197",
"score": 17,
"comment": "proxy_ua_bitsadmin_susp_ip.yml\nproxy_ua_bitsadmin_susp_tld.yml\nproc_creation_win_bitsadmin_download_susp_ext.yml\nproc_creation_win_bitsadmin_download_susp_targetfolder.yml\nproc_creation_win_susp_bitstransfer.yml\nproc_creation_win_bitsadmin_download_susp_domain.yml\nproc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\nproc_creation_win_bitsadmin_download.yml\nproc_creation_win_bitsadmin_download_susp_ip.yml\nproc_creation_win_monitoring_for_persistence_via_bits.yml\nproc_creation_win_powershell_bitsjob.yml\nwin_bits_client_susp_powershell_job.yml\nwin_bits_client_uncommon_domain.yml\nwin_bits_client_susp_local_folder.yml\nwin_bits_client_susp_use_bitsadmin.yml\nwin_bits_client_susp_domain.yml\nwin_bits_client_susp_local_file.yml"
},
{
"techniqueID": "T1203",
"score": 21,
"comment": "proxy_ios_implant.yml\nproxy_download_susp_tlds_whitelist.yml\nproxy_download_susp_tlds_blacklist.yml\nzeek_http_omigod_no_auth_rce.yml\nlnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml\nproc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml\nproc_creation_lnx_omigod_scx_runasprovider_executescript.yml\nav_exploiting.yml\nfile_event_win_cve_2021_31979_cve_2021_33771_exploits.yml\nfile_event_win_cve_2021_26858_msexchange.yml\nregistry_event_cve_2021_31979_cve_2021_33771_exploits.yml\nproc_creation_win_exploit_cve_2017_11882.yml\nproc_creation_win_exploit_cve_2017_8759.yml\nproc_creation_win_exploit_cve_2017_0261.yml\nproc_creation_win_vul_java_remote_debugging.yml\nproc_creation_win_hwp_exploits.yml\nproc_creation_win_cve_2021_26857_msexchange.yml\nproc_creation_win_susp_spoolsv_child_processes.yml\nwin_audit_cve.yml\nnet_connection_win_excel_outbound_network_connection.yml\nnet_connection_win_eqnedt.yml"
},
{
"techniqueID": "T1005",
"score": 7,
"comment": "proxy_ios_implant.yml\ncisco_cli_collect_data.yml\naws_ec2_vm_export_failure.yml\npipe_created_susp_adfs_namedpipe_connection.yml\nproc_creation_win_esentutl_webcache.yml\nproc_creation_win_conti_sqlcmd.yml\nproc_creation_win_sqlcmd_veeam_dump.yml"
},
{
"techniqueID": "T1119",
"score": 5,
"comment": "proxy_ios_implant.yml\nposh_ps_automated_collection.yml\nposh_ps_susp_recon_export.yml\nproc_creation_win_automated_collection.yml\nproc_creation_win_susp_recon.yml"
},
{
"techniqueID": "T1528",
"score": 6,
"comment": "proxy_ios_implant.yml\nazure_app_appid_uri_changes.yml\nazure_app_uri_modifications.yml\nazure_app_owner_added.yml\npipe_created_koh_default_pipe.yml\nproc_creation_win_renamed_browsercore.yml"
},
{
"techniqueID": "T1189",
"score": 2,
"comment": "proxy_susp_flash_download_loc.yml\ndns_query_win_possible_dns_rebinding.yml"
},
{
"techniqueID": "T1204.002",
"score": 27,
"comment": "proxy_susp_flash_download_loc.yml\nproxy_download_susp_tlds_whitelist.yml\nproxy_download_susp_tlds_blacklist.yml\nproxy_ursnif_malware_c2_url.yml\nfile_event_win_script_creation_by_office_using_file_ext.yml\nproc_access_win_littlecorporal_generated_maldoc.yml\nimage_load_susp_office_kerberos_dll_load.yml\nimage_load_susp_office_dotnet_gac_dll_load.yml\nimage_load_susp_winword_vbadll_load.yml\nimage_load_susp_office_dotnet_assembly_dll_load.yml\nimage_load_susp_office_dsparse_dll_load.yml\nimage_load_susp_office_dotnet_clr_dll_load.yml\nregistry_set_new_application_appcompat.yml\nproc_creation_win_lolbins_by_office_applications.yml\nproc_creation_win_exploit_cve_2017_11882.yml\nproc_creation_win_exploit_cve_2017_8759.yml\nproc_creation_win_exploit_cve_2017_0261.yml\nproc_creation_win_crime_maze_ransomware.yml\nproc_creation_win_office_shell.yml\nproc_creation_win_office_applications_spawning_wmi_commandline.yml\nproc_creation_win_lolbins_with_wmiprvse_parent_process.yml\nproc_creation_win_office_spawn_exe_from_users_directory.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload.yml\nproc_creation_win_office_spawning_wmi_commandline.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml\nproc_creation_win_outlook_shell.yml\nwin_applocker_file_was_not_allowed_to_run.yml"
},
{
"techniqueID": "T1036.005",
"score": 9,
"comment": "proxy_susp_flash_download_loc.yml\nfile_event_win_susp_default_gpo_dir_write.yml\nfile_event_win_creation_system_file.yml\nproc_creation_win_susp_msiexec_cwd.yml\nproc_creation_win_apt_greenbug_may20.yml\nproc_creation_win_proc_wrong_parent.yml\nproc_creation_win_susp_svchost.yml\nproc_creation_win_exploit_cve_2015_1641.yml\nproc_creation_win_apt_lazarus_session_highjack.yml"
},
{
"techniqueID": "T1566",
"score": 5,
"comment": "proxy_download_susp_tlds_whitelist.yml\nproxy_download_susp_tlds_blacklist.yml\nfile_event_win_cve_2021_31979_cve_2021_33771_exploits.yml\nregistry_event_cve_2021_31979_cve_2021_33771_exploits.yml\nproc_creation_win_archiver_iso_phishing.yml"
},
{
"techniqueID": "T1190",
"score": 69,
"comment": "proxy_ua_hacktool.yml\nweb_sonicwall_jarrewrite_exploit.yml\nweb_cve_2020_8193_8195_citrix_exploit.yml\nweb_cve_2021_2109_weblogic_rce_exploit.yml\nweb_cve_2020_3452_cisco_asa_ftd.yml\nweb_cve_2019_3398_confluence.yml\nweb_cve_2021_44228_log4j.yml\nweb_cve_2021_42237_sitecore_report_ashx.yml\nweb_cve_2020_10148_solarwinds_exploit.yml\nweb_cve_2021_44228_log4j_fields.yml\nweb_cve_2021_43798_grafana.yml\nweb_path_traversal_exploitation_attempt.yml\nweb_cve_2020_0688_exchange_exploit.yml\nweb_cve_2021_26814_wzuh_rce.yml\nweb_cve_2021_22893_pulse_secure_rce_exploit.yml\nweb_cve_2022_31659_vmware_rce.yml\nweb_cve_2022_33891_spark_shell_command_injection.yml\nweb_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml\nweb_cve_2020_28188_terramaster_rce_exploit.yml\nweb_cve_2021_28480_exchange_exploit.yml\nweb_cve_2010_5278_exploitation_attempt.yml\nweb_susp_useragents.yml\nweb_cve_2020_14882_weblogic_exploit.yml\nweb_cve_2018_2894_weblogic_exploit.yml\nweb_cve_2022_27925_exploit.yml\nweb_cve_2021_40539_manageengine_adselfservice_exploit.yml\nweb_cve_2020_5902_f5_bigip.yml\nweb_cve_2021_21972_vsphere_unauth_rce_exploit.yml\nweb_cve_2021_22123_fortinet_exploit.yml\nweb_cve_2019_11510_pulsesecure_exploit.yml\nweb_iis_tilt_shortname_scan.yml\nweb_cve_2021_41773_apache_path_traversal.yml\nweb_cve_2018_13379_fortinet_preauth_read_exploit.yml\nweb_cve_2014_6287_hfs_rce.yml\nweb_multiple_susp_resp_codes_single_source.yml\nweb_cve_2022_31656_auth_bypass.yml\nweb_exchange_exploitation_hafnium.yml\nweb_cve_2021_22005_vmware_file_upload.yml\nweb_cve_2020_0688_msexchange.yml\nweb_cve_2019_19781_citrix_exploit.yml\nweb_cve_2021_21978_vmware_view_planner_exploit.yml\nweb_cve_2021_33766_msexchange_proxytoken.yml\nzeek_http_omigod_no_auth_rce.yml\nnet_dns_external_service_interaction_domains.yml\nlnx_susp_named.yml\nlnx_susp_ssh.yml\nlnx_susp_vsftp.yml\nlnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml\nproc_creation_lnx_cve_2022_26134_atlassian_confluence.yml\nproc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml\nproc_creation_lnx_omigod_scx_runasprovider_executescript.yml\nproc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml\napp_python_sql_exceptions.yml\nappframework_django_exceptions.yml\nappframework_ruby_on_rails_exceptions.yml\nappframework_spring_exceptions.yml\napp_sqlinjection_errors.yml\nfile_event_win_susp_exchange_aspx_write.yml\nproc_creation_win_susp_shell_spawn_from_winrm.yml\nproc_creation_win_termserv_proc_spawn.yml\nproc_creation_win_exploit_cve_2020_10189.yml\nproc_creation_win_susp_shell_spawn_from_mssql.yml\nproc_creation_win_rpcss_anomalies.yml\nproc_creation_win_webshell_spawn.yml\nproc_creation_win_exploit_cve_2020_1350.yml\nproc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml\nwin_susp_failed_logon_source.yml\nwin_vul_cve_2021_41379.yml\nwin_vul_cve_2020_0688.yml"
},
{
"techniqueID": "T1110",
"score": 10,
"comment": "proxy_ua_hacktool.yml\nlnx_susp_failed_logons_single_source.yml\nazure_aad_secops_signin_failure_bad_password_threshold.yml\nazure_conditional_access_failure.yml\nazure_user_login_blocked_by_conditional_access.yml\nazure_account_lockout.yml\nazure_blocked_account_attempt.yml\nproc_creation_win_hack_hydra.yml\nproc_creation_win_apt_dragonfly.yml\nwin_susp_ntlm_brute_force.yml"
},
{
"techniqueID": "T1105",
"score": 38,
"comment": "proxy_download_susp_dyndns.yml\ncisco_cli_moving_data.yml\nzeek_http_executable_download_from_webdav.yml\nlnx_file_copy.yml\nfile_event_win_susp_desktopimgdownldr_file.yml\nregistry_set_lolbin_onedrivestandaloneupdater.yml\nregistry_event_apt_pandemic.yml\nproc_creation_win_susp_gup_download.yml\nproc_creation_win_headless_browser_file_download.yml\nproc_creation_win_susp_msiexec_web_install.yml\nproc_creation_win_susp_certutil_command.yml\nproc_creation_win_susp_finger_usage.yml\nproc_creation_win_lolbin_printbrm.yml\nproc_creation_win_susp_cmd_http_appdata.yml\nproc_creation_win_apt_greenbug_may20.yml\nproc_creation_win_susp_curl_fileupload.yml\nproc_creation_win_lolbin_susp_mpcmdrun_download.yml\nproc_creation_win_susp_desktopimgdownldr.yml\nproc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml\nproc_creation_win_msedge_minimized_download.yml\nproc_creation_win_lolbin_replace.yml\nproc_creation_win_lolbin_extrac32.yml\nproc_creation_win_lolbin_susp_certreq_download.yml\nproc_creation_win_curl_download.yml\nproc_creation_win_susp_invoke_webrequest_download.yml\nproc_creation_win_susp_msoffice.yml\nproc_creation_win_susp_curl_download.yml\nproc_creation_win_susp_curl_start_combo.yml\nproc_creation_win_lolbin_diantz_remote_cab.yml\nproc_creation_win_susp_ps_downloadfile.yml\nproc_creation_win_susp_wuauclt.yml\nproc_creation_win_lolbin_certoc_download.yml\nproc_creation_win_lolbin_findstr.yml\ndns_query_win_lobas_appinstaller.yml\nnet_connection_win_imewdbld.yml\nnet_connection_win_binary_github_com.yml\nnet_connection_win_binary_susp_com.yml\nnet_connection_win_susp_prog_location_network_connection.yml"
},
{
"techniqueID": "T1568",
"score": 1,
"comment": "proxy_download_susp_dyndns.yml"
},
{
"techniqueID": "T1566.001",
"score": 12,
"comment": "proxy_ursnif_malware_c2_url.yml\nfile_event_win_iso_file_mount.yml\nfile_event_win_macro_file.yml\nregistry_event_trust_record_modification.yml\nproc_creation_win_exploit_cve_2017_11882.yml\nproc_creation_win_exploit_cve_2017_8759.yml\nproc_creation_win_exploit_cve_2017_0261.yml\nproc_creation_win_arbitrary_shell_execution_via_settingcontent.yml\nproc_creation_win_hwp_exploits.yml\nproc_creation_win_susp_double_extension.yml\nproc_creation_win_susp_outlook_temp.yml\nwin_iso_mount.yml"
},
{
"techniqueID": "T1590",
"score": 2,
"comment": "proxy_adv_ip_port_scanner_upd_check.yml\ndns_query_win_susp_ipify.yml"
},
{
"techniqueID": "T1567.002",
"score": 6,
"comment": "proxy_apt40.yml\nfile_event_win_rclone_exec_file.yml\nproc_creation_win_susp_rclone_execution.yml\ndns_query_win_ufile_io.yml\ndns_query_win_anonymfiles_com.yml\ndns_query_win_mega_nz.yml"
},
{
"techniqueID": "T1505.003",
"score": 25,
"comment": "web_solarwinds_supernova_webshell.yml\nweb_susp_windows_path_uri.yml\nweb_cve_2018_2894_weblogic_exploit.yml\nweb_webshell_regeorg.yml\nweb_cve_2021_40539_manageengine_adselfservice_exploit.yml\nweb_unc2546_dewmode_php_webshell.yml\nweb_cve_2014_6287_hfs_rce.yml\nweb_win_webshells_in_access_logs.yml\nlnx_auditd_web_rce.yml\nproc_creation_lnx_webshell_detection.yml\nlnx_shellshock.yml\nav_webshell.yml\nfile_event_win_susp_exchange_aspx_write.yml\nfile_event_win_webshell_creation_detect.yml\nproc_creation_win_mailboxexport_share.yml\nproc_creation_win_susp_shell_spawn_from_mssql.yml\nproc_creation_win_webshell_recon_detection.yml\nproc_creation_win_webshell_spawn.yml\nproc_creation_win_webshell_detection.yml\nproc_creation_win_susp_iss_module_install.yml\nproc_creation_win_susp_execution_path_webserver.yml\nproc_creation_win_webshell_hacking.yml\nwin_set_oabvirtualdirectory_externalurl.yml\nwin_exchange_proxyshell_certificate_generation.yml\nwin_exchange_proxyshell_mailbox_export.yml"
},
{
"techniqueID": "T1499.004",
"score": 3,
"comment": "web_nginx_core_dump.yml\nweb_apache_segfault.yml\nwin_audit_cve.yml"
},
{
"techniqueID": "T1495",
"score": 1,
"comment": "cisco_cli_dos.yml"
},
{
"techniqueID": "T1565.001",
"score": 3,
"comment": "cisco_cli_dos.yml\nproc_creation_lnx_susp_history_delete.yml\nlnx_clear_syslog.yml"
},
{
"techniqueID": "T1490",
"score": 15,
"comment": "cisco_cli_modify_config.yml\nposh_pc_delete_volume_shadow_copies.yml\nposh_ps_susp_win32_shadowcopy.yml\nimage_load_susp_vss_ps_load.yml\nregistry_set_disable_system_restore.yml\nregistry_set_install_root_or_ca_certificat.yml\nproc_creation_win_delete_systemstatebackup.yml\nproc_creation_win_susp_cmd_shadowcopy_access.yml\nproc_creation_win_malware_dtrack.yml\nproc_creation_win_crime_maze_ransomware.yml\nproc_creation_win_shadow_copies_deletion.yml\nproc_creation_win_malware_conti_shadowcopy.yml\nproc_creation_win_malware_wannacry.yml\nproc_creation_win_bootconf_mod.yml\nfile_delete_win_delete_backup_file.yml"
},
{
"techniqueID": "T1505",
"score": 1,
"comment": "cisco_cli_modify_config.yml"
},
{
"techniqueID": "T1565.002",
"score": 1,
"comment": "cisco_cli_modify_config.yml"
},
{
"techniqueID": "T1053",
"score": 12,
"comment": "cisco_cli_modify_config.yml\nrpc_firewall_atsvc_lateral_movement.yml\nrpc_firewall_itaskschedulerservice_lateral_movement.yml\nrpc_firewall_sasec_lateral_movement.yml\nfile_event_win_susp_task_write.yml\nregistry_set_abusing_windows_telemetry_for_persistence.yml\nregistry_set_taskcache_entry.yml\nproc_creation_win_susp_crackmapexec_execution.yml\nproc_creation_win_apt_hafnium.yml\nproc_creation_win_abusing_windows_telemetry_for_persistence.yml\nproc_creation_win_apt_actinium_persistence.yml\nwin_apt_slingshot.yml"
},
{
"techniqueID": "T1070.003",
"score": 6,
"comment": "cisco_cli_clear_logs.yml\nlnx_shell_clear_cmd_history.yml\nposh_ps_susp_iofilestream.yml\nposh_ps_clear_powershell_history.yml\nposh_ps_clearing_windows_console_history.yml\nposh_pm_clear_powershell_history.yml"
},
{
"techniqueID": "T1201",
"score": 4,
"comment": "cisco_cli_discovery.yml\nlnx_auditd_password_policy_discovery.yml\nposh_ps_susp_get_addefaultdomainpasswordpolicy.yml\nproc_creation_win_susp_net_execution.yml"
