Type,Description,TechniqueIdCombined,Technique,"Data_Component","Data_Component_Description"
Detection,,"T1003.008","/etc/passwd and /etc/shadow","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.008","/etc/passwd and /etc/shadow","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1557.002","ARP Cache Poisoning","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1557.002","ARP Cache Poisoning","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1558.004","AS-REP Roasting","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,T1548,"Abuse Elevation Control Mechanism","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,T1548,"Abuse Elevation Control Mechanism","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1548,"Abuse Elevation Control Mechanism","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1548,"Abuse Elevation Control Mechanism","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1548,"Abuse Elevation Control Mechanism","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1548,"Abuse Elevation Control Mechanism","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1548,"Abuse Elevation Control Mechanism","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1134,"Access Token Manipulation","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1134,"Access Token Manipulation","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,T1134,"Access Token Manipulation","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1134,"Access Token Manipulation","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,T1134,"Access Token Manipulation","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1134,"Access Token Manipulation","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.008","Accessibility Features","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.008","Accessibility Features","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.008","Accessibility Features","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.008","Accessibility Features","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1546.008","Accessibility Features","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1531,"Account Access Removal","User Account Deletion","Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)"
Detection,,T1531,"Account Access Removal","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,T1531,"Account Access Removal","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1087,"Account Discovery","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,T1087,"Account Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1087,"Account Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1087,"Account Discovery","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1098,"Account Manipulation","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1098,"Account Manipulation","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1098,"Account Manipulation","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1098,"Account Manipulation","Group Modification","Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)"
Detection,,T1098,"Account Manipulation","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,T1098,"Account Manipulation","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1583,"Acquire Infrastructure","Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,T1583,"Acquire Infrastructure","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1583,"Acquire Infrastructure","Active DNS","Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"
Detection,,T1583,"Acquire Infrastructure","Passive DNS","Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)"
Detection,,T1583,"Acquire Infrastructure","Domain Registration","Information about domain name assignments and other domain metadata (ex: WHOIS)"
Detection,,T1595,"Active Scanning","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1595,"Active Scanning","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1547.014","Active Setup","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1547.014","Active Setup","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.014","Active Setup","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1547.014","Active Setup","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1098.003","Add Office 365 Global Administrator Role","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,"T1137.006","Add-ins","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.006","Add-ins","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.006","Add-ins","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1137.006","Add-ins","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1137.006","Add-ins","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1137.006","Add-ins","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1098.001","Additional Cloud Credentials","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,"T1098.001","Additional Cloud Credentials","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1557,"Adversary-in-the-Middle","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1557,"Adversary-in-the-Middle","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1557,"Adversary-in-the-Middle","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,T1557,"Adversary-in-the-Middle","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.009","AppCert DLLs","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.009","AppCert DLLs","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.009","AppCert DLLs","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.009","AppCert DLLs","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1546.010","AppInit DLLs","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.010","AppInit DLLs","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.010","AppInit DLLs","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.010","AppInit DLLs","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1059.002",AppleScript,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.002",AppleScript,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1059.002",AppleScript,"OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1550.001","Application Access Token","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,"T1550.001","Application Access Token","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1499.003","Application Exhaustion Flood","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1499.003","Application Exhaustion Flood","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1499.003","Application Exhaustion Flood","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1499.003","Application Exhaustion Flood","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1071,"Application Layer Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1071,"Application Layer Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1546.011","Application Shimming","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.011","Application Shimming","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.011","Application Shimming","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.011","Application Shimming","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1546.011","Application Shimming","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1010,"Application Window Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1010,"Application Window Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1010,"Application Window Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1499.004","Application or System Exploitation","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1499.004","Application or System Exploitation","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1499.004","Application or System Exploitation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1499.004","Application or System Exploitation","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1560,"Archive Collected Data","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1560,"Archive Collected Data","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1560,"Archive Collected Data","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1560,"Archive Collected Data","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1560.003","Archive via Custom Method","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1560.003","Archive via Custom Method","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1560.002","Archive via Library","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1560.002","Archive via Library","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1560.001","Archive via Utility","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1560.001","Archive via Utility","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1560.001","Archive via Utility","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1573.002","Asymmetric Cryptography","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1055.004","Asynchronous Procedure Call","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.004","Asynchronous Procedure Call","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.004","Asynchronous Procedure Call","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1053.001","At (Linux)","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.001","At (Linux)","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.001","At (Linux)","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1053.002","At (Windows)","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.002","At (Windows)","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.002","At (Windows)","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1053.002","At (Windows)","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1123,"Audio Capture","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1123,"Audio Capture","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.002","Authentication Package","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.002","Authentication Package","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.002","Authentication Package","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1119,"Automated Collection","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1119,"Automated Collection","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1119,"Automated Collection","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1020,"Automated Exfiltration","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1020,"Automated Exfiltration","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1020,"Automated Exfiltration","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1020,"Automated Exfiltration","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1020,"Automated Exfiltration","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1020,"Automated Exfiltration","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1197,"BITS Jobs","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1197,"BITS Jobs","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1197,"BITS Jobs","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1197,"BITS Jobs","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1552.003","Bash History","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1552.003","Bash History","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1102.002","Bidirectional Communication","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1102.002","Bidirectional Communication","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1102.002","Bidirectional Communication","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1027.001","Binary Padding","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1547,"Boot or Logon Autostart Execution","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1547,"Boot or Logon Autostart Execution","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1547,"Boot or Logon Autostart Execution","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1547,"Boot or Logon Autostart Execution","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1547,"Boot or Logon Autostart Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1547,"Boot or Logon Autostart Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1547,"Boot or Logon Autostart Execution","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1547,"Boot or Logon Autostart Execution","Kernel Module Load","An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls"
Detection,,T1547,"Boot or Logon Autostart Execution","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,T1547,"Boot or Logon Autostart Execution","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1037,"Boot or Logon Initialization Scripts","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1037,"Boot or Logon Initialization Scripts","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1037,"Boot or Logon Initialization Scripts","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1037,"Boot or Logon Initialization Scripts","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1037,"Boot or Logon Initialization Scripts","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1037,"Boot or Logon Initialization Scripts","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1542.003",Bootkit,"Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,T1217,"Browser Bookmark Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1217,"Browser Bookmark Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1217,"Browser Bookmark Discovery","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1176,"Browser Extensions","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1176,"Browser Extensions","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1176,"Browser Extensions","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1176,"Browser Extensions","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1176,"Browser Extensions","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1185,"Browser Session Hijacking","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,T1185,"Browser Session Hijacking","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1185,"Browser Session Hijacking","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1110,"Brute Force","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1110,"Brute Force","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1110,"Brute Force","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1612,"Build Image on Host","Image Creation","Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)"
Detection,,T1612,"Build Image on Host","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1612,"Build Image on Host","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1612,"Build Image on Host","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1548.002","Bypass User Account Control","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1548.002","Bypass User Account Control","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1548.002","Bypass User Account Control","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1548.002","Bypass User Account Control","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.003",CMSTP,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.003",CMSTP,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.003",CMSTP,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1574.012","COR_PROFILER","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1574.012","COR_PROFILER","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.012","COR_PROFILER","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1574.012","COR_PROFILER","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.005","Cached Domain Credentials","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.001","Change Default File Association","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.001","Change Default File Association","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.001","Change Default File Association","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1070.003","Clear Command History","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1070.003","Clear Command History","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1070.003","Clear Command History","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,"T1070.002","Clear Linux or Mac System Logs","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,"T1070.002","Clear Linux or Mac System Logs","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1070.002","Clear Linux or Mac System Logs","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1070.001","Clear Windows Event Logs","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1070.001","Clear Windows Event Logs","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1592.004","Client Configurations","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1115,"Clipboard Data","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1115,"Clipboard Data","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1136.003","Cloud Account","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,"T1087.004","Cloud Account","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,"T1087.004","Cloud Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1078.004","Cloud Accounts","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,"T1078.004","Cloud Accounts","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1078.004","Cloud Accounts","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1069.003","Cloud Groups","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1069.003","Cloud Groups","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1069.003","Cloud Groups","Group Enumeration","An extracted list of available groups and/or their associated settings (ex: AWS list-groups)"
Detection,,"T1069.003","Cloud Groups","Group Metadata","Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group"
Detection,,"T1069.003","Cloud Groups","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1580,"Cloud Infrastructure Discovery","Instance Metadata","Contextual data about an instance and activity around it such as name, type, or status"
Detection,,T1580,"Cloud Infrastructure Discovery","Instance Enumeration","An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)"
Detection,,T1580,"Cloud Infrastructure Discovery","Snapshot Metadata","Contextual data about a snapshot, which may include information such as ID, type, and status"
Detection,,T1580,"Cloud Infrastructure Discovery","Snapshot Enumeration","An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)"
Detection,,T1580,"Cloud Infrastructure Discovery","Cloud Storage Metadata","Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner"
Detection,,T1580,"Cloud Infrastructure Discovery","Cloud Storage Enumeration","An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)"
Detection,,T1580,"Cloud Infrastructure Discovery","Volume Metadata","Contextual data about a cloud volume and activity around it, such as id, type, state, and size"
Detection,,T1580,"Cloud Infrastructure Discovery","Volume Enumeration","An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)"
Detection,,"T1552.005","Cloud Instance Metadata API","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1538,"Cloud Service Dashboard","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1538,"Cloud Service Dashboard","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1526,"Cloud Service Discovery","Cloud Service Metadata","Contextual data about a cloud service and activity around it such as name, type, or purpose/function"
Detection,,T1526,"Cloud Service Discovery","Cloud Service Enumeration","An extracted list of cloud services (ex: AWS ECS ListServices)"
Detection,,T1619,"Cloud Storage Object Discovery","Cloud Storage Enumeration","An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)"
Detection,,T1619,"Cloud Storage Object Discovery","Cloud Storage Access","Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)"
Detection,,"T1213.003","Code Repositories","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1213.003","Code Repositories","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1553.002","Code Signing","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1587.002","Code Signing Certificates","Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,"T1588.003","Code Signing Certificates","Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,"T1553.006","Code Signing Policy Modification","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1553.006","Code Signing Policy Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1553.006","Code Signing Policy Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1059,"Command and Scripting Interpreter","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1059,"Command and Scripting Interpreter","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1059,"Command and Scripting Interpreter","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1059,"Command and Scripting Interpreter","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1092,"Communication Through Removable Media","Drive Creation","Initial construction of a drive letter or mount point to a data storage device"
Detection,,T1092,"Communication Through Removable Media","Drive Access","Opening of a data storage device with an assigned drive letter or mount point"
Detection,,"T1027.004","Compile After Delivery","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1027.004","Compile After Delivery","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1027.004","Compile After Delivery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1027.004","Compile After Delivery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.001","Compiled HTML File","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.001","Compiled HTML File","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1218.001","Compiled HTML File","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1542.002","Component Firmware","Driver Metadata","Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking"
Detection,,"T1542.002","Component Firmware","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,"T1542.002","Component Firmware","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1559.001","Component Object Model","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1559.001","Component Object Model","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1559.001","Component Object Model","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1546.015","Component Object Model Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.015","Component Object Model Hijacking","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.015","Component Object Model Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.015","Component Object Model Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1586,"Compromise Accounts","Social Media","Established, compromised, or otherwise acquired social media personas"
Detection,,T1586,"Compromise Accounts","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1554,"Compromise Client Software Binary","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1554,"Compromise Client Software Binary","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1554,"Compromise Client Software Binary","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,T1554,"Compromise Client Software Binary","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1584,"Compromise Infrastructure","Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,T1584,"Compromise Infrastructure","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1584,"Compromise Infrastructure","Active DNS","Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"
Detection,,T1584,"Compromise Infrastructure","Passive DNS","Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)"
Detection,,T1584,"Compromise Infrastructure","Domain Registration","Information about domain name assignments and other domain metadata (ex: WHOIS)"
Detection,,"T1213.001",Confluence,"Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1213.001",Confluence,"Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1552.007","Container API","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1552.007","Container API","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1552.007","Container API","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1609,"Container Administration Command","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.007","Container Orchestration Job","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.007","Container Orchestration Job","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,"T1053.007","Container Orchestration Job","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1613,"Container and Resource Discovery","Cluster Metadata","Contextual data about a cluster and activity around it such as name, namespace, age, or status"
Detection,,T1613,"Container and Resource Discovery","Container Enumeration","An extracted list of containers (ex: docker ps)"
Detection,,T1613,"Container and Resource Discovery","Container Metadata","Contextual data about a container and activity around it such as name, ID, image, or status"
Detection,,T1613,"Container and Resource Discovery","Pod Enumeration","An extracted list of pods within a cluster (ex: kubectl get pods)"
Detection,,T1613,"Container and Resource Discovery","Pod Metadata","Contextual data about a pod and activity around it such as name, ID, namespace, or status"
Detection,,T1613,"Container and Resource Discovery","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1218.002","Control Panel","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.002","Control Panel","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1218.002","Control Panel","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1218.002","Control Panel","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1218.002","Control Panel","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.002","Control Panel","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1136,"Create Account","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,T1136,"Create Account","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1136,"Create Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1578.002","Create Cloud Instance","Instance Creation","Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"
Detection,,"T1134.002","Create Process with Token","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1134.002","Create Process with Token","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1578.001","Create Snapshot","Snapshot Creation","Initial construction of a new snapshot (ex: AWS create-snapshot)"
Detection,,T1543,"Create or Modify System Process","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,T1543,"Create or Modify System Process","Service Modification","Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)"