},
{
"techniqueID": "T1057",
"score": 6,
"comment": "cisco_cli_discovery.yml\napt_silence_downloader_v3.yml\nproc_creation_lnx_process_discovery.yml\nposh_ps_as_rep_roasting.yml\nposh_ps_susp_get_process.yml\nproc_creation_win_susp_tasklist_command.yml"
},
{
"techniqueID": "T1082",
"score": 12,
"comment": "cisco_cli_discovery.yml\nzeek_dce_rpc_domain_user_enumeration.yml\napt_silence_downloader_v3.yml\nlnx_auditd_system_info_discovery.yml\nlnx_auditd_system_info_discovery2.yml\nproc_creation_lnx_system_info_discovery.yml\nproc_creation_win_susp_systeminfo.yml\nproc_creation_win_susp_hostname.yml\nproc_creation_win_susp_commands_recon_activity.yml\nproc_creation_win_cmd_redirect.yml\nproc_creation_win_susp_machineguid.yml\nproc_creation_win_susp_recon_net_activity.yml"
},
{
"techniqueID": "T1033",
"score": 18,
"comment": "cisco_cli_discovery.yml\napt_silence_downloader_v3.yml\nlnx_auditd_user_discovery.yml\nrpc_firewall_dcsync_attack.yml\nrpc_firewall_sharphound_recon_sessions.yml\nposh_ps_susp_get_current_user.yml\nproc_creation_win_susp_whoami_as_param.yml\nproc_creation_win_susp_sharpview.yml\nproc_creation_win_malware_dridex.yml\nproc_creation_win_whoami_as_priv_user.yml\nproc_creation_win_whoami_priv.yml\nproc_creation_win_local_system_owner_account_discovery.yml\nproc_creation_win_webshell_detection.yml\nproc_creation_win_susp_whoami_anomaly.yml\nproc_creation_win_whoami_as_system.yml\nproc_creation_win_renamed_whoami.yml\nproc_creation_win_susp_whoami.yml\nproc_creation_win_webshell_hacking.yml"
},
{
"techniqueID": "T1124",
"score": 2,
"comment": "cisco_cli_discovery.yml\nproc_creation_win_remote_time_discovery.yml"
},
{
"techniqueID": "T1553.004",
"score": 4,
"comment": "cisco_cli_crypto_actions.yml\nproc_creation_lnx_install_root_certificate.yml\nposh_ps_root_certificate_installed.yml\nproc_creation_win_root_certificate_installed.yml"
},
{
"techniqueID": "T1552.004",
"score": 5,
"comment": "cisco_cli_crypto_actions.yml\nfile_event_win_susp_pfx_file_creation.yml\nposh_ps_susp_export_pfxcertificate.yml\nproc_creation_win_discover_private_keys.yml\nproc_creation_win_susp_powershell_getprocess_lsass.yml"
},
{
"techniqueID": "T1070.004",
"score": 11,
"comment": "cisco_cli_file_deletion.yml\nproc_creation_lnx_file_deletion.yml\nposh_ps_remove_item_path.yml\nregistry_add_sysinternals_sdelete_registry_keys.yml\nproc_creation_win_susp_del.yml\nproc_creation_win_cmd_delete.yml\nfile_delete_win_sysinternals_sdelete_file_deletion.yml\nfile_delete_win_delete_prefetch.yml\nfile_delete_win_delete_appli_log.yml\nwin_susp_sdelete.yml\nwin_susp_backup_delete.yml"
},
{
"techniqueID": "T1561.001",
"score": 1,
"comment": "cisco_cli_file_deletion.yml"
},
{
"techniqueID": "T1561.002",
"score": 1,
"comment": "cisco_cli_file_deletion.yml"
},
{
"techniqueID": "T1074",
"score": 2,
"comment": "cisco_cli_moving_data.yml\ngcp_full_network_traffic_packet_capture.yml"
},
{
"techniqueID": "T1560.001",
"score": 10,
"comment": "cisco_cli_moving_data.yml\nlnx_auditd_data_compressed.yml\nproc_creation_win_susp_winzip.yml\nproc_creation_win_data_compressed_with_rar.yml\nproc_creation_win_susp_winrar_execution.yml\nproc_creation_win_susp_rar_flags.yml\nproc_creation_win_susp_compression_params.yml\nproc_creation_win_susp_7z.yml\nproc_creation_win_apt_judgement_panda_gtr19.yml\nproc_creation_win_susp_winrar_dmp.yml"
},
{
"techniqueID": "T1098",
"score": 22,
"comment": "cisco_cli_local_accounts.yml\nazure_creating_number_of_resources_detection.yml\nazure_priviledged_role_assignment_bulk_change.yml\nazure_priviledged_role_assignment_add.yml\nazure_app_credential_added.yml\nazure_group_user_removal_ca_modification.yml\nazure_granting_permission_detection.yml\nazure_group_user_addition_ca_modification.yml\ngworkspace_user_granted_admin_privileges.yml\ngworkspace_granted_domain_api_access.yml\naws_update_login_profile.yml\naws_route_53_domain_transferred_to_another_account.yml\naws_iam_backdoor_users_keys.yml\naws_route_53_domain_transferred_lock_disabled.yml\nposh_ps_localuser.yml\nproc_creation_win_susp_add_local_admin.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_add_domain_trust.yml\nwin_account_backdoor_dcsync_rights.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_dsrm_password_change.yml\nwin_user_added_to_local_administrators.yml"
},
{
"techniqueID": "T1048.003",
"score": 14,
"comment": "net_firewall_high_dns_bytes_out.yml\nnet_firewall_high_dns_requests_rate.yml\nzeek_http_webdav_put_request.yml\nnet_dns_c2_detection.yml\nnet_dns_susp_b64_queries.yml\nnet_dns_high_null_records_requests_rate.yml\nnet_dns_high_requests_rate.yml\nnet_dns_high_txt_records_requests_rate.yml\nnet_dns_high_bytes_out.yml\nlnx_auditd_data_exfil_wget.yml\nposh_ps_send_mailmessage.yml\nposh_ps_icmp_exfiltration.yml\nproc_creation_win_susp_webdav_client_execution.yml\nnet_connection_win_susp_outbound_smtp_connections.yml"
},
{
"techniqueID": "T1071.004",
"score": 17,
"comment": "net_firewall_high_dns_requests_rate.yml\nnet_dns_mal_cobaltstrike.yml\nnet_dns_c2_detection.yml\nnet_dns_susp_txt_exec_strings.yml\nnet_dns_susp_b64_queries.yml\nnet_dns_high_null_records_requests_rate.yml\nnet_dns_high_requests_rate.yml\nnet_dns_high_txt_records_requests_rate.yml\napt_silence_eda.yml\nregistry_event_apt_chafer_mar18.yml\nproc_creation_win_apt_chafer_mar18.yml\nproc_creation_win_dnscat2_powershell_implementation.yml\nproc_creation_win_dns_exfiltration_tools_execution.yml\nproc_creation_win_apt_muddywater_dnstunnel.yml\nwin_apt_chafer_mar18_security.yml\nwin_apt_chafer_mar18_system.yml\ndns_query_win_mal_cobaltstrike.yml"
},
{
"techniqueID": "T1041",
"score": 3,
"comment": "net_firewall_apt_equationgroup_c2.yml\nproc_creation_win_exfiltration_and_tunneling_tools_execution.yml\nproc_creation_win_dnscat2_powershell_implementation.yml"
},
{
"techniqueID": "T1021.002",
"score": 31,
"comment": "zeek_smb_converted_win_lm_namedpipe.yml\nzeek_dce_rpc_smb_spoolss_named_pipe.yml\nzeek_smb_converted_win_susp_psexec.yml\npipe_created_psexec_pipes_artifacts.yml\nfile_event_win_wmiprvse_wbemcomn_dll_hijack.yml\nposh_ps_susp_new_psdrive.yml\nimage_load_wmiprvse_wbemcomn_dll_hijack.yml\nregistry_set_cobaltstrike_service_installs.yml\nproc_creation_win_apt_turla_commands_medium.yml\nproc_creation_win_rundll32_without_parameters.yml\nproc_creation_win_susp_copy_lateral_movement.yml\nproc_creation_win_apt_turla_commands_critical.yml\nproc_creation_win_net_use_admin_share.yml\nproc_creation_win_rundll32_unc_path.yml\nproc_creation_win_susp_net_execution.yml\nsysmon_dcom_iertutil_dll_hijack.yml\nwin_svcctl_remote_service.yml\nwin_wmiprvse_wbemcomn_dll_hijack.yml\nwin_security_metasploit_or_impacket_smb_psexec_service_install.yml\nwin_metasploit_authentication.yml\nwin_protected_storage_service_access.yml\nwin_susp_psexec.yml\nwin_dce_rpc_smb_spoolss_named_pipe.yml\nwin_impacket_psexec.yml\nwin_lm_namedpipe.yml\nwin_admin_share_access.yml\nwin_smb_file_creation_admin_shares.yml\nwin_dcom_iertutil_dll_hijack.yml\nwin_security_cobaltstrike_service_installs.yml\nwin_hack_smbexec.yml\nwin_cobaltstrike_service_installs.yml"
},
{
"techniqueID": "T1021.001",
"score": 12,
"comment": "zeek_rdp_public_listener.yml\nproc_creation_win_susp_add_user_remote_desktop.yml\nproc_creation_win_reg_enable_rdp.yml\nproc_creation_win_mstsc.yml\nproc_creation_win_susp_plink_remote_forward.yml\nproc_creation_win_susp_tscon_rdp_redirect.yml\nwin_not_allowed_rdp_access.yml\nwin_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nnet_connection_win_susp_rdp.yml\nnet_connection_win_rdp_to_http.yml\nnet_connection_win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1095",
"score": 4,
"comment": "zeek_dns_susp_zbit_flag.yml\nposh_pc_powercat.yml\nposh_pm_powercat.yml\nproc_creation_win_netcat_execution.yml"
},
{
"techniqueID": "T1571",
"score": 3,
"comment": "zeek_dns_susp_zbit_flag.yml\nposh_ps_test_netconnection.yml\nnet_connection_win_malware_backconnect_ports.yml"
},
{
"techniqueID": "T1569.002",
"score": 34,
"comment": "zeek_dns_mining_pools.yml\nzeek_dce_rpc_mitre_bzar_execution.yml\nrpc_firewall_remote_service_lateral_movement.yml\npipe_created_psexec_default_pipe.yml\npipe_created_psexec_default_pipe_from_susp_location.yml\nfile_event_win_tool_psexec.yml\nregistry_set_cobaltstrike_service_installs.yml\nregistry_set_powershell_as_service.yml\nproc_creation_win_psexesvc_start.yml\nproc_creation_win_rundll32_without_parameters.yml\nproc_creation_win_service_execution.yml\nproc_creation_win_tool_runx_as_system.yml\nproc_creation_win_rpcss_anomalies.yml\nproc_creation_win_tool_nircmd.yml\nproc_creation_win_tool_nircmd_as_system.yml\nproc_creation_win_exploit_cve_2020_1350.yml\nproc_creation_win_sharpup.yml\nproc_creation_win_tool_nsudo_execution.yml\nproc_creation_win_tool_psexec.yml\ndriver_load_mal_creddumper.yml\ndriver_load_powershell_script_installed_as_service.yml\nwin_security_metasploit_or_impacket_smb_psexec_service_install.yml\nwin_security_powershell_script_installed_as_service.yml\nwin_security_mal_service_installs.yml\nwin_security_mal_creddumper.yml\nwin_security_cobaltstrike_service_installs.yml\nwin_susp_proceshacker.yml\nwin_mal_creddumper.yml\nwin_tool_psexec.yml\nwin_hack_smbexec.yml\nwin_service_hacktools.yml\nwin_powershell_script_installed_as_service.yml\nwin_cobaltstrike_service_installs.yml\nwin_defender_psexec_wmi_asr.yml"
},
{
"techniqueID": "T1496",
"score": 4,
"comment": "zeek_dns_mining_pools.yml\nnet_dns_pua_cryptocoin_mining_xmr.yml\nproc_creation_win_crypto_mining_monero.yml\nnet_connection_win_crypto_mining.yml"
},
{
"techniqueID": "T1557.001",
"score": 6,
"comment": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml\nproc_creation_win_hack_adcspwn.yml\nproc_creation_win_impacket_compiled_tools.yml\nproc_creation_win_tools_relay_attacks.yml\ndriver_load_windivert.yml\nwin_susp_rottenpotato.yml"
},
{
"techniqueID": "T1187",
"score": 3,
"comment": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml\nwin_petitpotam_susp_tgt_request.yml\nwin_petitpotam_network_share.yml"
},
{
"techniqueID": "T1068",
"score": 20,
"comment": "zeek_http_omigod_no_auth_rce.yml\nlnx_auditd_cve_2021_4034.yml\nlnx_auditd_coinminer.yml\nlnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml\nlnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml\nlnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml\nproc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml\nproc_creation_lnx_omigod_scx_runasprovider_executescript.yml\nlnx_nimbuspwn_privilege_escalation_exploit.yml\nlnx_sudo_cve_2019_14287_user.yml\nlnx_buffer_overflows.yml\nlnx_sudo_cve_2019_14287.yml\nfile_event_win_cve_2021_41379_msi_lpe.yml\nproc_creation_win_apt_hurricane_panda.yml\nproc_creation_win_exploit_lpe_cve_2021_41379.yml\nproc_creation_win_exploit_systemnightmare.yml\nproc_creation_win_exploit_cve_2019_1388.yml\nproc_creation_win_susp_spoolsv_child_processes.yml\nproc_creation_win_exploit_cve_2019_1378.yml\nwin_audit_cve.yml"
},
{
"techniqueID": "T1021.006",
"score": 9,
"comment": "zeek_http_omigod_no_auth_rce.yml\nposh_pc_remote_powershell_session.yml\nposh_ps_enable_psremoting.yml\nposh_ps_invoke_command_remote.yml\nposh_pm_remote_powershell_session.yml\nproc_access_win_mimikatz_trough_winrm.yml\nproc_creation_win_evil_winrm.yml\nproc_creation_win_remote_powershell_session_process.yml\nnet_connection_win_remote_powershell_session_network.yml"
},
{
"techniqueID": "T1210",
"score": 8,
"comment": "zeek_http_omigod_no_auth_rce.yml\nproc_creation_win_termserv_proc_spawn.yml\nproc_creation_win_malware_wannacry.yml\nwin_rdp_bluekeep_poc_scanner.yml\nwin_possible_zerologon_exploitation_using_wellknown_tools.yml\nwin_rdp_potential_cve_2019_0708.yml\nwin_exchange_cve_2021_42321.yml\nwin_audit_cve.yml"
},
{
"techniqueID": "T1087.002",
"score": 14,
"comment": "zeek_dce_rpc_domain_user_enumeration.yml\nfile_event_bloodhound_collection.yml\nposh_ps_azurehound_commands.yml\nproc_creation_win_susp_psloglist.yml\nproc_creation_win_susp_adfind_usage.yml\nproc_creation_win_susp_adfind_enumeration.yml\nproc_creation_win_susp_recon_activity.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_susp_net_execution.yml\nwin_susp_net_recon_activity.yml\nwin_account_discovery.yml\nwin_global_catalog_enumeration.yml\nwin_ad_user_enumeration.yml\nwin_ldap_recon.yml"
},
{
"techniqueID": "T1558.003",
"score": 11,
"comment": "zeek_susp_kerberos_rc4.yml\nposh_ps_request_kerberos_ticket.yml\nproc_creation_win_hack_krbrelay.yml\nproc_creation_win_hack_rubeus.yml\nproc_creation_win_spn_enum.yml\nproc_creation_win_hack_krbrelayup.yml\nwin_susp_rc4_kerberos.yml\nwin_susp_outbound_kerberos_connection.yml\nwin_register_new_logon_process_by_rubeus.yml\nwin_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml\nwin_vul_cve_2021_42278_or_cve_2021_42287.yml"
},
{
"techniqueID": "T1048",
"score": 7,
"comment": "zeek_dns_torproxy.yml\nposh_ps_invoke_dnsexfiltration.yml\nposh_ps_dnscat_execution.yml\nproc_creation_win_susp_copy_lateral_movement.yml\nproc_creation_win_tap_installer_execution.yml\nwin_security_tap_driver_installation.yml\nwin_tap_driver_installation.yml"
},
{
"techniqueID": "T1003.002",
"score": 27,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\nzeek_smb_converted_win_transferring_files_with_credential_data.yml\nav_password_dumper.yml\npipe_created_cred_dump_tools_named_pipes.yml\nfile_event_win_quarkspw_filedump.yml\nfile_event_win_cred_dump_tools_dropped_files.yml\nfile_event_win_sam_dump.yml\nfile_event_win_susp_ntds_dit.yml\nregistry_event_esentutl_volume_shadow_copy_service_keys.yml\nproc_creation_win_shadow_copies_creation.yml\nproc_creation_win_copying_sensitive_files_with_credential_data.yml\nproc_creation_win_mimikatz_command_line.yml\nproc_creation_win_shadow_copies_access_symlink.yml\nproc_creation_win_pypykatz.yml\nproc_creation_win_reg_dump_sam.yml\nproc_creation_win_susp_powershell_sam_access.yml\nproc_creation_win_grabbing_sensitive_hives_via_reg.yml\ndriver_load_mal_creddumper.yml\nwin_alert_mimikatz_keywords.yml\nwin_vssaudit_secevent_source_registration.yml\nwin_transferring_files_with_credential_data_via_network_shares.yml\nwin_security_mal_creddumper.yml\nwin_impacket_secretdump.yml\nwin_susp_sam_dump.yml\nwin_mal_creddumper.yml\nwin_quarkspwdump_clearing_hive_access_history.yml\nwin_volume_shadow_copy_mount.yml"
},
{
"techniqueID": "T1003.004",
"score": 12,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\npipe_created_cred_dump_tools_named_pipes.yml\nfile_event_win_cred_dump_tools_dropped_files.yml\nproc_creation_win_mimikatz_command_line.yml\nproc_creation_win_grabbing_sensitive_hives_via_reg.yml\ndriver_load_mal_creddumper.yml\nwin_alert_mimikatz_keywords.yml\nwin_dpapi_domain_masterkey_backup_attempt.yml\nwin_security_mal_creddumper.yml\nwin_dpapi_domain_backupkey_extraction.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml"
},
{
"techniqueID": "T1003.003",
"score": 18,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\nzeek_smb_converted_win_transferring_files_with_credential_data.yml\nfile_event_win_cred_dump_tools_dropped_files.yml\nfile_event_win_ntds_exfil_tools.yml\nfile_event_win_ntds_dit.yml\nfile_event_win_susp_ntds_dit.yml\nposh_ps_create_volume_shadow_copy.yml\nposh_pm_get_addbaccount.yml\nproc_creation_win_shadow_copies_creation.yml\nproc_creation_win_apt_bear_activity_gtr19.yml\nproc_creation_win_copying_sensitive_files_with_credential_data.yml\nproc_creation_win_susp_esentutl_params.yml\nproc_creation_win_susp_ntdsutil.yml\nproc_creation_win_susp_ditsnap.yml\nproc_creation_win_shadow_copies_access_symlink.yml\nproc_creation_win_susp_ntds.yml\nwin_transferring_files_with_credential_data_via_network_shares.yml\nwin_impacket_secretdump.yml"
},
{
"techniqueID": "T1053.002",
"score": 8,
"comment": "zeek_smb_converted_win_atsvc_task.yml\nzeek_dce_rpc_mitre_bzar_execution.yml\nproc_creation_lnx_at_command.yml\nrpc_firewall_atsvc_lateral_movement.yml\nrpc_firewall_itaskschedulerservice_lateral_movement.yml\nrpc_firewall_sasec_lateral_movement.yml\nproc_creation_win_interactive_at.yml\nwin_atsvc_task.yml"
},
{
"techniqueID": "T1547.004",
"score": 3,
"comment": "zeek_dce_rpc_mitre_bzar_persistence.yml\nposh_ps_winlogon_helper_dll.yml\nregistry_set_winlogon_notify_key.yml"
},
{
"techniqueID": "T1003.001",
"score": 66,
"comment": "zeek_smb_converted_win_transferring_files_with_credential_data.yml\nav_password_dumper.yml\npipe_created_cred_dump_tools_named_pipes.yml\nfile_event_win_cred_dump_tools_dropped_files.yml\nfile_event_win_crackmapexec_patterns.yml\nfile_event_win_lsass_dump.yml\nfile_event_win_lsass_werfault_dump.yml\nfile_event_win_lsass_memory_dump_file_creation.yml\nfile_event_win_hack_dumpert.yml\nfile_event_win_ghostpack_safetykatz.yml\nposh_ps_susp_getprocess_lsass.yml\nproc_access_win_susp_proc_access_lsass_susp_source.yml\nproc_access_win_lsass_dump_comsvcs_dll.yml\nproc_access_win_rare_proc_access_lsass.yml\nproc_access_win_mimikatz_trough_winrm.yml\nproc_access_win_lsass_werfault.yml\nproc_access_win_handlekatz_lsass_access.yml\nproc_access_win_pypykatz_cred_dump_lsass_access.yml\nproc_access_win_lsass_memdump_indicators.yml\nproc_access_win_lsass_memdump_evasion.yml\nprocess_access_win_susp_seclogon.yml\nproc_access_win_lsass_memdump.yml\nproc_access_win_cred_dump_lsass_access.yml\nproc_access_win_lazagne_cred_dump_lsass_access.yml\nproc_access_win_susp_proc_access_lsass.yml\nimage_load_susp_dbghelp_dbgcore_load.yml\nimage_load_tttracer_mod_load.yml\nimage_load_unsigned_image_loaded_into_lsass.yml\nimage_load_rundll32_loading_renamed_comsvcs.yml\nregistry_event_hack_wce_reg.yml\nsysmon_password_dumper_lsass.yml\nproc_creation_win_susp_trolleyexpress_procdump.yml\nproc_creation_win_proc_dump_createdump.yml\nproc_creation_win_susp_procdump_lsass.yml\nproc_creation_win_proc_dump_susp_dumpminitool.yml\nproc_creation_win_procdump_evasion.yml\nproc_creation_win_proc_dump_rdrleakdiag.yml\nproc_creation_win_xordump.yml\nproc_creation_win_lolbin_adplus.yml\nproc_creation_win_proc_dump_dumpminitool.yml\nproc_creation_win_hack_wce.yml\nproc_creation_win_mimikatz_command_line.yml\nproc_creation_win_crackmapexec_patterns.yml\nproc_creation_win_hktl_createminidump.yml\nproc_creation_win_lolbin_tttracer_mod_load.yml\nproc_creation_win_apt_judgement_panda_gtr19.yml\nproc_creation_win_hack_dumpert.yml\nproc_creation_win_susp_lsass_clone.yml\nproc_creation_win_procdump.yml\nproc_creation_win_lolbin_dump64.yml\nproc_creation_win_handlekatz.yml\nproc_creation_win_malware_notpetya.yml\nproc_creation_win_process_dump_rundll32_comsvcs.yml\nproc_creation_win_lsass_dump.yml\nproc_creation_win_lolbin_susp_sqldumper_activity.yml\nproc_creation_win_process_dump_rdrleakdiag.yml\ndriver_load_mal_creddumper.yml\nsysmon_accessing_winapi_in_powershell_credentials_dumping.yml\nwin_alert_mimikatz_keywords.yml\nwin_transferring_files_with_credential_data_via_network_shares.yml\nwin_security_mal_creddumper.yml\nwin_lsass_access_non_system_account.yml\nwin_susp_lsass_dump_generic.yml\nwin_susp_lsass_dump.yml\nwin_mal_creddumper.yml\nwin_defender_alert_lsass_access.yml"
},
{
"techniqueID": "T1047",
"score": 37,
"comment": "zeek_dce_rpc_mitre_bzar_execution.yml\nrpc_firewall_remote_dcom_or_wmi.yml\npipe_created_susp_wmi_consumer_namedpipe.yml\nfile_event_win_wmiprvse_wbemcomn_dll_hijack.yml\nsysmon_wmi_susp_encoded_scripts.yml\nposh_ps_wmimplant.yml\nimage_load_wmiprvse_wbemcomn_dll_hijack.yml\nimage_load_wmi_module_load.yml\nregistry_set_mal_blue_mockingbird.yml\nproc_creation_win_lolbins_by_office_applications.yml\nproc_creation_win_wmi_spwns_powershell.yml\nproc_creation_win_crime_maze_ransomware.yml\nproc_creation_win_wmic_service.yml\nproc_creation_win_wmiprvse_spawning_process.yml\nproc_creation_win_wmic_unquoted_service_search.yml\nproc_creation_win_impacket_lateralization.yml\nproc_creation_win_wmic_remote_service.yml\nproc_creation_win_susp_wmic_proc_create.yml\nproc_creation_win_bypass_squiblytwo.yml\nproc_creation_win_office_applications_spawning_wmi_commandline.yml\nproc_creation_win_lolbins_with_wmiprvse_parent_process.yml\nproc_creation_win_wmic_remote_command.yml\nproc_creation_win_mal_blue_mockingbird.yml\nproc_creation_win_susp_crackmapexec_execution.yml\nproc_creation_win_wmic_remove_application.yml\nproc_creation_win_apt_unc2452_ps.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload.yml\nproc_creation_win_susp_wmic_execution.yml\nproc_creation_win_office_spawning_wmi_commandline.yml\nproc_creation_win_wmic_reconnaissance.yml\nproc_creation_win_wmic_hotfix_enum.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_script_event_consumer_spawn.yml\nwin_wmiprvse_wbemcomn_dll_hijack.yml\nwin_susp_wmi_login.yml\nwin_defender_psexec_wmi_asr.yml"
},
{
"techniqueID": "T1595.002",
"score": 1,
"comment": "net_dns_external_service_interaction_domains.yml"
},
{
"techniqueID": "T1567",
"score": 4,
"comment": "net_dns_pua_cryptocoin_mining_xmr.yml\nproc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml\nproc_creation_win_susp_curl_fileupload.yml\nproc_creation_win_lolbin_configsecuritypolicy.yml"
},
{
"techniqueID": "T1547.001",
"score": 28,
"comment": "apt_silence_downloader_v3.yml\nfile_event_win_susp_startup_folder_persistence.yml\nfile_event_win_startup_folder_file_write.yml\nfile_event_win_powershell_startup_shortcuts.yml\nregistry_set_asep_reg_keys_modification_session_manager.yml\nregistry_set_asep_reg_keys_modification_internet_explorer.yml\nregistry_set_asep_reg_keys_modification_currentcontrolset.yml\nregistry_set_asep_reg_keys_modification_wow6432node.yml\nregistry_set_asep_reg_keys_modification_currentversion_nt.yml\nregistry_set_asep_reg_keys_modification_winsock2.yml\nregistry_set_asep_reg_keys_modification_classes.yml\nregistry_set_asep_reg_keys_modification_wow6432node_currentversion.yml\nregistry_set_susp_reg_persist_explorer_run.yml\nregistry_set_asep_reg_keys_modification_common.yml\nregistry_set_vbs_payload_stored.yml\nregistry_set_susp_run_key_img_folder.yml\nregistry_set_asep_reg_keys_modification_currentversion.yml\nregistry_set_powershell_in_run_keys.yml\nregistry_set_asep_reg_keys_modification_office.yml\nregistry_set_asep_reg_keys_modification_wow6432node_classes.yml\nregistry_set_asep_reg_keys_modification_system_scripts.yml\nregistry_event_narrator_feedback_persistance.yml\nregistry_event_apt_leviathan.yml\nregistry_event_susp_download_run_key.yml\nproc_creation_win_susp_vbscript_unc2452.yml\nproc_creation_win_reg_add_run_key.yml\nproc_creation_win_malware_ryuk.yml\nproc_creation_win_susp_direct_asep_reg_keys_modification.yml"
},
{
"techniqueID": "T1059.001",
"score": 174,
"comment": "apt_silence_eda.yml\naws_ec2_startup_script_change.yml\npipe_created_alternate_powershell_hosts_pipe.yml\npipe_created_powershell_execution_pipe.yml\nfile_event_win_powershell_exploit_scripts.yml\nfile_event_win_cve_2022_24527_lpe.yml\nfile_event_bloodhound_collection.yml\nfile_event_win_susp_clr_logs.yml\nposh_pc_alternate_powershell_hosts.yml\nposh_pc_xor_commandline.yml\nposh_pc_downgrade_attack.yml\nposh_pc_exe_calling_ps.yml\nposh_pc_wsman_com_provider_no_powershell.yml\nposh_pc_susp_download.yml\nposh_pc_remote_powershell_session.yml\nposh_pc_renamed_powershell.yml\nposh_ps_xml_iex.yml\nposh_ps_prompt_credentials.yml\nposh_ps_susp_download.yml\nposh_ps_susp_invocation_generic.yml\nposh_ps_invoke_obfuscation_obfuscated_iex.yml\nposh_ps_invoke_obfuscation_clip.yml\nposh_ps_susp_keywords.yml\nposh_ps_wmimplant.yml\nposh_ps_invoke_obfuscation_via_use_mhsta.yml\nposh_ps_invoke_obfuscation_via_stdin.yml\nposh_ps_nishang_malicious_commandlets.yml\nposh_ps_invoke_obfuscation_via_use_clip.yml\nposh_ps_import_module_susp_dirs.yml\nposh_ps_invoke_obfuscation_stdin.yml\nposh_ps_invoke_obfuscation_via_var.yml\nposh_ps_malicious_commandlets.yml\nposh_ps_powerview_malicious_commandlets.yml\nposh_ps_shellintel_malicious_commandlets.yml\nposh_ps_remote_session_creation.yml\nposh_ps_adrecon_execution.yml\nposh_ps_accessing_win_api.yml\nposh_ps_invoke_obfuscation_via_compress.yml\nposh_ps_invoke_obfuscation_via_use_rundll32.yml\nposh_ps_shellcode_b64.yml\nposh_ps_set_policies_to_unsecure_level.yml\nposh_ps_msxml_com.yml\nposh_ps_susp_invocation_specific.yml\nposh_ps_dnscat_execution.yml\nposh_ps_psattack.yml\nposh_ps_ntfs_ads_access.yml\nposh_ps_invoke_obfuscation_via_rundll.yml\nposh_ps_create_local_user.yml\nposh_ps_invoke_obfuscation_var.yml\nposh_ps_malicious_keywords.yml\nposh_ps_web_request.yml\nposh_pm_invoke_obfuscation_var.yml\nposh_pm_invoke_obfuscation_obfuscated_iex.yml\nposh_pm_susp_download.yml\nposh_pm_susp_invocation_specific.yml\nposh_pm_bad_opsec_artifacts.yml\nposh_pm_invoke_obfuscation_via_use_clip.yml\nposh_pm_invoke_obfuscation_via_use_rundll32.yml\nposh_pm_invoke_obfuscation_via_rundll.yml\nposh_pm_invoke_obfuscation_via_compress.yml\nposh_pm_remote_powershell_session.yml\nposh_pm_invoke_obfuscation_via_use_mhsta.yml\nposh_pm_alternate_powershell_hosts.yml\nposh_pm_invoke_obfuscation_stdin.yml\nposh_pm_invoke_obfuscation_via_stdin.yml\nposh_pm_susp_invocation_generic.yml\nposh_pm_invoke_obfuscation_clip.yml\nposh_pm_invoke_obfuscation_via_var.yml\nproc_access_win_mimikatz_trough_winrm.yml\nimage_load_alternate_powershell_hosts_moduleload.yml\nimage_load_wsman_provider_image_load.yml\nimage_load_in_memory_powershell.yml\nsysmon_susp_powershell_rundll32.yml\nsysmon_powershell_code_injection.yml\nproc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml\nproc_creation_win_powershell_download_patterns.yml\nproc_creation_win_exploit_cve_2020_1048.yml\nproc_creation_win_susp_powershell_parent_process.yml\nproc_creation_win_powershell_snapins_hafnium.yml\nproc_creation_win_schtasks_powershell_windowsapps_execution.yml\nproc_creation_win_powershell_cmdline_specific_comb_methods.yml\nproc_creation_win_susp_crackmapexec_powershell_obfuscation.yml\nproc_creation_win_apt_unc2452_cmds.yml\nproc_creation_win_wmi_spwns_powershell.yml\nproc_creation_win_susp_powershell_encoded_param.yml\nproc_creation_win_invoke_obfuscation_stdin.yml\nproc_creation_win_invoke_obfuscation_via_use_rundll32.yml\nproc_creation_win_susp_powershell_cmd_patterns.yml\nproc_creation_win_susp_base64_load.yml\nproc_creation_win_powershell_cmdline_convertto_securestring.yml\nproc_creation_win_encoded_frombase64string.yml\nproc_creation_win_encoded_iex.yml\nproc_creation_win_susp_use_of_sqlps_bin.yml\nproc_creation_win_apt_wocao.yml\nproc_creation_win_susp_covenant.yml\nproc_creation_win_exploit_cve_2020_10189.yml\nproc_creation_win_susp_cmd_http_appdata.yml\nproc_creation_win_apt_greenbug_may20.yml\nproc_creation_win_invoke_obfuscation_via_compress.yml\nproc_creation_win_malware_emotet.yml\nproc_creation_win_susp_powershell_enc_cmd.yml\nproc_creation_win_embed_exe_lnk.yml\nproc_creation_win_invoke_obfuscation_via_use_mhsta.yml\nproc_creation_win_base64_invoke_susp_cmdlets.yml\nproc_creation_win_long_powershell_commandline.yml\nproc_creation_win_susp_powershell_hidden_b64_cmd.yml\nproc_creation_win_apt_turla_comrat_may20.yml\nproc_creation_win_powershell_frombase64string.yml\nproc_creation_win_powershell_download.yml\nproc_creation_win_base64_reflective_assembly_load.yml\nproc_creation_win_set_policies_to_unsecure_level.yml\nproc_creation_win_schtasks_appdata_local_system.yml\nproc_creation_win_powersploit_empire_schtasks.yml\nproc_creation_win_susp_powershell_encode.yml\nproc_creation_win_base64_listing_shadowcopy.yml\nproc_creation_win_invoke_obfuscation_via_rundll.yml\nproc_creation_win_apt_tropictrooper.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_apt_babyshark.yml\nproc_creation_win_exfil_data_via_cli.yml\nproc_creation_win_susp_crackmapexec_execution.yml\nproc_creation_win_powershell_reverse_shell_connection.yml\nproc_creation_win_invoke_obfuscation_var.yml\nproc_creation_win_susp_web_request_cmd.yml\nproc_creation_win_non_interactive_powershell.yml\nproc_creation_win_shell_spawn_susp_program.yml\nproc_creation_win_apt_unc2452_ps.yml\nproc_creation_win_invoke_obfuscation_via_use_clip.yml\nproc_creation_win_powershell_downgrade_attack.yml\nproc_creation_win_susp_pester.yml\nproc_creation_win_susp_base64_invoke.yml\nproc_creation_win_susp_use_of_sqltoolsps_bin.yml\nproc_creation_win_susp_powershell_webclient_casing.yml\nproc_creation_win_powershell_cmdline_special_characters.yml\nproc_creation_win_invoke_obfuscation_via_stdin.yml\nproc_creation_win_schtasks_reg_loader.yml\nproc_creation_win_powershell_xor_commandline.yml\nproc_creation_win_susp_powershell_parent_combo.yml\nproc_creation_win_susp_ps_downloadfile.