Detection,,T1543,"Create or Modify System Process","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1543,"Create or Modify System Process","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1543,"Create or Modify System Process","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1543,"Create or Modify System Process","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1543,"Create or Modify System Process","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1543,"Create or Modify System Process","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1543,"Create or Modify System Process","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1056.004","Credential API Hooking","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1056.004","Credential API Hooking","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1110.004","Credential Stuffing","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1110.004","Credential Stuffing","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1552.001","Credentials In Files","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1552.001","Credentials In Files","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1555,"Credentials from Password Stores","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1555,"Credentials from Password Stores","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1555,"Credentials from Password Stores","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1555,"Credentials from Password Stores","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1555,"Credentials from Password Stores","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1555.003","Credentials from Web Browsers","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1555.003","Credentials from Web Browsers","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1555.003","Credentials from Web Browsers","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1555.003","Credentials from Web Browsers","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1552.002","Credentials in Registry","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1552.002","Credentials in Registry","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1552.002","Credentials in Registry","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,"T1053.003",Cron,"Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.003",Cron,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.003",Cron,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1053.003",Cron,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1003.006",DCSync,"Active Directory Object Access","Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)"
Detection,,"T1003.006",DCSync,"Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1003.006",DCSync,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1574.001","DLL Search Order Hijacking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.001","DLL Search Order Hijacking","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.001","DLL Search Order Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1574.002","DLL Side-Loading","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.002","DLL Side-Loading","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.002","DLL Side-Loading","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1574.002","DLL Side-Loading","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1071.004",DNS,"Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1071.004",DNS,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1568.003","DNS Calculation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1584.002","DNS Server","Active DNS","Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"
Detection,,"T1584.002","DNS Server","Passive DNS","Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)"
Detection,,T1485,"Data Destruction","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1485,"Data Destruction","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1485,"Data Destruction","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1485,"Data Destruction","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,T1485,"Data Destruction","Image Deletion","Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)"
Detection,,T1485,"Data Destruction","Instance Deletion","Removal of an instance (ex: instance.delete within GCP Audit Logs)"
Detection,,T1485,"Data Destruction","Snapshot Deletion","Removal of a snapshot (ex: AWS delete-snapshot)"
Detection,,T1485,"Data Destruction","Cloud Storage Deletion","Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)"
Detection,,T1485,"Data Destruction","Volume Deletion","Removal of a a cloud volume (ex: AWS delete-volume)"
Detection,,T1132,"Data Encoding","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1486,"Data Encrypted for Impact","Cloud Storage Metadata","Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner"
Detection,,T1486,"Data Encrypted for Impact","Cloud Storage Modification","Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)"
Detection,,T1486,"Data Encrypted for Impact","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1486,"Data Encrypted for Impact","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1486,"Data Encrypted for Impact","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1486,"Data Encrypted for Impact","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1565,"Data Manipulation","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1565,"Data Manipulation","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1565,"Data Manipulation","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1565,"Data Manipulation","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,T1565,"Data Manipulation","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1565,"Data Manipulation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1565,"Data Manipulation","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1001,"Data Obfuscation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1074,"Data Staged","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1074,"Data Staged","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1074,"Data Staged","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1030,"Data Transfer Size Limits","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1030,"Data Transfer Size Limits","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1530,"Data from Cloud Storage Object","Cloud Storage Access","Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)"
Detection,,T1602,"Data from Configuration Repository","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1602,"Data from Configuration Repository","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1213,"Data from Information Repositories","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1213,"Data from Information Repositories","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1005,"Data from Local System","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1005,"Data from Local System","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1005,"Data from Local System","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1039,"Data from Network Shared Drive","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1039,"Data from Network Shared Drive","Network Share Access","Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)"
Detection,,T1039,"Data from Network Shared Drive","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1025,"Data from Removable Media","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1025,"Data from Removable Media","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1102.001","Dead Drop Resolver","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1102.001","Dead Drop Resolver","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1491,Defacement,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1491,Defacement,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1491,Defacement,"Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1491,Defacement,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1078.001","Default Accounts","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1078.001","Default Accounts","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1578.003","Delete Cloud Instance","Instance Deletion","Removal of an instance (ex: instance.delete within GCP Audit Logs)"
Detection,,T1140,"Deobfuscate/Decode Files or Information","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1140,"Deobfuscate/Decode Files or Information","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1140,"Deobfuscate/Decode Files or Information","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1610,"Deploy Container","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,T1610,"Deploy Container","Container Start","Activation or invocation of a container (ex: docker start or docker restart)"
Detection,,T1610,"Deploy Container","Pod Creation","Initial construction of a new pod (ex: kubectl apply|run)"
Detection,,T1610,"Deploy Container","Pod Modification","Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)"
Detection,,T1610,"Deploy Container","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1587,"Develop Capabilities","Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,T1587,"Develop Capabilities","Malware Content","Code, strings, and other signatures that compromise a malicious payload"
Detection,,T1587,"Develop Capabilities","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1587.003","Digital Certificates","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1588.004","Digital Certificates","Certificate Registration","Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)"
Detection,,"T1588.004","Digital Certificates","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1498.001","Direct Network Flood","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1498.001","Direct Network Flood","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1006,"Direct Volume Access","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1006,"Direct Volume Access","Drive Access","Opening of a data storage device with an assigned drive letter or mount point"
Detection,,"T1562.008","Disable Cloud Logs","Cloud Service Modification","Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)"
Detection,,"T1562.008","Disable Cloud Logs","Cloud Service Disable","Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)"
Detection,,"T1600.002","Disable Crypto Hardware","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1562.002","Disable Windows Event Logging","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1562.002","Disable Windows Event Logging","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1562.002","Disable Windows Event Logging","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1562.002","Disable Windows Event Logging","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1562.002","Disable Windows Event Logging","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1562.002","Disable Windows Event Logging","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1562.007","Disable or Modify Cloud Firewall","Firewall Rule Modification","Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)"
Detection,,"T1562.007","Disable or Modify Cloud Firewall","Firewall Disable","Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)"
Detection,,"T1562.004","Disable or Modify System Firewall","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1562.004","Disable or Modify System Firewall","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1562.004","Disable or Modify System Firewall","Firewall Disable","Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)"
Detection,,"T1562.004","Disable or Modify System Firewall","Firewall Rule Modification","Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)"
Detection,,"T1562.001","Disable or Modify Tools","Process Termination","Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)"
Detection,,"T1562.001","Disable or Modify Tools","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1562.001","Disable or Modify Tools","Windows Registry Key Deletion","Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)"
Detection,,"T1562.001","Disable or Modify Tools","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1562.001","Disable or Modify Tools","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,"T1562.001","Disable or Modify Tools","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1561.001","Disk Content Wipe","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1561.001","Disk Content Wipe","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1561.001","Disk Content Wipe","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,"T1561.001","Disk Content Wipe","Drive Access","Opening of a data storage device with an assigned drive letter or mount point"
Detection,,"T1561.001","Disk Content Wipe","Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,"T1561.002","Disk Structure Wipe","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1561.002","Disk Structure Wipe","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1561.002","Disk Structure Wipe","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,"T1561.002","Disk Structure Wipe","Drive Access","Opening of a data storage device with an assigned drive letter or mount point"
Detection,,"T1561.002","Disk Structure Wipe","Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,T1561,"Disk Wipe","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1561,"Disk Wipe","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1561,"Disk Wipe","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,T1561,"Disk Wipe","Drive Access","Opening of a data storage device with an assigned drive letter or mount point"