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_apt_apt29_thinktanks.yml\nproc_creation_win_susp_powershell_empire_launch.yml\nproc_creation_win_susp_ps_appdata.yml\nproc_creation_win_powershell_cmdline_susp_comb_methods.yml\nproc_creation_win_powershell_cmdline_reversed_strings.yml\nproc_creation_win_invoke_obfuscation_via_var.yml\nproc_creation_win_invoke_obfuscation_clip.yml\nproc_creation_win_powershell_susp_parameter_variation.yml\nproc_creation_win_remote_powershell_session_process.yml\nwin_applocker_file_was_not_allowed_to_run.yml\nwin_invoke_obfuscation_via_compress_services_security.yml\nwin_invoke_obfuscation_via_rundll_services_security.yml\nwin_remote_powershell_session.yml\nwin_invoke_obfuscation_var_services_security.yml\nwin_invoke_obfuscation_via_use_mshta_services_security.yml\nwin_invoke_obfuscation_clip_services_security.yml\nwin_invoke_obfuscation_via_use_rundll32_services_security.yml\nwin_invoke_obfuscation_via_use_clip_services_security.yml\nwin_invoke_obfuscation_via_var_services_security.yml\nwin_apt_wocao.yml\nwin_invoke_obfuscation_stdin_services_security.yml\nwin_invoke_obfuscation_via_stdin_services_security.yml\nwin_invoke_obfuscation_stdin_services.yml\nwin_invoke_obfuscation_via_var_services.yml\nwin_invoke_obfuscation_via_use_clip_services.yml\nwin_invoke_obfuscation_via_use_mshta_services.yml\nwin_invoke_obfuscation_via_stdin_services.yml\nwin_invoke_obfuscation_clip_services.yml\nwin_invoke_obfuscation_via_compress_services.yml\nwin_invoke_obfuscation_var_services.yml\nwin_invoke_obfuscation_via_rundll_services.yml\nwin_invoke_obfuscation_via_use_rundll32_services.yml\nnet_connection_win_remote_powershell_session_network.yml\nnet_connection_win_powershell_network_connection.yml"
},
{
"techniqueID": "T1572",
"score": 7,
"comment": "apt_silence_eda.yml\nproc_creation_win_susp_plink_usage.yml\nproc_creation_win_exfiltration_and_tunneling_tools_execution.yml\nproc_creation_win_susp_plink_remote_forward.yml\nproc_creation_win_susp_ngrok_pua.yml\nnet_connection_win_rdp_to_http.yml\nnet_connection_win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1548",
"score": 16,
"comment": "file_create_lnx_doas_conf_creation.yml\nlnx_auditd_capabilities_discovery.yml\nproc_creation_lnx_doas_execution.yml\nazure_aad_secops_ca_policy_updatedby_bad_actor.yml\nazure_aad_secops_new_ca_policy_addedby_bad_actor.yml\nazure_aad_secops_ca_policy_removedby_bad_actor.yml\naws_sts_assumerole_misuse.yml\naws_sts_getsessiontoken_misuse.yml\naws_susp_saml_activity.yml\nposh_ps_invoke_nightmare.yml\nproc_access_win_svchost_cred_dump.yml\nregistry_set_comhijack_sdclt.yml\nproc_creation_win_abusing_debug_privilege.yml\nproc_creation_win_susp_regedit_trustedinstaller.yml\nwin_scm_database_privileged_operation.yml\nwin_vul_cve_2020_1472.yml"
},
{
"techniqueID": "T1589",
"score": 1,
"comment": "lnx_ssh_cve_2018_15473.yml"
},
{
"techniqueID": "T1562.004",
"score": 13,
"comment": "lnx_security_tools_disabling_syslog.yml\nlnx_auditd_bpfdoor_port_redirect.yml\nlnx_auditd_disable_system_firewall.yml\nproc_creation_lnx_security_tools_disabling.yml\nposh_ps_windows_firewall_profile_disabled.yml\nregistry_set_disable_windows_firewall.yml\nregistry_set_disable_defender_firewall.yml\nproc_creation_win_netsh_fw_delete.yml\nproc_creation_win_susp_firewall_disable.yml\nproc_creation_win_netsh_fw_enable_group_rule.yml\nproc_creation_win_netsh_fw_add_susp_image.yml\nproc_creation_win_netsh_allow_port_rdp.yml\nproc_creation_win_netsh_fw_add.yml"
},
{
"techniqueID": "T1212",
"score": 8,
"comment": "lnx_susp_guacamole.yml\nazure_legacy_authentication_protocols.yml\nproc_creation_win_susp_ntlmrelay.yml\nproc_creation_win_apt_gallium.yml\nproc_creation_win_apt_gallium_sha1.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml\nwin_audit_cve.yml"
},
{
"techniqueID": "T1588.001",
"score": 1,
"comment": "lnx_clamav.yml"
},
{
"techniqueID": "T1036.003",
"score": 20,
"comment": "lnx_auditd_masquerading_crond.yml\nposh_ps_susp_start_process.yml\nproc_creation_win_bitsadmin_download_susp_ext.yml\nproc_creation_win_renamed_powershell.yml\nproc_creation_win_bitsadmin_download_susp_targetfolder.yml\nproc_creation_win_renamed_psexec.yml\nproc_creation_win_renamed_jusched.yml\nproc_creation_win_renamed_binary.yml\nproc_creation_win_renamed_procdump.yml\nproc_creation_win_bitsadmin_download_susp_domain.yml\nproc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\nproc_creation_win_renamed_browsercore.yml\nproc_creation_win_bitsadmin_download.yml\nproc_creation_win_apt_ta17_293a_ps.yml\nproc_creation_win_susp_copy_system32.yml\nproc_creation_win_bitsadmin_download_susp_ip.yml\nproc_creation_win_proc_wrong_parent.yml\nproc_creation_win_renamed_binary_highly_relevant.yml\nproc_creation_win_renamed_paexec.yml\nproc_creation_win_renamed_msdt.yml"
},
{
"techniqueID": "T1115",
"score": 6,
"comment": "lnx_auditd_clipboard_collection.yml\nlnx_auditd_clipboard_image_collection.yml\nproc_creation_lnx_clipboard_collection.yml\nposh_pm_get_clipboard.yml\nproc_creation_win_powershell_get_clipboard.yml\nproc_creation_win_clip.yml"
},
{
"techniqueID": "T1485",
"score": 9,
"comment": "lnx_auditd_dd_delete_file.yml\nproc_creation_lnx_dd_file_overwrite.yml\nmicrosoft365_unusual_volume_of_file_deletion.yml\naws_efs_fileshare_mount_modified_or_deleted.yml\naws_eks_cluster_created_or_deleted.yml\nproc_creation_win_run_from_zip.yml\nproc_creation_win_susp_cipher.yml\nproc_creation_win_sdelete.yml\nwin_susp_sdelete.yml"
},
{
"techniqueID": "T1546.004",
"score": 1,
"comment": "lnx_auditd_alter_bash_profile.yml"
},
{
"techniqueID": "T1222.002",
"score": 3,
"comment": "lnx_auditd_chattr_immutable_removal.yml\nlnx_auditd_file_or_folder_permissions.yml\nproc_creation_lnx_susp_chmod_directories.yml"
},
{
"techniqueID": "T1027.003",
"score": 5,
"comment": "lnx_auditd_steghide_embed_steganography.yml\nlnx_auditd_steghide_extract_steganography.yml\nlnx_auditd_hidden_zip_files_steganography.yml\nlnx_auditd_unzip_hidden_zip_files_steganography.yml\nproc_creation_win_susp_findstr_lnk.yml"
},
{
"techniqueID": "T1106",
"score": 11,
"comment": "lnx_auditd_bpfdoor_file_accessed.yml\npipe_created_apt_turla_namedpipes.yml\nposh_ps_accessing_win_api.yml\nproc_access_win_direct_syscall_ntopenprocess.yml\nproc_access_win_cobaltstrike_bof_injection_pattern.yml\nproc_access_win_handlekatz_lsass_access.yml\nproc_creation_win_susp_mshta_pattern.yml\nproc_creation_win_redmimicry_winnti_proc.yml\nproc_creation_win_susp_cdb.yml\nproc_creation_win_apt_lazarus_activity_apr21.yml\nproc_creation_win_apt_ta505_dropper.yml"
},
{
"techniqueID": "T1059",
"score": 39,
"comment": "lnx_auditd_bpfdoor_file_accessed.yml\nproc_creation_lnx_susp_java_children.yml\nproc_creation_lnx_python_pty_spawn.yml\nproc_creation_lnx_cve_2022_26134_atlassian_confluence.yml\nazure_new_cloudshell_created.yml\nfile_event_win_pcre_net_temp_file.yml\nimage_load_pcre_net_load.yml\nproc_creation_win_cmd_dosfuscation.yml\nproc_creation_win_network_scan_loop.yml\nproc_creation_win_susp_runscripthelper.yml\nproc_creation_win_apt_turla_commands_medium.yml\nproc_creation_win_susp_sysprep_appdata.yml\nproc_creation_win_lolbin_forfiles.yml\nproc_creation_win_run_powershell_script_from_input_stream.yml\nproc_creation_win_susp_script_exec_from_env_folder.yml\nproc_creation_win_susp_script_exec_from_temp.yml\nproc_creation_win_lolbin_fsharp_interpreters.yml\nproc_creation_win_susp_ftp.yml\nproc_creation_win_cobaltstrike_process_patterns.yml\nproc_creation_win_susp_rasdial_activity.yml\nproc_creation_win_apt_lazarus_activity_dec20.yml\nproc_creation_win_susp_control_cve_2021_40444.yml\nproc_creation_win_apt_lazarus_loader.yml\nproc_creation_win_susp_outlook.yml\nproc_creation_win_apt_turla_commands_critical.yml\nproc_creation_win_apt_revil_kaseya.yml\nproc_creation_win_lolbin_execution_via_winget.yml\nproc_creation_win_multiple_susp_cli.yml\nproc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml\nproc_creation_win_fsutil_symlinkevaluation.yml\nproc_creation_win_hiding_malware_in_fonts_folder.yml\nproc_creation_win_python_pty_spawn.yml\nproc_creation_win_vmtoolsd_susp_child_process.yml\nproc_creation_win_lolbin_pcalua.yml\nproc_creation_win_lolbin_openconsole.yml\nwin_alert_ruler.yml\nwin_defender_amsi_trigger.yml\nwin_defender_threat.yml\nwin_defender_exploit_guard_tamper.yml"
},
{
"techniqueID": "T1123",
"score": 6,
"comment": "lnx_auditd_audio_capture.yml\nlnx_auditd_capabilities_discovery.yml\nregistry_event_susp_mic_cam_access.yml\nproc_creation_win_powershell_audio_capture.yml\nproc_creation_win_soundrec_audio_capture.yml\nwin_camera_microphone_access.yml"
},
{
"techniqueID": "T1562.006",
"score": 4,
"comment": "lnx_auditd_auditing_config_change.yml\nlnx_auditd_logging_config_change.yml\nposh_ps_etw_trace_evasion.yml\nproc_creation_win_etw_trace_evasion.yml"
},
{
"techniqueID": "T1543.002",
"score": 2,
"comment": "lnx_auditd_pers_systemd_reload.yml\nlnx_auditd_systemd_service_creation.yml"
},
{
"techniqueID": "T1059.004",
"score": 8,
"comment": "lnx_auditd_susp_cmds.yml\nproc_creation_lnx_bpftrace_unsafe_option_usage.yml\nlnx_apt_equationgroup_lnx.yml\nlnx_shell_susp_rev_shells.yml\nlnx_shell_susp_commands.yml\nlnx_shell_priv_esc_prep.yml\nlnx_susp_jexboss.yml\naws_ec2_startup_script_change.yml"
},
{
"techniqueID": "T1547.006",
"score": 1,
"comment": "lnx_auditd_load_module_insmod.yml"
},
{
"techniqueID": "T1574.006",
"score": 2,
"comment": "lnx_auditd_ld_so_preload_mod.yml\nlnx_ldso_preload_injection.yml"
},
{
"techniqueID": "T1587",
"score": 5,
"comment": "lnx_auditd_susp_exe_folders.yml\nfile_event_win_winword_cve_2021_40444.yml\nfile_event_win_cve_2021_1675_printspooler.yml\nimage_load_foggyweb_nobelium.yml\nproc_creation_win_purplesharp_indicators.yml"
},
{
"techniqueID": "T1584",
"score": 2,
"comment": "lnx_auditd_susp_exe_folders.yml\nwin_susp_system_update_error.yml"
},
{
"techniqueID": "T1564.001",
"score": 8,
"comment": "lnx_auditd_hidden_files_directories.yml\nregistry_set_powershell_logging_disabled.yml\nregistry_set_hide_file.yml\nregistry_set_add_load_service_in_safe_mode.yml\nproc_creation_win_attrib_hiding_files.yml\nproc_creation_win_attrib_system_susp_paths.yml\nproc_creation_win_icacls_deny.yml\nproc_creation_win_attrib_system.yml"
},
{
"techniqueID": "T1003",
"score": 15,
"comment": "lnx_auditd_keylogging_with_pam_d.yml\nazure_rare_operations.yml\nav_password_dumper.yml\nfile_event_win_mimimaktz_memssp_log_file.yml\nposh_ps_memorydump_getstoragediagnosticinfo.yml\nimage_load_mimikatz_inmemory_detection.yml\nproc_creation_win_shadow_copies_creation.yml\nproc_creation_win_hack_rubeus.yml\nproc_creation_win_susp_esentutl_params.yml\nproc_creation_win_susp_rpcping.yml\nproc_creation_win_susp_reg_open_command.yml\nproc_creation_win_susp_lsass_clone.yml\nfile_access_win_browser_credential_stealing.yml\nwin_mal_wceaux_dll.yml\nwin_security_mal_service_installs.yml"
},
{
"techniqueID": "T1056.001",
"score": 2,
"comment": "lnx_auditd_keylogging_with_pam_d.yml\nposh_ps_keylogging.yml"
},
{
"techniqueID": "T1499",
"score": 1,
"comment": "modsec_mulitple_blocks.yml"
},
{
"techniqueID": "T1140",
"score": 11,
"comment": "proc_creation_lnx_base64_execution.yml\nproc_creation_lnx_susp_pipe_shell.yml\nposh_pm_decompress_commands.yml\nregistry_set_dns_over_https_enabled.yml\nproc_creation_win_susp_cli_escape.yml\nproc_creation_win_susp_mshta_execution.yml\nproc_creation_win_encoded_frombase64string.yml\nproc_creation_win_susp_ping_hex_ip.yml\nproc_creation_win_susp_certutil_command.yml\nproc_creation_win_powershell_frombase64string.yml\nproc_creation_win_powershell_xor_commandline.yml"
},
{
"techniqueID": "T1592.004",
"score": 3,
"comment": "proc_creation_lnx_cat_sudoers.yml\nproc_creation_lnx_susp_recon_indicators.yml\nproc_creation_lnx_susp_history_recon.yml"
},
{
"techniqueID": "T1014",
"score": 1,
"comment": "proc_creation_lnx_triple_cross_rootkit_install.yml"
},
{
"techniqueID": "T1548.003",
"score": 2,
"comment": "lnx_sudo_cve_2019_14287_user.yml\nlnx_sudo_cve_2019_14287.yml"
},
{
"techniqueID": "T1204.001",
"score": 1,
"comment": "lnx_symlink_etc_passwd.yml"
},
{
"techniqueID": "T1548.001",
"score": 1,
"comment": "lnx_pwnkit_local_privilege_escalation.yml"
},
{
"techniqueID": "T1078",
"score": 41,
"comment": "azure_ad_only_single_factor_auth_required.yml\nazure_ad_sign_ins_from_unknown_devices.yml\nazure_user_password_change.yml\nazure_pim_change_settings.yml\nazure_privileged_account_creation.yml\nazure_tap_added.yml\nazure_ad_account_created_deleted.yml\nazure_ad_auth_failure_increase.yml\nazure_ad_auth_sucess_increase.yml\nazure_guest_to_member.yml\nazure_ad_sign_ins_from_noncompliant_devices.yml\nazure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml\nazure_ad_device_registration_or_join_without_mfa.yml\nazure_pim_activation_approve_deny.yml\nazure_ad_users_added_to_device_admin_roles.yml\nazure_federation_modified.yml\nazure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml\nazure_subscription_permissions_elevation_via_activitylogs.yml\nazure_subscription_permissions_elevation_via_auditlogs.yml\nazure_guest_invite_failure.yml\nazure_unusual_authentication_interruption.yml\nazure_app_ropc_authentication.yml\nazure_ad_bitlocker_key_retrieval.yml\nazure_users_authenticating_to_other_azure_ad_tenants.yml\nazure_app_device_code_authentication.yml\nazure_kubernetes_admission_controller.yml\nazure_ad_auth_to_important_apps_using_single_factor_auth.yml\nazure_login_to_disabled_account.yml\nazure_ad_authentications_from_countries_you_do_not_operate_out_of.yml\ngcp_kubernetes_admission_controller.yml\nmicrosoft365_logon_from_risky_ip_address.yml\nmicrosoft365_impossible_travel_activity.yml\naws_lambda_function_created_or_invoked.yml\naws_susp_saml_activity.yml\nposh_pm_susp_reset_computermachinepassword.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_failed_logons_single_source2.yml\nwin_susp_logon_explicit_credentials.yml\nwin_user_added_to_local_administrators.yml\nwin_susp_failed_logon_source.yml\nwin_susp_failed_logons_single_source.yml"