Detection,,T1561,"Disk Wipe","Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,"T1021.003","Distributed Component Object Model","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1021.003","Distributed Component Object Model","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1021.003","Distributed Component Object Model","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1136.002","Domain Account","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,"T1136.002","Domain Account","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1136.002","Domain Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1087.002","Domain Account","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1087.002","Domain Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1078.002","Domain Accounts","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,"T1078.002","Domain Accounts","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1078.002","Domain Accounts","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1556.001","Domain Controller Authentication","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1556.001","Domain Controller Authentication","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1556.001","Domain Controller Authentication","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1556.001","Domain Controller Authentication","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1090.004","Domain Fronting","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1568.002","Domain Generation Algorithms","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1568.002","Domain Generation Algorithms","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1069.002","Domain Groups","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1069.002","Domain Groups","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1484,"Domain Policy Modification","Active Directory Object Creation","Initial construction of a new active directory object (ex: Windows EID 5137)"
Detection,,T1484,"Domain Policy Modification","Active Directory Object Deletion","Removal of an active directory object (ex: Windows EID 5141)"
Detection,,T1484,"Domain Policy Modification","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1484,"Domain Policy Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1482,"Domain Trust Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1482,"Domain Trust Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1482,"Domain Trust Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1482,"Domain Trust Discovery","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1484.002","Domain Trust Modification","Active Directory Object Creation","Initial construction of a new active directory object (ex: Windows EID 5137)"
Detection,,"T1484.002","Domain Trust Modification","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,"T1484.002","Domain Trust Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1583.001",Domains,"Active DNS","Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"
Detection,,"T1583.001",Domains,"Passive DNS","Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)"
Detection,,"T1583.001",Domains,"Domain Registration","Information about domain name assignments and other domain metadata (ex: WHOIS)"
Detection,,"T1584.001",Domains,"Active DNS","Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"
Detection,,"T1584.001",Domains,"Passive DNS","Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)"
Detection,,"T1584.001",Domains,"Domain Registration","Information about domain name assignments and other domain metadata (ex: WHOIS)"
Detection,,"T1036.007","Double File Extension","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1036.007","Double File Extension","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1562.010","Downgrade Attack","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1562.010","Downgrade Attack","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1562.010","Downgrade Attack","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1601.002","Downgrade System Image","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1189,"Drive-by Compromise","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1189,"Drive-by Compromise","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1189,"Drive-by Compromise","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1189,"Drive-by Compromise","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1189,"Drive-by Compromise","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1608.004","Drive-by Target","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1574.004","Dylib Hijacking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.004","Dylib Hijacking","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.004","Dylib Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1559.002","Dynamic Data Exchange","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1559.002","Dynamic Data Exchange","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1559.002","Dynamic Data Exchange","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1574.006","Dynamic Linker Hijacking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.006","Dynamic Linker Hijacking","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.006","Dynamic Linker Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1574.006","Dynamic Linker Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.006","Dynamic Linker Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1568,"Dynamic Resolution","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1568,"Dynamic Resolution","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1568,"Dynamic Resolution","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1055.001","Dynamic-link Library Injection","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.001","Dynamic-link Library Injection","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1055.001","Dynamic-link Library Injection","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.001","Dynamic-link Library Injection","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1548.004","Elevated Execution with Prompt","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1548.004","Elevated Execution with Prompt","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1087.003","Email Account","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,"T1087.003","Email Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1114,"Email Collection","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1114,"Email Collection","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1114,"Email Collection","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1114,"Email Collection","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1114,"Email Collection","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1114.003","Email Forwarding Rule","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1564.008","Email Hiding Rules","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1564.008","Email Hiding Rules","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.008","Email Hiding Rules","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1546.014",Emond,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.014",Emond,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.014",Emond,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1546.014",Emond,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1573,"Encrypted Channel","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1499,"Endpoint Denial of Service","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,T1499,"Endpoint Denial of Service","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1499,"Endpoint Denial of Service","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1499,"Endpoint Denial of Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1480.001","Environmental Keying","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1480.001","Environmental Keying","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1611,"Escape to Host","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,T1611,"Escape to Host","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1611,"Escape to Host","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1585,"Establish Accounts","Social Media","Established, compromised, or otherwise acquired social media personas"
Detection,,T1585,"Establish Accounts","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1546,"Event Triggered Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1546,"Event Triggered Execution","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1546,"Event Triggered Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1546,"Event Triggered Execution","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1546,"Event Triggered Execution","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1546,"Event Triggered Execution","WMI Creation","Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)"
Detection,,T1546,"Event Triggered Execution","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1546,"Event Triggered Execution","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1098.002","Exchange Email Delegate Permissions","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1098.002","Exchange Email Delegate Permissions","Group Modification","Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)"
Detection,,"T1098.002","Exchange Email Delegate Permissions","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,"T1574.005","Executable Installer File Permissions Weakness","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.005","Executable Installer File Permissions Weakness","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.005","Executable Installer File Permissions Weakness","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1574.005","Executable Installer File Permissions Weakness","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.005","Executable Installer File Permissions Weakness","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1480,"Execution Guardrails","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1480,"Execution Guardrails","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1048,"Exfiltration Over Alternative Protocol","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1048,"Exfiltration Over Alternative Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1048,"Exfiltration Over Alternative Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1048,"Exfiltration Over Alternative Protocol","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1048,"Exfiltration Over Alternative Protocol","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1048.002","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1048.002","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1048.002","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1048.002","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1048.002","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1011.001","Exfiltration Over Bluetooth","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1011.001","Exfiltration Over Bluetooth","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1011.001","Exfiltration Over Bluetooth","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1011.001","Exfiltration Over Bluetooth","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1011.001","Exfiltration Over Bluetooth","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1041,"Exfiltration Over C2 Channel","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1041,"Exfiltration Over C2 Channel","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1041,"Exfiltration Over C2 Channel","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1041,"Exfiltration Over C2 Channel","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1041,"Exfiltration Over C2 Channel","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1011,"Exfiltration Over Other Network Medium","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1011,"Exfiltration Over Other Network Medium","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1011,"Exfiltration Over Other Network Medium","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1011,"Exfiltration Over Other Network Medium","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1011,"Exfiltration Over Other Network Medium","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1052,"Exfiltration Over Physical Medium","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1052,"Exfiltration Over Physical Medium","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1052,"Exfiltration Over Physical Medium","Drive Creation","Initial construction of a drive letter or mount point to a data storage device"
Detection,,T1052,"Exfiltration Over Physical Medium","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1048.001","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1048.001","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1048.001","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1048.001","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1048.001","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1048.003","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1048.003","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1048.003","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1048.003","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1048.003","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1567,"Exfiltration Over Web Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1567,"Exfiltration Over Web Service","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1567,"Exfiltration Over Web Service","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1567,"Exfiltration Over Web Service","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1052.001","Exfiltration over USB","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1052.001","Exfiltration over USB","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1052.001","Exfiltration over USB","Drive Creation","Initial construction of a drive letter or mount point to a data storage device"
Detection,,"T1052.001","Exfiltration over USB","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1567.002","Exfiltration to Cloud Storage","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1567.002","Exfiltration to Cloud Storage","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1567.002","Exfiltration to Cloud Storage","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1567.002","Exfiltration to Cloud Storage","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1567.001","Exfiltration to Code Repository","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1567.001","Exfiltration to Code Repository","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1567.001","Exfiltration to Code Repository","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1567.001","Exfiltration to Code Repository","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1190,"Exploit Public-Facing Application","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1190,"Exploit Public-Facing Application","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1068,"Exploitation for Privilege Escalation","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,T1210,"Exploitation of Remote Services","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1210,"Exploitation of Remote Services","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1491.002","External Defacement","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1491.002","External Defacement","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1491.002","External Defacement","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1491.002","External Defacement","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1090.002","External Proxy","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1090.002","External Proxy","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1090.002","External Proxy","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1133,"External Remote Services","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1133,"External Remote Services","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,T1133,"External Remote Services","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1055.011","Extra Window Memory Injection","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1008,"Fallback Channels","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1008,"Fallback Channels","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1568.001","Fast Flux DNS","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1568.001","Fast Flux DNS","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1070.004","File Deletion","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,"T1070.004","File Deletion","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1071.002","File Transfer Protocols","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1071.002","File Transfer Protocols","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1083,"File and Directory Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1083,"File and Directory Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1083,"File and Directory Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1222,"File and Directory Permissions Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1222,"File and Directory Permissions Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1222,"File and Directory Permissions Modification","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1222,"File and Directory Permissions Modification","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1495,"Firmware Corruption","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,T1187,"Forced Authentication","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1187,"Forced Authentication","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1187,"Forced Authentication","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1187,"Forced Authentication","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1187,"Forced Authentication","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1606,"Forge Web Credentials","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1606,"Forge Web Credentials","Web Credential Creation","Initial construction of new web credential material (ex: Windows EID 1200 or 4769)"
Detection,,T1606,"Forge Web Credentials","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,"T1056.002","GUI Input Capture","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1056.002","GUI Input Capture","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1056.002","GUI Input Capture","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1553.001","Gatekeeper Bypass","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1553.001","Gatekeeper Bypass","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1553.001","Gatekeeper Bypass","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1553.001","Gatekeeper Bypass","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1592,"Gather Victim Host Information","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1558.001","Golden Ticket","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,"T1558.001","Golden Ticket","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,T1615,"Group Policy Discovery","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1615,"Group Policy Discovery","Active Directory Object Access","Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)"
Detection,,T1615,"Group Policy Discovery","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1615,"Group Policy Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1615,"Group Policy Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1484.001","Group Policy Modification","Active Directory Object Creation","Initial construction of a new active directory object (ex: Windows EID 5137)"
Detection,,"T1484.001","Group Policy Modification","Active Directory Object Deletion","Removal of an active directory object (ex: Windows EID 5141)"
Detection,,"T1484.001","Group Policy Modification","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,"T1484.001","Group Policy Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1552.006","Group Policy Preferences","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1552.006","Group Policy Preferences","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1027.006","HTML Smuggling","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1592.001",Hardware,"Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1564.005","Hidden File System","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1564.005","Hidden File System","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1564.005","Hidden File System","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,"T1564.001","Hidden Files and Directories","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1564.001","Hidden Files and Directories","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.001","Hidden Files and Directories","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.001","Hidden Files and Directories","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1564.002","Hidden Users","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.002","Hidden Users","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1564.002","Hidden Users","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.002","Hidden Users","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,"T1564.002","Hidden Users","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,"T1564.002","Hidden Users","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1564.003","Hidden Window","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.003","Hidden Window","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.003","Hidden Window","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1564.003","Hidden Window","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1564,"Hide Artifacts","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1564,"Hide Artifacts","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1564,"Hide Artifacts","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1564,"Hide Artifacts","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1564,"Hide Artifacts","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1564,"Hide Artifacts","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,T1564,"Hide Artifacts","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,T1564,"Hide Artifacts","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1564,"Hide Artifacts","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1564,"Hide Artifacts","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1564,"Hide Artifacts","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1564,"Hide Artifacts","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,T1564,"Hide Artifacts","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,T1574,"Hijack Execution Flow","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1574,"Hijack Execution Flow","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1574,"Hijack Execution Flow","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1574,"Hijack Execution Flow","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1574,"Hijack Execution Flow","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1574,"Hijack Execution Flow","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1574,"Hijack Execution Flow","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1505.004","IIS Components","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1505.004","IIS Components","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1505.004","IIS Components","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.012","Image File Execution Options Injection","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.012","Image File Execution Options Injection","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.012","Image File Execution Options Injection","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1562.003","Impair Command History Logging","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1562.003","Impair Command History Logging","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1562,"Impair Defenses","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1562,"Impair Defenses","Process Termination","Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)"
Detection,,T1562,"Impair Defenses","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1562,"Impair Defenses","Windows Registry Key Deletion","Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)"
Detection,,T1562,"Impair Defenses","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1562,"Impair Defenses","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1562,"Impair Defenses","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,T1562,"Impair Defenses","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1562,"Impair Defenses","Firewall Disable","Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)"
Detection,,T1562,"Impair Defenses","Firewall Rule Modification","Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)"
Detection,,T1562,"Impair Defenses","Cloud Service Modification","Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)"
Detection,,T1562,"Impair Defenses","Cloud Service Disable","Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)"
Detection,,T1525,"Implant Internal Image","Image Creation","Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)"
Detection,,T1525,"Implant Internal Image","Image Modification","Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)"
Detection,,"T1562.006","Indicator Blocking","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1562.006","Indicator Blocking","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1562.006","Indicator Blocking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1070,"Indicator Removal on Host","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1070,"Indicator Removal on Host","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,T1070,"Indicator Removal on Host","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1070,"Indicator Removal on Host","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1070,"Indicator Removal on Host","Windows Registry Key Deletion","Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)"