},
{
"techniqueID": "T1078.004",
"score": 3,
"comment": "azure_mfa_denies.yml\nazure_mfa_interrupted.yml\naws_root_account_usage.yml"
},
{
"techniqueID": "T1556",
"score": 1,
"comment": "azure_mfa_disabled.yml"
},
{
"techniqueID": "T1578",
"score": 1,
"comment": "azure_aadhybridhealth_adfs_new_server.yml"
},
{
"techniqueID": "T1562",
"score": 8,
"comment": "azure_kubernetes_events_deleted.yml\ngcp_firewall_rule_modified_or_deleted.yml\naws_securityhub_finding_evasion.yml\nregistry_delete_removal_sd_value_scheduled_task_hide.yml\nproc_creation_win_etw_modification_cmdline.yml\nproc_creation_win_sysmon_driver_unload.yml\nproc_creation_win_write_protect_for_storage_disabled.yml\nwin_system_application_sysmon_crash.yml"
},
{
"techniqueID": "T1552",
"score": 5,
"comment": "azure_keyvault_key_modified_or_deleted.yml\nazure_keyvault_modified_or_deleted.yml\nazure_kubernetes_admission_controller.yml\nazure_keyvault_secrets_modified_or_deleted.yml\ngcp_kubernetes_admission_controller.yml"
},
{
"techniqueID": "T1578.003",
"score": 1,
"comment": "azure_aadhybridhealth_adfs_service_delete.yml"
},
{
"techniqueID": "T1098.003",
"score": 1,
"comment": "azure_ad_user_added_to_admin_role.yml"
},
{
"techniqueID": "T1552.007",
"score": 2,
"comment": "azure_kubernetes_admission_controller.yml\ngcp_kubernetes_admission_controller.yml"
},
{
"techniqueID": "T1484",
"score": 2,
"comment": "azure_pim_alerts_disabled.yml\nazure_ad_device_registration_policy_changes.yml"
},
{
"techniqueID": "T1531",
"score": 3,
"comment": "gcp_service_account_disabled_or_deleted.yml\naws_elasticache_security_group_modified_or_deleted.yml\nposh_ps_susp_remove_adgroupmember.yml"
},
{
"techniqueID": "T1565",
"score": 2,
"comment": "gcp_dlp_re_identifies_sensitive_information.yml\naws_ec2_disable_encryption.yml"
},
{
"techniqueID": "T1020",
"score": 5,
"comment": "microsoft365_susp_inbox_forwarding.yml\naws_ec2_download_userdata.yml\naws_rds_public_db_restore.yml\naws_rds_change_master_password.yml\nposh_ps_upload.yml"
},
{
"techniqueID": "T1573",
"score": 4,
"comment": "microsoft365_activity_from_anonymous_ip_addresses.yml\nmicrosoft365_from_susp_ip_addresses.yml\nmicrosoft365_activity_from_infrequent_country.yml\nposh_ps_susp_ssl_keyword.yml"
},
{
"techniqueID": "T1537",
"score": 4,
"comment": "microsoft365_data_exfiltration_to_unsanctioned_app.yml\naws_snapshot_backup_exfiltration.yml\naws_ec2_vm_export_failure.yml\naws_s3_data_management_tampering.yml"
},
{
"techniqueID": "T1136.003",
"score": 2,
"comment": "microsoft365_new_federated_domain_added.yml\naws_elasticache_security_group_created.yml"
},
{
"techniqueID": "T1486",
"score": 10,
"comment": "microsoft365_potential_ransomware_activity.yml\naws_ec2_disable_encryption.yml\nav_ransomware.yml\nfile_rename_win_ransomware.yml\nfile_event_win_susp_desktop_txt.yml\nproc_creation_win_susp_reg_bitlocker.yml\nproc_creation_win_mal_lockergoga_ransomware.yml\nproc_creation_win_conti_cmd_ransomware.yml\nproc_creation_win_malware_wannacry.yml\nwin_susp_multiple_files_renamed_or_deleted.yml"
},
{
"techniqueID": "T1199",
"score": 1,
"comment": "microsoft365_user_restricted_from_sending_email.yml"
},
{
"techniqueID": "T1592",
"score": 1,
"comment": "aws_enum_listing.yml"
},
{
"techniqueID": "T1525",
"score": 1,
"comment": "aws_ecs_task_definition_backdoor.yml"
},
{
"techniqueID": "T1550",
"score": 3,
"comment": "aws_sts_assumerole_misuse.yml\naws_sts_getsessiontoken_misuse.yml\naws_susp_saml_activity.yml"
},
{
"techniqueID": "T1550.001",
"score": 3,
"comment": "aws_sts_assumerole_misuse.yml\naws_sts_getsessiontoken_misuse.yml\naws_susp_saml_activity.yml"
},
{
"techniqueID": "T1059.003",
"score": 20,
"comment": "aws_ec2_startup_script_change.yml\nposh_ps_susp_execute_batch_script.yml\nproc_creation_win_apt_elise.yml\nproc_creation_win_cobaltstrike_bloopers_cmd.yml\nproc_creation_win_apt_sofacy.yml\nproc_creation_win_commandline_path_traversal.yml\nproc_creation_win_exploit_cve_2020_10189.yml\nproc_creation_win_susp_cmd_http_appdata.yml\nproc_creation_win_jlaive_batch_execution.yml\nproc_creation_win_apt_zxshell.yml\nproc_creation_win_hwp_exploits.yml\nproc_creation_win_redmimicry_winnti_proc.yml\nproc_creation_win_apt_babyshark.yml\nproc_creation_win_susp_crackmapexec_execution.yml\nproc_creation_win_conhost_path_traversal.yml\nproc_creation_win_hack_koadic.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_exploit_cve_2019_1378.yml\nproc_creation_win_cobaltstrike_bloopers_modules.yml\nwin_applocker_file_was_not_allowed_to_run.yml"
},
{
"techniqueID": "T1136",
"score": 1,
"comment": "aws_elasticache_security_group_created.yml"
},
{
"techniqueID": "T1087",
"score": 9,
"comment": "rpc_firewall_sharphound_recon_account.yml\nposh_ps_azurehound_commands.yml\nproc_creation_win_apt_dragonfly.yml\nproc_creation_win_susp_psloglist.yml\nproc_creation_win_susp_commands_recon_activity.yml\nproc_creation_win_webshell_detection.yml\nproc_creation_win_susp_recon_net_activity.yml\nproc_creation_win_webshell_hacking.yml\nwin_alert_ruler.yml"
},
{
"techniqueID": "T1021.003",
"score": 8,
"comment": "rpc_firewall_remote_dcom_or_wmi.yml\nposh_pc_wsman_com_provider_no_powershell.yml\nimage_load_wsman_provider_image_load.yml\nproc_creation_win_impacket_lateralization.yml\nproc_creation_win_mmc_spawn_shell.yml\nproc_creation_win_mmc20_lateral_movement.yml\nsysmon_dcom_iertutil_dll_hijack.yml\nwin_dcom_iertutil_dll_hijack.yml"
},
{
"techniqueID": "T1204",
"score": 7,
"comment": "av_hacktool.yml\nregistry_event_mimikatz_printernightmare.yml\nproc_creation_win_arbitrary_shell_execution_via_settingcontent.yml\nproc_creation_win_mal_ryuk.yml\nproc_creation_win_crime_snatch_ransomware.yml\nproc_creation_win_mal_darkside_ransomware.yml\nproc_creation_win_susp_run_folder.yml"
},
{
"techniqueID": "T1055",
"score": 22,
"comment": "av_printernightmare_cve_2021_34527.yml\npipe_created_mal_cobaltstrike.yml\npipe_created_efspotato_namedpipe.yml\npipe_created_mal_namedpipes.yml\npipe_created_susp_cobaltstrike_pipe_patterns.yml\npipe_created_mal_cobaltstrike_re.yml\nfile_event_win_susp_creation_by_mobsync.yml\nposh_ps_shellcode_b64.yml\nprocess_access_win_shellcode_inject_msf_empire.yml\nproc_access_win_malware_verclsid_shellcode.yml\nimage_load_susp_script_dotnet_clr_dll_load.yml\nimage_load_usp_svchost_clfsw32.yml\nsysmon_susp_remote_thread.yml\nproc_creation_win_susp_userinit_child.yml\nproc_creation_win_malware_dridex.yml\nproc_creation_win_susp_dllhost_no_cli.yml\nproc_creation_win_dinjector.yml\nproc_creation_win_susp_svchost_no_cli.yml\nproc_creation_win_msra_process_injection.yml\nproc_creation_win_susp_rundll32_inline_vbs.yml\nnet_connection_win_notepad_network_connection.yml\nnet_connection_win_susp_outbound_mobsync_connection.yml"
},
{
"techniqueID": "T1588",
"score": 2,
"comment": "av_relevant_files.yml\nwin_av_relevant_match.yml"
},
{
"techniqueID": "T1219",
"score": 19,
"comment": "av_exploiting.yml\nfile_event_win_susp_teamviewer_remote_session.yml\nfile_event_win_gotoopener_artefact.yml\nfile_event_win_tsclient_filewrite_startup.yml\nfile_event_win_anydesk_artefact.yml\nfile_event_win_install_teamviewer_desktop.yml\nfile_event_win_screenconnect_artefact.yml\nproc_creation_win_susp_tscon_localsystem.yml\nproc_creation_win_anydesk_silent_install.yml\nproc_creation_win_anydesk_susp_folder.yml\nproc_creation_win_logmein.yml\nproc_creation_win_anydesk.yml\nproc_creation_win_gotoopener.yml\nproc_creation_win_screenconnect.yml\nproc_creation_win_screenconnect_anomaly.yml\nwin_susp_ntlm_rdp.yml\nwin_software_atera_rmm_agent_install.yml\ndns_query_win_susp_teamviewer.yml\ndns_query_remote_access_software_domains.yml"
},
{
"techniqueID": "T1558",
"score": 3,
"comment": "av_password_dumper.yml\nfile_event_win_mimikatz_kirbi_file_creation.yml\nnet_connection_win_susp_outbound_kerberos_connection.yml"
},
{
"techniqueID": "T1134.001",
"score": 5,
"comment": "pipe_created_koh_default_pipe.yml\nproc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml\ndriver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml\nwin_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml\nwin_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
},
{
"techniqueID": "T1003.005",
"score": 8,
"comment": "pipe_created_cred_dump_tools_named_pipes.yml\nfile_event_win_cred_dump_tools_dropped_files.yml\nproc_creation_win_mimikatz_command_line.yml\nproc_creation_win_cmdkey_recon.yml\nproc_creation_win_grabbing_sensitive_hives_via_reg.yml\ndriver_load_mal_creddumper.yml\nwin_security_mal_creddumper.yml\nwin_mal_creddumper.yml"
},
{
"techniqueID": "T1218",
"score": 83,
"comment": "file_event_win_susp_creation_by_mobsync.yml\nfile_event_win_susp_clr_logs.yml\nposh_pc_susp_athremotefxvgpudisablementcommand.yml\nposh_ps_syncappvpublishingserver_exe.yml\nposh_pm_syncappvpublishingserver_exe.yml\nposh_pm_susp_athremotefxvgpudisablementcommand.yml\nimage_load_tttracer_mod_load.yml\nregistry_set_wab_dllpath_reg_change.yml\nregistry_event_susp_atbroker_change.yml\nproc_creation_win_lolbin_susp_dxcap.yml\nproc_creation_win_lolbin_offlinescannershell.yml\nproc_creation_win_protocolhandler_susp_file.yml\nproc_creation_win_verclsid_runs_com.yml\nproc_creation_win_certoc_execution.yml\nproc_creation_win_susp_diskshadow.yml\nproc_creation_win_false_sysinternalsuite.yml\nproc_creation_win_susp_use_of_te_bin.yml\nproc_creation_win_sdiagnhost_susp_child.yml\nproc_creation_win_susp_print.yml\nproc_creation_win_susp_athremotefxvgpudisablementcommand.yml\nproc_creation_win_lolbin_susp_wsl.yml\nproc_creation_win_dotnet.yml\nproc_creation_win_lolbin_installutil_download.yml\nproc_creation_win_lolbin_mspub_download.yml\nproc_creation_win_infdefaultinstall.yml\nproc_creation_win_lolbin_device_credential_deployment.yml\nproc_creation_win_renamed_megasync.yml\nproc_creation_win_proxy_execution_wuauclt.yml\nproc_creation_win_lolbin_msohtmed_download.yml\nproc_creation_win_susp_mpiexec_lolbin.yml\nproc_creation_win_susp_zipexec.yml\nproc_creation_win_dsacls_password_spray.yml\nproc_creation_win_lolbin_pcwrun.yml\nproc_creation_win_possible_applocker_bypass.yml\nproc_creation_win_susp_dnx.yml\nproc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml\nproc_creation_win_susp_pressynkey_lolbin.yml\nproc_creation_win_lolbin_susp_mpcmdrun_download.yml\nproc_creation_win_dsacls_abuse_permissions.yml\nproc_creation_win_lolbin_msdt_answer_file.yml\nproc_creation_win_lolbin_cmdl32.yml\nproc_creation_win_susp_explorer.yml\nproc_creation_win_susp_devtoolslauncher.yml\nproc_creation_win_mavinject_proc_inj.yml\nproc_creation_win_susp_mofcomp_execution.yml\nproc_creation_win_expand_cabinet_files.yml\nproc_creation_win_lolbin_gpscript.yml\nproc_creation_win_susp_csi.yml\nproc_creation_win_lolbin_tttracer_mod_load.yml\nproc_creation_win_asr_bypass_via_appvlp_re.yml\nproc_creation_win_susp_cdb.yml\nproc_creation_win_lolbin_susp_atbroker.yml\nproc_creation_win_susp_use_of_vsjitdebugger_bin.yml\nproc_creation_win_lolbin_presentationhost.yml\nproc_creation_win_stordiag_execution.yml\nproc_creation_win_shell_spawn_susp_program.yml\nproc_creation_win_lolbin_register_app.yml\nproc_creation_win_lolbin_ie4uinit.yml\nproc_creation_win_cmd_redirection_susp_folder.yml\nproc_creation_win_lolbin_pcwrun_follina.yml\nproc_creation_win_lolbin_class_exec_xwizard.yml\nproc_creation_win_susp_devinit_lolbin.yml\nproc_creation_win_msdeploy.yml\nproc_creation_win_lolbin_rasautou_dll_execution.yml\nproc_creation_win_susp_bginfo.yml\nproc_creation_win_susp_curl_start_combo.yml\nproc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml\nproc_creation_win_workflow_compiler.yml\nproc_creation_win_msdt_susp_parent.yml\nproc_creation_win_susp_wuauclt.yml\nproc_creation_win_susp_registration_via_cscript.yml\nproc_creation_win_lolbin_presentationhost_download.yml\nproc_creation_win_lolbin_visualuiaverifynative.yml\nproc_creation_win_susp_openwith.yml\nproc_creation_win_lolbin_extexport.yml\nproc_creation_win_lolbin_scriptrunner.yml\nproc_creation_win_lolbin_findstr.yml\nproc_creation_win_susp_workfolders.yml\nproc_creation_win_susp_renamed_dctask64.yml\nproc_creation_win_susp_squirrel_lolbin.yml\nnet_connection_win_wuauclt_network_connection.yml\nnet_connection_win_susp_outbound_mobsync_connection.yml\nnet_connection_win_dllhost_net_connections.yml"
},
{
"techniqueID": "T1546.002",
"score": 4,
"comment": "file_event_win_writing_local_admin_share.yml\nfile_event_win_creation_scr_binary_file.yml\nregistry_event_modify_screensaver_binary_path.yml\nproc_creation_win_susp_screensaver_reg.yml"
},
{
"techniqueID": "T1548.002",
"score": 47,
"comment": "file_event_win_uac_bypass_wmp.yml\nfile_event_win_uac_bypass_ieinstal.yml\nfile_event_win_uac_bypass_dotnet_profiler.yml\nfile_event_win_uac_bypass_consent_comctl32.yml\nfile_event_win_uac_bypass_ntfs_reparse_point.yml\nfile_event_win_uac_bypass_winsat.yml\nfile_event_win_uac_bypass_idiagnostic_profile.yml\nfile_event_win_uac_bypass_msconfig_gui.yml\nproc_access_win_uac_bypass_wow64_logger.yml\nproc_access_win_load_undocumented_autoelevated_com_interface.yml\nimage_load_uac_bypass_via_dism.yml\nimage_load_uac_bypass_iscsicpl.yml\nregistry_set_bypass_uac_using_delegateexecute.yml\nregistry_set_uac_bypass_eventvwr.yml\nregistry_set_disable_uac_registry.yml\nregistry_set_uac_bypass_wmp.yml\nregistry_set_bypass_uac_using_silentcleanup_task.yml\nregistry_set_uac_bypass_winsat.yml\nregistry_set_uac_bypass_sdclt.yml\nregistry_event_bypass_via_wsreset.yml\nregistry_event_shell_open_keys_manipulation.yml\nproc_creation_win_uac_bypass_changepk_slui.yml\nproc_creation_win_uac_bypass_ieinstal.yml\nproc_creation_win_uac_bypass_msconfig_gui.yml\nproc_creation_win_uac_bypass_winsat.yml\nproc_creation_win_always_install_elevated_windows_installer.yml\nproc_creation_win_uac_bypass_consent_comctl32.yml\nproc_creation_win_susp_uac_bypass_trustedpath.yml\nproc_creation_win_uac_bypass_cleanmgr.yml\nproc_creation_win_uac_bypass_cmstp.yml\nproc_creation_win_uac_bypass_wsreset.yml\nproc_creation_win_uac_bypass_pkgmgr_dism.yml\nproc_creation_win_susp_explorer_nouaccheck.yml\nproc_creation_win_sdclt_child_process.yml\nproc_creation_win_tools_uac_bypass_computerdefaults.yml\nproc_creation_win_susp_powershell_empire_uac_bypass.yml\nproc_creation_win_sysmon_uac_bypass_eventvwr.yml\nproc_creation_win_uac_bypass_ntfs_reparse_point.yml\nproc_creation_win_hktl_uacme_uac_bypass.yml\nproc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml\nproc_creation_win_uac_bypass_idiagnostic_profile.yml\nproc_creation_win_uac_bypass_wsreset_integrity_level.yml\nproc_creation_win_cmstp_com_object_access.yml\nproc_creation_win_high_integrity_sdclt.yml\nproc_creation_win_uac_bypass_wmp.yml\nproc_creation_win_uac_bypass_dismhost.yml\nproc_creation_win_uac_bypass_fodhelper.yml"