Detection,,T1070,"Indicator Removal on Host","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1070,"Indicator Removal on Host","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1070,"Indicator Removal on Host","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1070,"Indicator Removal on Host","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1070,"Indicator Removal on Host","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1202,"Indirect Command Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1202,"Indirect Command Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1105,"Ingress Tool Transfer","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1105,"Ingress Tool Transfer","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1105,"Ingress Tool Transfer","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1105,"Ingress Tool Transfer","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1490,"Inhibit System Recovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1490,"Inhibit System Recovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1490,"Inhibit System Recovery","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1490,"Inhibit System Recovery","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1490,"Inhibit System Recovery","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,T1056,"Input Capture","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1056,"Input Capture","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,T1056,"Input Capture","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1056,"Input Capture","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1056,"Input Capture","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1056,"Input Capture","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1608.003","Install Digital Certificate","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1553.004","Install Root Certificate","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1553.004","Install Root Certificate","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1553.004","Install Root Certificate","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1553.004","Install Root Certificate","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.004",InstallUtil,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.004",InstallUtil,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1559,"Inter-Process Communication","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1559,"Inter-Process Communication","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1559,"Inter-Process Communication","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1491.001","Internal Defacement","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1491.001","Internal Defacement","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1491.001","Internal Defacement","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1491.001","Internal Defacement","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1090.001","Internal Proxy","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1090.001","Internal Proxy","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1090.001","Internal Proxy","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1534,"Internal Spearphishing","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1534,"Internal Spearphishing","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1534,"Internal Spearphishing","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1016.001","Internet Connection Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1016.001","Internet Connection Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1036.001","Invalid Code Signature","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1059.007",JavaScript,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.007",JavaScript,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1059.007",JavaScript,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1059.007",JavaScript,"Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1001.001","Junk Data","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1558.003",Kerberoasting,"Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,"T1547.006","Kernel Modules and Extensions","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.006","Kernel Modules and Extensions","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.006","Kernel Modules and Extensions","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1547.006","Kernel Modules and Extensions","Kernel Module Load","An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls"
Detection,,"T1555.001",Keychain,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1555.001",Keychain,"OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1555.001",Keychain,"File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1056.001",Keylogging,"Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1056.001",Keylogging,"Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,"T1056.001",Keylogging,"OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1546.006","LC_LOAD_DYLIB Addition","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.006","LC_LOAD_DYLIB Addition","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.006","LC_LOAD_DYLIB Addition","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1546.006","LC_LOAD_DYLIB Addition","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1546.006","LC_LOAD_DYLIB Addition","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1557.001","LLMNR/NBT-NS Poisoning and SMB Relay","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1557.001","LLMNR/NBT-NS Poisoning and SMB Relay","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1557.001","LLMNR/NBT-NS Poisoning and SMB Relay","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1557.001","LLMNR/NBT-NS Poisoning and SMB Relay","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1003.004","LSA Secrets","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,"T1003.004","LSA Secrets","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.008","LSASS Driver","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.008","LSASS Driver","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,"T1547.008","LSASS Driver","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.008","LSASS Driver","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1003.001","LSASS Memory","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1003.001","LSASS Memory","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1003.001","LSASS Memory","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.001","LSASS Memory","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1570,"Lateral Tool Transfer","Network Share Access","Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)"
Detection,,T1570,"Lateral Tool Transfer","Named Pipe Metadata","Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)"
Detection,,T1570,"Lateral Tool Transfer","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1570,"Lateral Tool Transfer","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1570,"Lateral Tool Transfer","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1570,"Lateral Tool Transfer","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1570,"Lateral Tool Transfer","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1570,"Lateral Tool Transfer","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1543.001","Launch Agent","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1543.001","Launch Agent","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1543.001","Launch Agent","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1543.001","Launch Agent","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1543.001","Launch Agent","Service Modification","Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)"
Detection,,"T1543.004","Launch Daemon","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1543.004","Launch Daemon","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1543.004","Launch Daemon","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1543.004","Launch Daemon","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1543.004","Launch Daemon","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1543.004","Launch Daemon","Service Modification","Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)"
Detection,,"T1569.001",Launchctl,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1569.001",Launchctl,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1569.001",Launchctl,"Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1569.001",Launchctl,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1608.005","Link Target","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1222.002","Linux and Mac File and Directory Permissions Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1222.002","Linux and Mac File and Directory Permissions Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1222.002","Linux and Mac File and Directory Permissions Modification","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1136.001","Local Account","User Account Creation","Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)"
Detection,,"T1136.001","Local Account","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1136.001","Local Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1087.001","Local Account","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1087.001","Local Account","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1087.001","Local Account","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1078.003","Local Accounts","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,"T1078.003","Local Accounts","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1078.003","Local Accounts","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1074.001","Local Data Staging","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1074.001","Local Data Staging","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1074.001","Local Data Staging","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1114.001","Local Email Collection","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1114.001","Local Email Collection","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1069.001","Local Groups","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1069.001","Local Groups","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.015","Login Items","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1547.015","Login Items","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.015","Login Items","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1037.002","Logon Script (Mac)","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1037.002","Logon Script (Mac)","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1037.002","Logon Script (Mac)","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1037.002","Logon Script (Mac)","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1037.001","Logon Script (Windows)","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1037.001","Logon Script (Windows)","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1037.001","Logon Script (Windows)","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.014",MMC,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.014",MMC,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1218.014",MMC,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1127.001",MSBuild,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1127.001",MSBuild,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1071.003","Mail Protocols","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1071.003","Mail Protocols","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1134.003","Make and Impersonate Token","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1134.003","Make and Impersonate Token","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1204.002","Malicious File","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1204.002","Malicious File","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1204.003","Malicious Image","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,"T1204.003","Malicious Image","Container Start","Activation or invocation of a container (ex: docker start or docker restart)"
Detection,,"T1204.003","Malicious Image","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1204.003","Malicious Image","Image Creation","Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)"
Detection,,"T1204.003","Malicious Image","Instance Creation","Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"
Detection,,"T1204.003","Malicious Image","Instance Start","Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)"
Detection,,"T1204.003","Malicious Image","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1204.001","Malicious Link","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1204.001","Malicious Link","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1204.001","Malicious Link","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1587.001",Malware,"Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,"T1587.001",Malware,"Malware Content","Code, strings, and other signatures that compromise a malicious payload"
Detection,,"T1588.001",Malware,"Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,"T1588.001",Malware,"Malware Content","Code, strings, and other signatures that compromise a malicious payload"
Detection,,"T1553.005","Mark-of-the-Web Bypass","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1553.005","Mark-of-the-Web Bypass","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1036.004","Masquerade Task or Service","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1036.004","Masquerade Task or Service","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,"T1036.004","Masquerade Task or Service","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1036.004","Masquerade Task or Service","Scheduled Job Metadata","Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc."