},
{
"techniqueID": "T1547",
"score": 6,
"comment": "file_event_win_ripzip_attack.yml\nregistry_event_runkey_winekey.yml\nregistry_event_susp_atbroker_change.yml\nregistry_event_persistence_recycle_bin.yml\nproc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml\nproc_creation_win_lolbin_susp_grpconv.yml"
},
{
"techniqueID": "T1574.001",
"score": 12,
"comment": "file_event_win_detect_powerup_dllhijacking.yml\nfile_event_win_pingback_backdoor.yml\nfile_event_win_werfault_dll_hijacking.yml\nimage_load_svchost_dll_search_order_hijack.yml\nimage_load_susp_fax_dll.yml\nimage_load_side_load_web_browsers.yml\nimage_load_side_load_antivirus.yml\nimage_load_side_load_from_non_system_location.yml\nimage_load_side_load_office_dlls.yml\nimage_load_pingback_backdoor.yml\nimage_load_side_load_third_party.yml\nproc_creation_win_pingback_backdoor.yml"
},
{
"techniqueID": "T1546.013",
"score": 3,
"comment": "file_event_win_susp_powershell_profile_create.yml\nposh_ps_trigger_profiles.yml\nproc_creation_win_susp_powershell_download_iex.yml"
},
{
"techniqueID": "T1137.003",
"score": 1,
"comment": "file_event_win_outlook_newform.yml"
},
{
"techniqueID": "T1543.003",
"score": 37,
"comment": "file_event_win_moriya_rootkit.yml\nregistry_set_servicedll_hijack.yml\nregistry_set_cobaltstrike_service_installs.yml\nregistry_event_apt_chafer_mar18.yml\nproc_creation_win_dnscmd_discovery.yml\nproc_creation_win_sysinternals_psservice.yml\nproc_creation_win_susp_service_path_modification.yml\nproc_creation_win_susp_new_kernel_driver_via_sc.yml\nproc_creation_win_susp_new_service_creation.yml\nproc_creation_win_apt_chafer_mar18.yml\nproc_creation_win_susp_service_dacl_modification.yml\nproc_creation_win_new_service_creation.yml\nproc_creation_win_modif_of_services_for_via_commandline.yml\ndriver_load_vuln_drivers.yml\ndriver_load_vuln_gigabyte_driver.yml\ndriver_load_vuln_hevd_driver.yml\ndriver_load_vuln_avast_anti_rootkit_driver.yml\ndriver_load_vuln_hw_driver.yml\ndriver_load_vuln_winring0_driver.yml\ndriver_load_susp_temp_use.yml\nwin_apt_chafer_mar18_security.yml\nwin_security_mal_service_installs.yml\nwin_security_cobaltstrike_service_installs.yml\nwin_susp_proceshacker.yml\nwin_apt_carbonpaper_turla.yml\nwin_service_install_pdqdeploy_runner.yml\nwin_apt_stonedrill.yml\nwin_service_install_pdqdeploy.yml\nwin_susp_service_installation_folder_pattern.yml\nwin_susp_service_installation.yml\nwin_rare_service_installs.yml\nwin_apt_chafer_mar18_system.yml\nwin_susp_service_installation_script.yml\nwin_apt_turla_service_png.yml\nwin_susp_service_installation_folder.yml\nwin_moriya_rootkit.yml\nwin_cobaltstrike_service_installs.yml"
},
{
"techniqueID": "T1137",
"score": 6,
"comment": "file_event_win_outlook_c2_macro_creation.yml\nfile_event_win_word_template_creation.yml\nregistry_set_outlook_c2_registry_key.yml\nregistry_set_hidden_extention.yml\nregistry_set_outlook_security.yml\nregistry_set_change_security_zones.yml"
},
{
"techniqueID": "T1008",
"score": 2,
"comment": "file_event_win_outlook_c2_macro_creation.yml\nregistry_set_outlook_c2_registry_key.yml"
},
{
"techniqueID": "T1546",
"score": 8,
"comment": "file_event_win_outlook_c2_macro_creation.yml\nfile_event_win_susp_get_variable.yml\nposh_ps_susp_gwmi.yml\nregistry_set_comhijack_sdclt.yml\nregistry_set_outlook_c2_registry_key.yml\nproc_creation_win_apt_sourgrum.yml\nproc_creation_win_control_panel_item.yml\nproc_creation_win_apt_hafnium.yml"
},
{
"techniqueID": "T1027.004",
"score": 5,
"comment": "file_event_win_csharp_compile_artefact.yml\nproc_creation_win_susp_csc_folder.yml\nproc_creation_win_lolbin_visual_basic_compiler.yml\nproc_creation_win_susp_csc.yml\nproc_creation_win_susp_dnx.yml"
},
{
"techniqueID": "T1546.003",
"score": 12,
"comment": "file_event_win_wmi_persistence_script_event_consumer_write.yml\nsysmon_wmi_susp_encoded_scripts.yml\nsysmon_wmi_event_subscription.yml\nposh_ps_wmi_persistence.yml\nimage_load_scrcons_imageload_wmi_scripteventconsumer.yml\nimage_load_wmi_persistence_commandline_event_consumer.yml\nproc_creation_win_wmi_backdoor_exchange_transport_agent.yml\nproc_creation_win_susp_wmic_eventconsumer_create.yml\nproc_creation_win_wmi_persistence_script_event_consumer.yml\nwin_scrcons_remote_wmi_scripteventconsumer.yml\nwin_security_wmi_persistence.yml\nwin_wmi_persistence.yml"
},
{
"techniqueID": "T1218.011",
"score": 31,
"comment": "file_event_win_apt_unidentified_nov_18.yml\nfile_event_win_new_src_file.yml\nregistry_set_scr_file_executed_by_rundll32.yml\nsysmon_susp_powershell_rundll32.yml\nproc_creation_win_cobaltstrike_load_by_rundll32.yml\nproc_creation_win_crime_fireball.yml\nproc_creation_win_susp_trolleyexpress_procdump.yml\nproc_creation_win_apt_sofacy.yml\nproc_creation_win_susp_rundll32_activity.yml\nproc_creation_win_c3_load_by_rundll32.yml\nproc_creation_win_susp_rundll32_setupapi_installhinfsection.yml\nproc_creation_win_susp_rundll32_script_run.yml\nproc_creation_win_apt_evilnum_jul20.yml\nproc_creation_win_apt_zxshell.yml\nproc_creation_win_lolbin_rundll32_installscreensaver.yml\nproc_creation_win_susp_pcwutl.yml\nproc_creation_win_apt_equationgroup_dll_u_load.yml\nproc_creation_win_redmimicry_winnti_proc.yml\nproc_creation_win_susp_emotet_rundll32_execution.yml\nproc_creation_win_powershell_dll_execution.yml\nproc_creation_win_susp_target_location_shell32.yml\nproc_creation_win_bad_opsec_sacrificial_processes.yml\nproc_creation_win_rundll32_unc_path.yml\nproc_creation_win_susp_rundll32_sys.yml\nproc_creation_win_susp_control_dll_load.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_apt_unidentified_nov_18.yml\nproc_creation_win_malware_notpetya.yml\nproc_creation_win_susp_rundll32_spawn_explorer.yml\nproc_creation_win_susp_rundll32_by_ordinal.yml\nnet_connection_win_rundll32_net_connections.yml"
},
{
"techniqueID": "T1574.002",
"score": 31,
"comment": "file_event_win_iphlpapi_dll_sideloading.yml\nfile_event_win_dll_sideloading_space_path.yml\nimage_load_svchost_dll_search_order_hijack.yml\nimage_load_susp_uncommon_image_load.yml\nimage_load_susp_fax_dll.yml\nimage_load_side_load_web_browsers.yml\nimage_load_vmware_xfer_load_dll_from_nondefault_path.yml\nimage_load_uac_bypass_via_dism.yml\nimage_load_side_load_antivirus.yml\nimage_load_defender_load_dll_from_nondefault_path.yml\nimage_load_side_load_from_non_system_location.yml\nimage_load_side_load_office_dlls.yml\nimage_load_abusing_azure_browser_sso.yml\nimage_load_side_load_third_party.yml\nregistry_set_dhcp_calloutdll.yml\nregistry_event_dns_serverlevelplugindll.yml\nproc_creation_win_susp_gup.yml\nproc_creation_win_lolbin_dll_sideload_xwizard.yml\nproc_creation_win_dns_serverlevelplugindll.yml\nproc_creation_win_dll_sideload_vmware_xfer.yml\nproc_creation_win_task_folder_evasion.yml\nproc_creation_win_apt_winnti_mal_hk_jan20.yml\nproc_creation_win_plugx_susp_exe_locations.yml\nproc_creation_win_dll_sideload_defender.yml\nproc_creation_win_apt_winnti_pipemon.yml\nproc_creation_win_apt_emissarypanda_sep19.yml\nwin_susp_dns_config.yml\nwin_security_mitigations_defender_load_unsigned_dll.yml\nwin_security_mitigations_unsigned_dll_from_susp_location.yml\nwin_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml"
},
{
"techniqueID": "T1547.009",
"score": 4,
"comment": "file_event_win_creation_new_shim_database.yml\nfile_event_win_creation_unquoted_service_path.yml\nfile_event_win_susp_desktop_ini.yml\nwin_net_share_obj_susp_desktop_ini.yml"
},
{
"techniqueID": "T1036.007",
"score": 1,
"comment": "file_event_win_susp_double_extension.yml"
},
{
"techniqueID": "T1587.001",
"score": 9,
"comment": "file_event_win_susp_winword_startup.yml\nfile_event_win_susp_dropper.yml\nfile_event_win_mal_vhd_download.yml\nproc_creation_win_malware_conti.yml\nproc_creation_win_susp_psexex_paexec_escalate_system.yml\nproc_creation_win_apt_mustangpanda.yml\nproc_creation_win_malware_formbook.yml\nproc_creation_win_susp_psexex_paexec_flags.yml\nwin_exchange_proxylogon_oabvirtualdir.yml"
},
{
"techniqueID": "T1195",
"score": 1,
"comment": "file_event_win_mal_octopus_scanner.yml"
},
{
"techniqueID": "T1195.001",
"score": 1,
"comment": "file_event_win_mal_octopus_scanner.yml"
},
{
"techniqueID": "T1542.001",
"score": 2,
"comment": "file_event_win_wpbbin_persistence.yml\nproc_creation_win_wpbbin_persistence.yml"
},
{
"techniqueID": "T1564",
"score": 5,
"comment": "file_event_win_susp_colorcpl.yml\nregistry_event_crashdump_disabled.yml\nproc_creation_win_run_virtualbox.yml\nsysmon_config_modification_status.yml\nsysmon_config_modification_error.yml"
},
{
"techniqueID": "T1216",
"score": 16,
"comment": "file_event_win_winrm_awl_bypass.yml\nposh_ps_cl_invocation_lolscript.yml\nposh_ps_cl_mutexverifiers_lolscript_count.yml\nposh_ps_cl_mutexverifiers_lolscript.yml\nposh_ps_cl_invocation_lolscript_count.yml\nproc_creation_win_lolbin_cl_invocation.yml\nproc_creation_win_lolbin_sigverif.yml\nproc_creation_win_lolbin_cl_loadassembly.yml\nproc_creation_win_manage_bde_lolbas.yml\nproc_creation_win_susp_winrm_execution.yml\nproc_creation_win_susp_pester.yml\nproc_creation_win_susp_winrm_awl_bypass.yml\nproc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml\nproc_creation_win_lolbin_customshellhost.yml\nproc_creation_win_lolbin_utilityfunctions.yml\nproc_creation_win_lolbin_cl_mutexverifiers.yml"
},
{
"techniqueID": "T1137.006",
"score": 3,
"comment": "file_event_win_office_persistence.yml\nposh_ps_office_comobject_registerxll.yml\nregistry_set_office_vsto_persistence.yml"
},
{
"techniqueID": "T1482",
"score": 10,
"comment": "file_event_bloodhound_collection.yml\nposh_ps_azurehound_commands.yml\nproc_creation_win_susp_sharpview.yml\nproc_creation_win_trust_discovery.yml\nproc_creation_win_susp_adfind_usage.yml\nproc_creation_win_nltest_recon.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_malware_trickbot_recon_activity.yml\nwin_lolbas_execution_of_nltest.yml\nwin_ldap_recon.yml"
},
{
"techniqueID": "T1069.002",
"score": 9,
"comment": "file_event_bloodhound_collection.yml\nposh_ps_susp_get_adgroup.yml\nposh_ps_azurehound_commands.yml\nproc_creation_win_susp_sharpview.yml\nproc_creation_win_susp_adfind_usage.yml\nproc_creation_win_hack_bloodhound.yml\nproc_creation_win_susp_net_execution.yml\nwin_susp_net_recon_activity.yml\nwin_ldap_recon.yml"
},
{
"techniqueID": "T1001.003",
"score": 3,
"comment": "file_event_win_susp_adsi_cache_usage.yml\nproc_creation_win_dnscat2_powershell_implementation.yml\nwin_susp_ldap_dataexchange.yml"
},
{
"techniqueID": "T1059.005",
"score": 18,
"comment": "file_event_win_mal_adwind.yml\nsysmon_wmi_susp_scripting.yml\nregistry_set_mal_adwind.yml\nsysmon_cactustorch.yml\nproc_creation_win_malware_script_dropper.yml\nproc_creation_win_malware_qbot.yml\nproc_creation_win_susp_csc.yml\nproc_creation_win_bypass_squiblytwo.yml\nproc_creation_win_apt_cloudhopper.yml\nproc_creation_win_susp_cscript_vbs.yml\nproc_creation_win_susp_script_execution.yml\nproc_creation_win_shell_spawn_susp_program.yml\nproc_creation_win_hack_koadic.yml\nproc_creation_win_mal_adwind.yml\nproc_creation_win_susp_bginfo.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_lolbin_cscript_gathernetworkinfo.yml\nwin_applocker_file_was_not_allowed_to_run.yml"
},
{
"techniqueID": "T1059.007",
"score": 13,
"comment": "file_event_win_mal_adwind.yml\nregistry_set_mal_adwind.yml\nsysmon_cactustorch.yml\nproc_creation_win_susp_mshta_execution.yml\nproc_creation_win_malware_script_dropper.yml\nproc_creation_win_susp_csc.yml\nproc_creation_win_bypass_squiblytwo.yml\nproc_creation_win_susp_script_execution.yml\nproc_creation_win_creative_cloud_node_abuse.yml\nproc_creation_win_hack_koadic.yml\nproc_creation_win_mal_adwind.yml\nproc_creation_win_html_help_spawn.yml\nwin_applocker_file_was_not_allowed_to_run.yml"
},
{
"techniqueID": "T1074.001",
"score": 4,
"comment": "posh_pc_susp_zip_compress.yml\nposh_ps_susp_zip_compress.yml\nposh_pm_susp_zip_compress.yml\nproc_creation_win_susp_zip_compress.yml"
},
{
"techniqueID": "T1484.001",
"score": 2,
"comment": "posh_ps_modify_group_policy_settings.yml\nproc_creation_modify_group_policy_settings.yml"
},
{
"techniqueID": "T1555.003",
"score": 1,
"comment": "posh_ps_access_to_browser_login_data.yml"
},
{
"techniqueID": "T1053.005",
"score": 30,
"comment": "posh_ps_cmdlet_scheduled_task.yml\nregistry_set_taskcache_entry.yml\nregistry_set_telemetry_persistence.yml\nregistry_event_apt_chafer_mar18.yml\nproc_creation_win_schtasks_powershell_windowsapps_execution.yml\nproc_creation_win_susp_schtasks_env_folder.yml\nproc_creation_win_susp_schtasks_change.yml\nproc_creation_win_susp_schtasks_user_temp.yml\nproc_creation_win_susp_schtask_creation_temp_folder.yml\nproc_creation_win_apt_wocao.yml\nproc_creation_win_susp_schtasks_pattern.yml\nproc_creation_win_apt_turla_comrat_may20.yml\nproc_creation_win_apt_chafer_mar18.yml\nproc_creation_win_schtasks_appdata_local_system.yml\nproc_creation_win_powersploit_empire_schtasks.yml\nproc_creation_win_apt_slingshot.yml\nproc_creation_win_susp_schtasks_parent.yml\nproc_creation_win_schtasks_system.yml\nproc_creation_win_susp_schtasks_folder_combos.yml\nproc_creation_win_win10_sched_task_0day.yml\nproc_creation_win_schtasks_reg_loader.yml\nproc_creation_win_apt_actinium_persistence.yml\nproc_creation_win_susp_schtask_creation.yml\nwin_rare_schtask_creation.yml\nwin_gpo_scheduledtasks.yml\nwin_scheduled_task_deletion.yml\nwin_apt_chafer_mar18_security.yml\nwin_rare_schtasks_creations.yml\nwin_apt_wocao.yml\nwin_apt_chafer_mar18_system.yml"
},
{
"techniqueID": "T1555",
"score": 4,
"comment": "posh_ps_enumerate_password_windows_credential_manager.yml\nposh_ps_dump_password_windows_credential_manager.yml\nproc_creation_win_susp_servu_process_pattern.yml\nproc_creation_win_hack_secutyxploded.yml"
},
{
"techniqueID": "T1560",
"score": 2,
"comment": "posh_ps_data_compressed.yml\nproc_creation_win_malware_conti_7zip.yml"
},
{
"techniqueID": "T1546.015",
"score": 7,
"comment": "posh_ps_susp_gettypefromclsid.yml\nregistry_set_persistence_appx_debugger.yml\nregistry_set_persistence_com_hijacking_susp_locations.yml\nregistry_set_persistence_search_order.yml\nregistry_add_persistence_key_linking.yml\nproc_creation_win_apt_sourgrum.yml\nproc_creation_win_rundll32_registered_com_objects.yml"
},
{
"techniqueID": "T1491.001",
"score": 1,
"comment": "posh_ps_susp_wallpaper.yml"
},
{
"techniqueID": "T1218.007",
"score": 7,
"comment": "posh_ps_win32_product_install_msi.yml\nproc_creation_win_msiexec_install_quiet.yml\nproc_creation_win_susp_msiexec_web_install.yml\nproc_creation_win_msiexec_dll.yml\nproc_creation_win_msiexec_execute_dll.yml\nproc_creation_win_msiexec_embedding.yml\nnet_connection_win_msiexec.yml"
},
{
"techniqueID": "T1114.001",
"score": 1,
"comment": "posh_ps_susp_mail_acces.yml"
},
{
"techniqueID": "T1518",
"score": 2,
"comment": "posh_ps_software_discovery.yml\nproc_creation_win_software_discovery.yml"
},
{
"techniqueID": "T1556.002",
"score": 2,
"comment": "posh_ps_copy_item_system32.yml\nproc_creation_win_credential_access_via_password_filter.yml"
},
{
"techniqueID": "T1553.005",
"score": 3,
"comment": "posh_ps_run_from_mount_diskimage.yml\nposh_ps_susp_mount_diskimage.yml\nposh_ps_susp_unblock_file.yml"
},
{
"techniqueID": "T1070",
"score": 11,
"comment": "posh_ps_etw_trace_evasion.yml\nposh_ps_clearing_windows_console_history.yml\nimage_load_susp_advapi32_dll.yml\nimage_load_susp_dll_load_system_process.yml\nregistry_delete_mstsc_history_cleared.yml\nproc_creation_win_susp_bcdedit.yml\nproc_creation_win_sysmon_driver_unload.yml\nproc_creation_win_etw_trace_evasion.yml\nproc_creation_win_shadow_copies_deletion.yml\nproc_creation_win_susp_fsutil_usage.yml\nwin_exchange_proxyshell_remove_mailbox_export.yml"
},
{
"techniqueID": "T1217",
"score": 3,
"comment": "posh_ps_get_childitem_bookmarks.yml\nproc_creation_win_susp_dir.yml\nproc_creation_win_susp_where_execution.yml"
},
{
"techniqueID": "T1069",
"score": 1,
"comment": "posh_ps_azurehound_commands.yml"
},
{
"techniqueID": "T1564.003",
"score": 2,
"comment": "posh_ps_susp_windowstyle.yml\nproc_creation_win_susp_covenant.yml"
},
{
"techniqueID": "T1564.006",
"score": 2,
"comment": "posh_ps_susp_hyper_v_condlet.yml\nproc_creation_win_run_virtualbox.yml"
},
{
"techniqueID": "T1615",
"score": 3,
"comment": "posh_ps_susp_get_gpo.yml\nproc_creation_win_sharpup.yml\nproc_creation_win_susp_gpresult.yml"
},
{
"techniqueID": "T1136.002",
"score": 2,
"comment": "posh_ps_directoryservices_accountmanagement.yml\nwin_susp_local_anon_logon_created.yml"
},
{
"techniqueID": "T1070.005",
"score": 3,
"comment": "posh_ps_susp_mounted_share_deletion.yml\nregistry_set_disable_administrative_share.yml\nproc_creation_win_susp_mounted_share_deletion.yml"
},
{
"techniqueID": "T1090",
"score": 5,
"comment": "posh_ps_susp_proxy_scripts.yml\nregistry_event_portproxy_registry_key.yml\nproc_creation_win_netsh_port_fwd.yml\nproc_creation_win_netsh_port_fwd_3389.yml\nwin_terminalservices_rdp_ngrok.yml"
},
{
"techniqueID": "T1574.012",
"score": 2,
"comment": "posh_ps_cor_profiler.yml\nregistry_set_enabling_cor_profiler_env_variables.yml"
},
{
"techniqueID": "T1564.004",
"score": 15,
"comment": "posh_ps_store_file_in_alternate_data_stream.yml\nposh_ps_ntfs_ads_access.yml\nproc_creation_win_lolbin_extrac32_ads.yml\nproc_creation_win_lolbin_printbrm.yml\nproc_creation_win_ntfs_short_name_use_cli.yml\nproc_creation_win_lolbin_diantz_ads.yml\nproc_creation_win_ntfs_short_name_path_use_image.yml\nproc_creation_win_redirect_to_stream.yml\nproc_creation_win_alternate_data_streams.yml\nproc_creation_win_ntfs_short_name_use_image.yml\nproc_creation_win_run_powershell_script_from_ads.yml\nproc_creation_win_ntfs_short_name_path_use_cli.yml\nproc_creation_win_lolbin_findstr.yml\nsysmon_regedit_export_to_ads.yml\nsysmon_ads_executable.yml"
},
{
"techniqueID": "T1202",
"score": 25,
"comment": "posh_ps_susp_follina_execution.yml\nimage_load_msdt_sdiageng.yml\nregistry_set_custom_file_open_handler_powershell_execution.yml\nproc_creation_win_susp_renamed_paexec.yml\nproc_creation_win_susp_rundll32_no_params.yml\nproc_creation_win_msdt_susp_cab_options.yml\nproc_creation_win_susp_runscripthelper.yml\nproc_creation_win_false_sysinternalsuite.yml\nproc_creation_win_indirect_cmd.yml\nproc_creation_win_lolbin_susp_wsl.yml\nproc_creation_win_susp_zipexec.yml\nproc_creation_win_msdt_diagcab.yml\nproc_creation_win_susp_findstr_lnk.yml\nproc_creation_win_susp_ftp.yml\nproc_creation_win_lolbin_cmdl32.yml\nproc_creation_win_msdt.yml\nproc_creation_win_susp_splwow64.yml\nproc_creation_win_susp_conhost.yml\nproc_creation_win_susp_outlook.yml\nproc_creation_win_lolbin_winword.yml\nproc_creation_win_susp_conhost_option.yml\nproc_creation_win_susp_service_dir.yml\nproc_creation_win_susp_bginfo.yml\nproc_creation_win_lolbin_bash.yml\nproc_creation_win_susp_renamed_dctask64.yml"
},
{
"techniqueID": "T1497.001",
"score": 1,
"comment": "posh_ps_detect_vm_env.yml"
},
{
"techniqueID": "T1110.001",
"score": 3,
"comment": "posh_ps_susp_networkcredential.yml\nproc_creation_win_hack_hydra.yml\nwin_susp_failed_guest_logon.yml"
},
{
"techniqueID": "T1003.006",
"score": 8,
"comment": "posh_ps_get_adreplaccount.yml\nproc_creation_win_mimikatz_command_line.yml\ndriver_load_mal_creddumper.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_security_mal_creddumper.yml\nwin_ad_replication_non_machine_account.yml\nwin_mal_creddumper.yml"
},
{
"techniqueID": "T1120",
"score": 2,
"comment": "posh_ps_susp_win32_pnpentity.yml\nproc_creation_win_fsutil_drive_enumeration.yml"
},
{
"techniqueID": "T1574.011",
"score": 6,
"comment": "posh_ps_get_acl_service.yml\nproc_creation_win_using_sc_to_hide_sevices.yml\nproc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml\nproc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml\nproc_creation_win_modif_of_services_for_via_commandline.yml\nproc_creation_win_reg_service_imagepath_change.yml"
},
{
"techniqueID": "T1055.001",
"score": 8,
"comment": "proc_access_win_in_memory_assembly_execution.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_createremotethread_loadlibrary.yml\nproc_creation_win_mavinject_proc_inj.yml\nproc_creation_win_apt_taidoor.yml\nproc_creation_win_susp_tracker_execution.yml\nproc_creation_win_susp_dctask64_proc_inject.yml\nproc_creation_win_susp_renamed_dctask64.yml"
},
{
"techniqueID": "T1055.002",
"score": 1,
"comment": "proc_access_win_in_memory_assembly_execution.yml"
},
{
"techniqueID": "T1218.003",
"score": 5,
"comment": "proc_access_win_cmstp_execution_by_access.yml\nregistry_event_cmstp_execution_by_registry.yml\nproc_creation_win_uac_bypass_cmstp.yml\nproc_creation_win_cmstp_execution_by_creation.yml\nproc_creation_win_cmstp_com_object_access.yml"
},
{
"techniqueID": "T1559.001",
"score": 4,
"comment": "proc_access_win_cmstp_execution_by_access.yml\ndns_query_win_regsvr32_network_activity.yml\nnet_connection_win_dllhost_net_connections.yml\nnet_connection_win_regsvr32_network_activity.yml"
},
{
"techniqueID": "T1562.002",
"score": 7,
"comment": "proc_access_win_invoke_phantom.yml\nregistry_set_disable_winevt_logging.yml\nproc_creation_win_sysmon_driver_unload.yml\nproc_creation_win_susp_nt_resource_kit_auditpol_usage.yml\nproc_creation_win_iis_http_logging.yml\nproc_creation_win_sus_auditpol_usage.yml\nwin_disable_event_logging.yml"
},
{
"techniqueID": "T1055.003",
"score": 2,
"comment": "proc_access_win_littlecorporal_generated_maldoc.yml\ncreate_remote_thread_win_susp_targets.yml"
},
{
"techniqueID": "T1071",
"score": 6,
"comment": "image_load_silenttrinity_stage_use.yml\nproc_creation_win_apt_gallium.yml\nproc_creation_win_apt_gallium_sha1.yml\nproc_creation_win_dnscat2_powershell_implementation.yml\nproc_creation_win_silenttrinity_stage_use.yml\nwin_apt_gallium.yml"
},
{
"techniqueID": "T1574",
"score": 7,
"comment": "image_load_spoolsv_dll_load.yml\nregistry_set_susp_printer_driver.yml\nregistry_set_dbgmanageddebugger_persistence.yml\nproc_creation_win_susp_regsvr32_no_dll.yml\nproc_creation_win_susp_register_cimprovider.yml\nproc_creation_win_exploit_cve_2019_1378.yml\nfile_delete_win_cve_2021_1675_printspooler_del.yml"
},
{
"techniqueID": "T1220",
"score": 3,
"comment": "image_load_wmic_remote_xsl_scripting_dlls.yml\nproc_creation_win_bypass_squiblytwo.yml\nproc_creation_win_xsl_script_processing.yml"
},
{
"techniqueID": "T1027.002",
"score": 1,
"comment": "image_load_susp_python_image_load.yml"
},
{
"techniqueID": "T1006",
"score": 1,
"comment": "sysmon_raw_disk_access_using_illegitimate_tools.yml"
},
{
"techniqueID": "T1112",
"score": 59,
"comment": "registry_set_cve_2020_1048_new_printer_port.yml\nregistry_set_disallowrun_execution.yml\nregistry_set_fax_change_service_user.yml\nregistry_set_etw_disabled.yml\nregistry_set_wdigest_enable_uselogoncredential.yml\nregistry_set_suppress_defender_notifications.yml\nregistry_set_abusing_windows_telemetry_for_persistence.yml\nregistry_set_office_security.yml\nregistry_set_disable_fonction_user.yml\nregistry_set_outlook_registry_todaypage.yml\nregistry_set_creation_service_uncommon_folder.yml\nregistry_set_ie_persistence.yml\nregistry_set_disable_security_center_notifications.yml\nregistry_set_terminal_server_tampering.yml\nregistry_set_mal_blue_mockingbird.yml\nregistry_set_dns_over_https_enabled.yml\nregistry_set_fax_dll_persistance.yml\nregistry_set_allow_rdp_remote_assistance_feature.yml\nregistry_set_creation_service_susp_folder.yml\nregistry_set_dhcp_calloutdll.yml\nregistry_set_set_nopolicies_user.yml\nregistry_set_blackbyte_ransomware.yml\nregistry_set_hide_fonction_user.yml\nregistry_set_outlook_registry_webview.yml\nregistry_add_mal_ursnif.yml\nregistry_add_mal_netwire.yml\nregistry_delete_mstsc_history_cleared.yml\nregistry_delete_removal_com_hijacking_registry_key.yml\nregistry_event_crashdump_disabled.yml\nregistry_event_mal_flowcloud.yml\nregistry_event_disable_security_events_logging_adding_reg_key_minint.yml\nregistry_event_apt_oceanlotus_registry.yml\nregistry_event_disable_wdigest_credential_guard.yml\nregistry_event_dns_serverlevelplugindll.yml\nregistry_event_net_ntlm_downgrade.yml\nregistry_event_runonce_persistence.yml\nregistry_event_redmimicry_winnti_reg.yml\nregistry_event_apt_chafer_mar18.yml\nregistry_event_mal_azorult.yml\nproc_creation_win_susp_vboxdrvinst.yml\nproc_creation_win_dns_serverlevelplugindll.yml\nproc_creation_win_regedit_import_keys_ads.yml\nproc_creation_win_non_priv_reg_or_ps.yml\nproc_creation_win_susp_runonce_execution.yml\nproc_creation_win_regini_ads.yml\nproc_creation_win_apt_chafer_mar18.yml\nproc_creation_win_reg_enable_rdp.yml\nproc_creation_win_mal_blue_mockingbird.yml\nproc_creation_win_regedit_import_keys.yml\nproc_creation_win_susp_shimcache_flush.yml\nproc_creation_win_reg_import_from_suspicious_paths.yml\nproc_creation_win_abusing_windows_telemetry_for_persistence.yml\nproc_creation_win_regini.yml\nproc_creation_win_susp_reg_add.yml\nwin_apt_chafer_mar18_security.yml\nwin_etw_modification.yml\nwin_sysmon_channel_reference_deletion.yml\nwin_net_ntlm_downgrade.yml\nwin_apt_chafer_mar18_system.yml"
},
{
"techniqueID": "T1588.002",
"score": 4,
"comment": "registry_set_susp_keyboard_layout_load.yml\nregistry_add_sysinternals_eula_accepted.yml\nproc_creation_win_susp_renamed_debugview.yml\nproc_creation_win_sysinternals_eula_accepted.yml"
},
{
"techniqueID": "T1546.012",
"score": 3,
"comment": "registry_set_susp_app_paths_persistence.yml\nregistry_set_silentprocessexit.yml\nregistry_set_globalflags_persistence.yml"
},
{
"techniqueID": "T1546.009",
"score": 2,
"comment": "registry_set_asep_reg_keys_modification_session_manager.yml\nregistry_event_new_dll_added_to_appcertdlls_registry_key.yml"
},
{
"techniqueID": "T1547.010",
"score": 3,
"comment": "registry_set_bypass_uac_using_eventviewer.yml\nregistry_set_change_rdp_port.yml\nregistry_set_add_port_monitor.yml"
},
{
"techniqueID": "T1221",
"score": 1,
"comment": "registry_set_cve_2022_30190_msdt_follina.yml"
},
{
"techniqueID": "T1547.003",
"score": 1,
"comment": "registry_set_timeproviders_dllname.yml"
},
{
"techniqueID": "T1133",
"score": 4,
"comment": "registry_set_chrome_extension.yml\nproc_creation_win_susp_add_user_remote_desktop.yml\nproc_creation_win_susp_screenconnect_access.yml\nwin_susp_failed_logon_source.yml"
},
{
"techniqueID": "T1546.011",
"score": 2,
"comment": "registry_set_shim_databases_persistence.yml\nproc_creation_win_sdbinst_shim_persistence.yml"
},
{
"techniqueID": "T1559.002",
"score": 1,
"comment": "registry_set_office_enable_dde.yml"
},
{
"techniqueID": "T1553.003",
"score": 1,
"comment": "registry_set_sip_persistence.yml"
},
{
"techniqueID": "T1037.001",
"score": 2,
"comment": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml\nproc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml"
},
{
"techniqueID": "T1546.010",
"score": 1,
"comment": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml"
},
{
"techniqueID": "T1137.002",
"score": 1,
"comment": "registry_event_office_test_regadd.yml"
},
{
"techniqueID": "T1546.008",
"score": 4,
"comment": "registry_event_stickykey_like_backdoor.yml\nproc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml\nproc_creation_win_install_reg_debugger_backdoor.yml\nproc_creation_win_stickykey_like_backdoor.yml"