Detection,,"T1036.004","Masquerade Task or Service","Scheduled Job Modification","Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)"
Detection,,T1036,Masquerading,"Image Metadata","Contextual data about a virtual machine image such as name, resource group, state, or type"
Detection,,T1036,Masquerading,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1036,Masquerading,"Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1036,Masquerading,"Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,T1036,Masquerading,"Scheduled Job Metadata","Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc."
Detection,,T1036,Masquerading,"Scheduled Job Modification","Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)"
Detection,,T1036,Masquerading,"File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1036,Masquerading,"Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,T1036,Masquerading,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1036.005","Match Legitimate Name or Location","Image Metadata","Contextual data about a virtual machine image such as name, resource group, state, or type"
Detection,,"T1036.005","Match Legitimate Name or Location","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1036.005","Match Legitimate Name or Location","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1218.013",Mavinject,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.013",Mavinject,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1556,"Modify Authentication Process","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1556,"Modify Authentication Process","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1556,"Modify Authentication Process","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1556,"Modify Authentication Process","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1556,"Modify Authentication Process","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1556,"Modify Authentication Process","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1556,"Modify Authentication Process","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Instance Stop","Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Instance Start","Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Instance Creation","Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Instance Modification","Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Instance Deletion","Removal of an instance (ex: instance.delete within GCP Audit Logs)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Snapshot Creation","Initial construction of a new snapshot (ex: AWS create-snapshot)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Snapshot Modification","Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Snapshot Deletion","Removal of a snapshot (ex: AWS delete-snapshot)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Volume Creation","Initial construction of a cloud volume (ex: AWS create-volume)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Volume Modification","Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)"
Detection,,T1578,"Modify Cloud Compute Infrastructure","Volume Deletion","Removal of a a cloud volume (ex: AWS delete-volume)"
Detection,,T1112,"Modify Registry","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1112,"Modify Registry","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1112,"Modify Registry","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1112,"Modify Registry","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1112,"Modify Registry","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1112,"Modify Registry","Windows Registry Key Deletion","Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)"
Detection,,T1601,"Modify System Image","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1218.005",Mshta,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.005",Mshta,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1218.005",Mshta,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.005",Mshta,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1218.007",Msiexec,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.007",Msiexec,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1218.007",Msiexec,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.007",Msiexec,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1104,"Multi-Stage Channels","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1104,"Multi-Stage Channels","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1090.003","Multi-hop Proxy","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1090.003","Multi-hop Proxy","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1090.003","Multi-hop Proxy","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1003.003",NTDS,"File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1003.003",NTDS,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.004","NTFS File Attributes","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1564.004","NTFS File Attributes","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1564.004","NTFS File Attributes","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1564.004","NTFS File Attributes","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1106,"Native API","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1106,"Native API","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1546.007","Netsh Helper DLL","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.007","Netsh Helper DLL","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.007","Netsh Helper DLL","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.007","Netsh Helper DLL","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1599.001","Network Address Translation Traversal","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1599.001","Network Address Translation Traversal","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1599,"Network Boundary Bridging","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1599,"Network Boundary Bridging","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1498,"Network Denial of Service","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,T1498,"Network Denial of Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1556.004","Network Device Authentication","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1059.008","Network Device CLI","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1602.002","Network Device Configuration Dump","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1602.002","Network Device Configuration Dump","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1037.003","Network Logon Script","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1037.003","Network Logon Script","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1037.003","Network Logon Script","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1037.003","Network Logon Script","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1037.003","Network Logon Script","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1046,"Network Service Scanning","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1046,"Network Service Scanning","Cloud Service Enumeration","An extracted list of cloud services (ex: AWS ECS ListServices)"
Detection,,T1046,"Network Service Scanning","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1070.005","Network Share Connection Removal","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1070.005","Network Share Connection Removal","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1070.005","Network Share Connection Removal","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1070.005","Network Share Connection Removal","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1135,"Network Share Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1135,"Network Share Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1135,"Network Share Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1040,"Network Sniffing","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1040,"Network Sniffing","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1095,"Non-Application Layer Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1095,"Non-Application Layer Protocol","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1132.002","Non-Standard Encoding","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1571,"Non-Standard Port","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1571,"Non-Standard Port","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1571,"Non-Standard Port","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1003,"OS Credential Dumping","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1003,"OS Credential Dumping","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1003,"OS Credential Dumping","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1003,"OS Credential Dumping","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1003,"OS Credential Dumping","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,T1003,"OS Credential Dumping","Active Directory Object Access","Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)"
Detection,,T1003,"OS Credential Dumping","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1003,"OS Credential Dumping","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1003,"OS Credential Dumping","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1499.001","OS Exhaustion Flood","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1499.001","OS Exhaustion Flood","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1499.001","OS Exhaustion Flood","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1027,"Obfuscated Files or Information","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1027,"Obfuscated Files or Information","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1027,"Obfuscated Files or Information","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1027,"Obfuscated Files or Information","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1588,"Obtain Capabilities","Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,T1588,"Obtain Capabilities","Malware Content","Code, strings, and other signatures that compromise a malicious payload"
Detection,,T1588,"Obtain Capabilities","Certificate Registration","Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)"
Detection,,T1588,"Obtain Capabilities","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1218.008",Odbcconf,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.008",Odbcconf,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1218.008",Odbcconf,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1137,"Office Application Startup","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1137,"Office Application Startup","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1137,"Office Application Startup","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1137,"Office Application Startup","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1137,"Office Application Startup","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1137,"Office Application Startup","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1137,"Office Application Startup","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1137,"Office Application Startup","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1137.001","Office Template Macros","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.001","Office Template Macros","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.001","Office Template Macros","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1137.001","Office Template Macros","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1137.001","Office Template Macros","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1137.001","Office Template Macros","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1137.002","Office Test","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.002","Office Test","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.002","Office Test","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1137.002","Office Test","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1137.002","Office Test","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1137.002","Office Test","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1137.002","Office Test","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1102.003","One-Way Communication","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1102.003","One-Way Communication","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1102.003","One-Way Communication","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1137.003","Outlook Forms","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.003","Outlook Forms","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.003","Outlook Forms","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1137.004","Outlook Home Page","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.004","Outlook Home Page","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.004","Outlook Home Page","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1137.005","Outlook Rules","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1137.005","Outlook Rules","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1137.005","Outlook Rules","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1134.004","Parent PID Spoofing","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1134.004","Parent PID Spoofing","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1134.004","Parent PID Spoofing","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1550.002","Pass the Hash","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1550.002","Pass the Hash","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1550.002","Pass the Hash","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,"T1550.003","Pass the Ticket","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1550.003","Pass the Ticket","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1550.003","Pass the Ticket","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,"T1110.002","Password Cracking","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1110.002","Password