},
{
"techniqueID": "T1547.008",
"score": 1,
"comment": "registry_event_susp_lsass_dll_load.yml"
},
{
"techniqueID": "T1125",
"score": 1,
"comment": "registry_event_susp_mic_cam_access.yml"
},
{
"techniqueID": "T1547.005",
"score": 1,
"comment": "registry_event_ssp_added_lsa_config.yml"
},
{
"techniqueID": "T1608",
"score": 1,
"comment": "registry_event_hybridconnectionmgr_svc_installation.yml"
},
{
"techniqueID": "T1546.001",
"score": 3,
"comment": "registry_event_shell_open_keys_manipulation.yml\nproc_creation_win_change_default_file_association.yml\nproc_creation_win_change_default_file_assoc_susp.yml"
},
{
"techniqueID": "T1003.007",
"score": 1,
"comment": "registry_event_silentprocessexit_lsass.yml"
},
{
"techniqueID": "T1555.005",
"score": 1,
"comment": "sysmon_password_dumper_keepass.yml"
},
{
"techniqueID": "T1127",
"score": 15,
"comment": "create_remote_thread_win_ttdinjec.yml\nproc_creation_win_lolbin_ttdinject.yml\nproc_creation_win_lolbin_aspnet_compiler.yml\nproc_creation_win_lolbin_ilasm.yml\nproc_creation_win_susp_use_of_sqlps_bin.yml\nproc_creation_win_lolbin_jsc.yml\nproc_creation_win_lolbin_wfc.yml\nproc_creation_win_lolbin_vsiisexelauncher.yml\nproc_creation_win_susp_cdb.yml\nproc_creation_win_creative_cloud_node_abuse.yml\nproc_creation_win_susp_use_of_sqltoolsps_bin.yml\nproc_creation_win_lolbin_remote.yml\nproc_creation_win_workflow_compiler.yml\nproc_creation_win_lolbin_mftrace.yml\nproc_creation_win_susp_use_of_csharp_console.yml"
},
{
"techniqueID": "T1055.012",
"score": 2,
"comment": "sysmon_cactustorch.yml\nsysmon_process_hollowing.yml"
},
{
"techniqueID": "T1218.005",
"score": 9,
"comment": "sysmon_cactustorch.yml\nproc_creation_win_mshta_spawn_shell.yml\nproc_creation_win_susp_mshta_execution.yml\nproc_creation_win_mshta_http.yml\nproc_creation_win_mshta_javascript.yml\nproc_creation_win_susp_csc.yml\nproc_creation_win_possible_applocker_bypass.yml\nproc_creation_win_lethalhta.yml\nproc_creation_win_apt_babyshark.yml"
},
{
"techniqueID": "T1218.008",
"score": 1,
"comment": "proc_creation_win_susp_odbcconf.yml"
},
{
"techniqueID": "T1134.002",
"score": 5,
"comment": "proc_creation_win_susp_child_process_as_system_.yml\nproc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml\ndriver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml\nwin_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml\nwin_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
},
{
"techniqueID": "T1555.004",
"score": 2,
"comment": "proc_creation_win_susp_vaultcmd.yml\nproc_creation_win_susp_rundll32_keymgr.yml"
},
{
"techniqueID": "T1563.002",
"score": 2,
"comment": "proc_creation_win_rdp_hijack_shadowing.yml\nproc_creation_win_susp_tscon_rdp_redirect.yml"
},
{
"techniqueID": "T1218.001",
"score": 3,
"comment": "proc_creation_win_hh_chm.yml\nproc_creation_win_rundll32_not_from_c_drive.yml\nproc_creation_win_html_help_spawn.yml"
},
{
"techniqueID": "T1218.010",
"score": 16,
"comment": "proc_creation_win_lolbins_by_office_applications.yml\nproc_creation_win_susp_regsvr32_spawn_explorer.yml\nproc_creation_win_apt_empiremonkey.yml\nproc_creation_win_office_applications_spawning_wmi_commandline.yml\nproc_creation_win_lolbins_with_wmiprvse_parent_process.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload.yml\nproc_creation_win_susp_regsvr32_image.yml\nproc_creation_win_susp_regsvr32_http_pattern.yml\nproc_creation_win_susp_regsvr32_flags_anomaly.yml\nproc_creation_win_office_spawning_wmi_commandline.yml\nproc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml\nproc_creation_win_html_help_spawn.yml\nproc_creation_win_apt_bluemashroom.yml\nproc_creation_win_susp_regsvr32_anomalies.yml\ndns_query_win_regsvr32_network_activity.yml\nnet_connection_win_regsvr32_network_activity.yml"
},
{
"techniqueID": "T1542.003",
"score": 1,
"comment": "proc_creation_win_susp_bcdedit.yml"
},
{
"techniqueID": "T1569",
"score": 4,
"comment": "proc_creation_win_susp_psexec_eula.yml\nwin_exploit_cve_2021_1675_printspooler_operational.yml\nwin_exploit_cve_2021_1675_printspooler.yml\nwin_exploit_cve_2021_1675_printspooler_security.yml"
},
{
"techniqueID": "T1021",
"score": 1,
"comment": "proc_creation_win_susp_psexec_eula.yml"
},
{
"techniqueID": "T1552.006",
"score": 3,
"comment": "proc_creation_win_findstr_lsass.yml\nproc_creation_win_findstr_gpp_passwords.yml\nproc_creation_win_susp_sysvol_access.yml"
},
{
"techniqueID": "T1090.003",
"score": 2,
"comment": "proc_creation_win_tor_browser.yml\ndns_query_win_tor_onion.yml"
},
{
"techniqueID": "T1584.006",
"score": 1,
"comment": "proc_creation_win_mailboxexport_share.yml"
},
{
"techniqueID": "T1114",
"score": 2,
"comment": "proc_creation_win_powershell_snapins_hafnium.yml\nwin_alert_ruler.yml"
},
{
"techniqueID": "T1036",
"score": 25,
"comment": "proc_creation_win_susp_calc.yml\nproc_creation_win_sdiagnhost_susp_child.yml\nproc_creation_win_proc_dump_createdump.yml\nproc_creation_win_susp_procdump_lsass.yml\nproc_creation_win_proc_dump_susp_dumpminitool.yml\nproc_creation_win_procdump_evasion.yml\nproc_creation_win_proc_dump_rdrleakdiag.yml\nproc_creation_win_xordump.yml\nproc_creation_win_system_exe_anomaly.yml\nproc_creation_win_proc_dump_dumpminitool.yml\nproc_creation_win_susp_findstr_lnk.yml\nproc_creation_win_commandline_path_traversal_evasion.yml\nproc_creation_win_susp_taskmgr_localsystem.yml\nproc_creation_win_susp_taskmgr_parent.yml\nproc_creation_win_renamed_plink.yml\nproc_creation_win_susp_explorer_break_proctree.yml\nproc_creation_win_susp_run_locations.yml\nproc_creation_win_susp_codepage_switch.yml\nproc_creation_win_procdump.yml\nproc_creation_win_detecting_fake_instances_of_hxtsr.yml\nproc_creation_win_susp_execution_path.yml\nproc_creation_win_msdt_susp_parent.yml\nproc_creation_win_process_dump_rundll32_comsvcs.yml\nproc_creation_win_susp_renamed_dctask64.yml\nwin_new_or_renamed_user_account_with_dollar_sign.yml"
},
{
"techniqueID": "T1027.005",
"score": 2,
"comment": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml\nwin_susp_sdelete.yml"
},
{
"techniqueID": "T1550.003",
"score": 3,
"comment": "proc_creation_win_hack_rubeus.yml\nproc_creation_win_hack_krbrelayup.yml\nnet_connection_win_susp_outbound_kerberos_connection.yml"
},
{
"techniqueID": "T1135",
"score": 7,
"comment": "proc_creation_win_apt_turla_commands_medium.yml\nproc_creation_win_susp_sharpview.yml\nproc_creation_win_malware_dridex.yml\nproc_creation_win_advanced_port_scanner.yml\nproc_creation_win_advanced_ip_scanner.yml\nproc_creation_win_apt_turla_commands_critical.yml\nproc_creation_win_susp_net_execution.yml"
},
{
"techniqueID": "T1012",
"score": 10,
"comment": "proc_creation_win_regedit_export_critical_keys.yml\nproc_creation_win_apt_wocao.yml\nproc_creation_win_regedit_export_keys.yml\nproc_creation_win_apt_babyshark.yml\nproc_creation_win_query_registry.yml\nwin_syskey_registry_access.yml\nwin_aadhealth_svc_agent_regkey_access.yml\nwin_sam_registry_hive_handle_request.yml\nwin_aadhealth_mon_agent_regkey_access.yml\nwin_apt_wocao.yml"
},
{
"techniqueID": "T1570",
"score": 2,
"comment": "proc_creation_win_rundll32_without_parameters.yml\nwin_security_metasploit_or_impacket_smb_psexec_service_install.yml"
},
{
"techniqueID": "T1036.004",
"score": 2,
"comment": "proc_creation_win_apt_wocao.yml\nwin_apt_wocao.yml"
},
{
"techniqueID": "T1039",
"score": 2,
"comment": "proc_creation_win_susp_copy_lateral_movement.yml\nwin_susp_raccess_sensitive_fext.yml"
},
{
"techniqueID": "T1559",
"score": 1,
"comment": "proc_creation_win_malware_trickbot_wermgr.yml"
},
{
"techniqueID": "T1176",
"score": 1,
"comment": "proc_creation_win_chrome_load_extension.yml"
},
{
"techniqueID": "T1218.013",
"score": 1,
"comment": "proc_creation_win_creation_mavinject_dll.yml"
},
{
"techniqueID": "T1056.004",
"score": 1,
"comment": "proc_creation_win_creation_mavinject_dll.yml"
},
{
"techniqueID": "T1539",
"score": 1,
"comment": "proc_creation_win_sqlite_firefox_cookies.yml"
},
{
"techniqueID": "T1489",
"score": 4,
"comment": "proc_creation_win_susp_taskkill.yml\nproc_creation_win_susp_schtasks_disable.yml\nproc_creation_win_service_stop.yml\nwin_builtin_remove_application.yml"
},
{
"techniqueID": "T1222.001",
"score": 4,
"comment": "proc_creation_win_file_permission_modifications.yml\nproc_creation_win_susp_takeown.yml\nproc_creation_win_malware_wannacry.yml\nwin_ad_object_writedac_access.yml"
},
{
"techniqueID": "T1218.004",
"score": 1,
"comment": "proc_creation_win_possible_applocker_bypass.yml"
},
{
"techniqueID": "T1218.009",
"score": 1,
"comment": "proc_creation_win_possible_applocker_bypass.yml"
},
{
"techniqueID": "T1127.001",
"score": 2,
"comment": "proc_creation_win_possible_applocker_bypass.yml\nnet_connection_win_silenttrinity_stager_msbuild_activity.yml"
},
{
"techniqueID": "T1614.001",
"score": 1,
"comment": "proc_creation_win_susp_codepage_lookup.yml"
},
{
"techniqueID": "T1134.004",
"score": 1,
"comment": "proc_creation_win_selectmyparent.yml"
},
{
"techniqueID": "T1218.002",
"score": 1,
"comment": "proc_creation_win_control_panel_item.yml"
},
{
"techniqueID": "T1059.006",
"score": 2,
"comment": "proc_creation_win_susp_file_characteristics.yml\nwin_applocker_file_was_not_allowed_to_run.yml"
},
{
"techniqueID": "T1072",
"score": 2,
"comment": "proc_creation_win_susp_csi.yml\nproc_creation_win_susp_radmin.yml"
},
{
"techniqueID": "T1021.005",
"score": 1,
"comment": "proc_creation_win_apt_gamaredon_ultravnc.yml"
},
{
"techniqueID": "T1552.002",
"score": 3,
"comment": "proc_creation_win_enumeration_for_credentials_in_registry.yml\nproc_creation_win_enumeration_for_credentials_cli.yml\nwin_sam_registry_hive_handle_request.yml"
},
{
"techniqueID": "T1574.008",
"score": 1,
"comment": "proc_creation_win_using_settingsynchost_as_lolbin.yml"
},
{
"techniqueID": "T1070.001",
"score": 8,
"comment": "proc_creation_win_susp_disable_eventlog.yml\nproc_creation_win_malware_notpetya.yml\nproc_creation_win_susp_eventlog_clear.yml\nwin_event_log_cleared.yml\nwin_susp_eventlog_cleared.yml\nwin_system_susp_eventlog_cleared.yml\nwin_eventlog_cleared.yml\nwin_defender_history_delete.yml"
},
{
"techniqueID": "T1562.010",
"score": 1,
"comment": "proc_creation_win_reg_lsass_ppl.yml"
},
{
"techniqueID": "T1048.001",
"score": 1,
"comment": "proc_creation_win_dns_exfiltration_tools_execution.yml"
},
{
"techniqueID": "T1132.001",
"score": 1,
"comment": "proc_creation_win_dns_exfiltration_tools_execution.yml"
},
{
"techniqueID": "T1216.001",
"score": 2,
"comment": "proc_creation_win_lolbin_launch_vsdevshell.yml\nproc_creation_win_lolbin_pubprn.yml"
},
{
"techniqueID": "T1553",
"score": 1,
"comment": "proc_creation_win_susp_razorinstaller_explorer.yml"
},
{
"techniqueID": "T1546.007",
"score": 1,
"comment": "proc_creation_win_susp_netsh_dll_persistence.yml"
},
{
"techniqueID": "T1574.005",
"score": 1,
"comment": "proc_creation_win_sharpup.yml"
},
{
"techniqueID": "T1104",
"score": 1,
"comment": "proc_creation_win_susp_ps_downloadfile.yml"
},
{
"techniqueID": "T1007",
"score": 3,
"comment": "proc_creation_win_susp_net_execution.yml\nproc_creation_win_query_registry.yml\nproc_creation_win_susp_sc_query.yml"
},
{
"techniqueID": "T1211",
"score": 3,
"comment": "proc_creation_win_hiding_malware_in_fonts_folder.yml\nwin_susp_msmpeng_crash.yml\nwin_audit_cve.yml"
},
{
"techniqueID": "T1110.002",
"score": 1,
"comment": "proc_creation_win_hashcat.yml"
},
{
"techniqueID": "T1505.002",
"score": 3,
"comment": "proc_creation_win_win_exchange_transportagent.yml\nwin_exchange_transportagent.yml\nwin_exchange_transportagent_failed.yml"
},
{
"techniqueID": "T1185",
"score": 1,
"comment": "proc_creation_win_chrome_remote_debugging.yml"
},
{
"techniqueID": "T1599.001",
"score": 1,
"comment": "driver_load_windivert.yml"
},
{
"techniqueID": "T1543",
"score": 2,
"comment": "driver_load_vuln_dell_driver.yml\nwin_security_krbrelayup_service_installation.yml"
},
{
"techniqueID": "T1554",
"score": 3,
"comment": "win_hybridconnectionmgr_svc_running.yml\nwin_hybridconnectionmgr_svc_installation.yml\ndns_query_win_hybridconnectionmgr_servicebus.yml"
},
{
"techniqueID": "T1091",
"score": 1,
"comment": "win_external_device.yml"
},
{
"techniqueID": "T1200",
"score": 2,
"comment": "win_external_device.yml\nwin_usb_device_plugged.yml"
},
{
"techniqueID": "T1110.003",
"score": 8,
"comment": "win_susp_failed_remote_logons_single_source.yml\nwin_susp_failed_logons_single_source_kerberos.yml\nwin_susp_failed_logons_explicit_credentials.yml\nwin_susp_failed_logons_single_source_ntlm.yml\nwin_susp_failed_logons_single_process.yml\nwin_susp_failed_logons_single_source_ntlm2.yml\nwin_susp_failed_logons_single_source_kerberos2.yml\nwin_susp_failed_logons_single_source_kerberos3.yml"
},
{
"techniqueID": "T1010",
"score": 1,
"comment": "win_scm_database_handle_failure.yml"
},
{
"techniqueID": "T1553.002",
"score": 1,
"comment": "win_susp_sdelete.yml"
},
{
"techniqueID": "T1550.002",
"score": 5,
"comment": "win_pass_the_hash_2.yml\nwin_overpass_the_hash.yml\nwin_alert_ruler.yml\nwin_susp_ntlm_auth.yml\nwin_lsasrv_ntlmv1.yml"
},
{
"techniqueID": "T1134.005",
"score": 1,
"comment": "win_susp_add_sid_history.yml"
},
{
"techniqueID": "T1078.001",
"score": 1,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1078.002",
"score": 1,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1078.003",
"score": 1,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1207",
"score": 1,
"comment": "win_possible_dc_shadow.yml"
},
{
"techniqueID": "T1090.001",
"score": 1,
"comment": "win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1090.002",
"score": 1,
"comment": "win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1499.001",
"score": 1,
"comment": "win_ntfs_vuln_exploit.yml"
},
{
"techniqueID": "T1567.001",
"score": 3,
"comment": "net_connection_win_mega_nz.yml\nnet_connection_win_binary_github_com.yml\nnet_connection_win_ngrok_io.yml"
},
{
"techniqueID": "T1102",
"score": 1,
"comment": "net_connection_win_dead_drop_resolvers.yml"
}
]
}
Reference in New Issue View Git Blame Copy Permalink