Cracking","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1556.002","Password Filter DLL","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1556.002","Password Filter DLL","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1556.002","Password Filter DLL","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1110.001","Password Guessing","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1110.001","Password Guessing","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1555.005","Password Managers","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1555.005","Password Managers","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1555.005","Password Managers","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1555.005","Password Managers","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1201,"Password Policy Discovery","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,T1201,"Password Policy Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1201,"Password Policy Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1110.003","Password Spraying","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,"T1110.003","Password Spraying","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1601.001","Patch System Image","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.007","Path Interception by PATH Environment Variable","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.007","Path Interception by PATH Environment Variable","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.007","Path Interception by PATH Environment Variable","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.008","Path Interception by Search Order Hijacking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.008","Path Interception by Search Order Hijacking","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.008","Path Interception by Search Order Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.009","Path Interception by Unquoted Path","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.009","Path Interception by Unquoted Path","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.009","Path Interception by Unquoted Path","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1120,"Peripheral Device Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1120,"Peripheral Device Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1120,"Peripheral Device Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1069,"Permission Groups Discovery","Pod Metadata","Contextual data about a pod and activity around it such as name, ID, namespace, or status"
Detection,,T1069,"Permission Groups Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1069,"Permission Groups Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1069,"Permission Groups Discovery","Group Enumeration","An extracted list of available groups and/or their associated settings (ex: AWS list-groups)"
Detection,,T1069,"Permission Groups Discovery","Group Metadata","Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group"
Detection,,T1069,"Permission Groups Discovery","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1566,Phishing,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1566,Phishing,"Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1566,Phishing,"Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1566,Phishing,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1598,"Phishing for Information","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1598,"Phishing for Information","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1598,"Phishing for Information","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1547.011","Plist Modification","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1547.011","Plist Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.011","Plist Modification","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.011","Plist Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1556.003","Pluggable Authentication Modules","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1556.003","Pluggable Authentication Modules","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1205.001","Port Knocking","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1205.001","Port Knocking","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1547.010","Port Monitors","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1547.010","Port Monitors","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1547.010","Port Monitors","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.010","Port Monitors","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1055.002","Portable Executable Injection","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.002","Portable Executable Injection","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.002","Portable Executable Injection","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1059.001",PowerShell,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.001",PowerShell,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1059.001",PowerShell,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1059.001",PowerShell,"Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1546.013","PowerShell Profile","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.013","PowerShell Profile","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.013","PowerShell Profile","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1546.013","PowerShell Profile","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1542,"Pre-OS Boot","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1542,"Pre-OS Boot","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1542,"Pre-OS Boot","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,T1542,"Pre-OS Boot","Driver Metadata","Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking"
Detection,,T1542,"Pre-OS Boot","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1542,"Pre-OS Boot","Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,"T1547.012","Print Processors","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1547.012","Print Processors","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1547.012","Print Processors","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.012","Print Processors","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.012","Print Processors","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,"T1552.004","Private Keys","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1552.004","Private Keys","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.007","Proc Filesystem","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.007","Proc Filesystem","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1055.009","Proc Memory","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1057,"Process Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1057,"Process Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1057,"Process Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.013","Process Doppelgänging","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.013","Process Doppelgänging","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1055.012","Process Hollowing","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.012","Process Hollowing","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.012","Process Hollowing","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1055,"Process Injection","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,T1055,"Process Injection","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1055,"Process Injection","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1055,"Process Injection","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1055,"Process Injection","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1055,"Process Injection","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1001.003","Protocol Impersonation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1572,"Protocol Tunneling","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1572,"Protocol Tunneling","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1572,"Protocol Tunneling","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1090,Proxy,"Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1090,Proxy,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1090,Proxy,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1055.008","Ptrace System Calls","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.008","Ptrace System Calls","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.008","Ptrace System Calls","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1216.001",PubPrn,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1216.001",PubPrn,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1216.001",PubPrn,"Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1059.006",Python,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.006",Python,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1012,"Query Registry","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1012,"Query Registry","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1012,"Query Registry","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,T1012,"Query Registry","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1037.004","RC Scripts","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1037.004","RC Scripts","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1037.004","RC Scripts","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1037.004","RC Scripts","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1563.002","RDP Hijacking","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1563.002","RDP Hijacking","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1563.002","RDP Hijacking","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1563.002","RDP Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1563.002","RDP Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1542.004",ROMMONkit,"Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,"T1547.007","Re-opened Applications","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.007","Re-opened Applications","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1600.001","Reduce Key Space","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1498.002","Reflection Amplification","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1498.002","Reflection Amplification","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1620,"Reflective Code Loading","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1620,"Reflective Code Loading","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1620,"Reflective Code Loading","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.001","Registry Run Keys / Startup Folder","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1547.001","Registry Run Keys / Startup Folder","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.001","Registry Run Keys / Startup Folder","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.001","Registry Run Keys / Startup Folder","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.001","Registry Run Keys / Startup Folder","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.009","Regsvcs/Regasm","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.009","Regsvcs/Regasm","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.010",Regsvr32,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.010",Regsvr32,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1218.010",Regsvr32,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.010",Regsvr32,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1219,"Remote Access Software","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1219,"Remote Access Software","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1219,"Remote Access Software","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1219,"Remote Access Software","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1074.002","Remote Data Staging","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1074.002","Remote Data Staging","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1074.002","Remote Data Staging","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1021.001","Remote Desktop Protocol","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1021.001","Remote Desktop Protocol","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1021.001","Remote Desktop Protocol","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1021.001","Remote Desktop Protocol","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1114.002","Remote Email Collection","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1114.002","Remote Email Collection","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1114.002","Remote Email Collection","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1563,"Remote Service Session Hijacking","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1563,"Remote Service Session Hijacking","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1563,"Remote Service Session Hijacking","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1563,"Remote Service Session Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1563,"Remote Service Session Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1021,"Remote Services","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1021,"Remote Services","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1021,"Remote Services","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1021,"Remote Services","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1021,"Remote Services","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1021,"Remote Services","Network Share Access","Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)"
Detection,,T1021,"Remote Services","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1018,"Remote System Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1018,"Remote System Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1018,"Remote System Discovery","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1018,"Remote System Discovery","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1036.003","Rename System Utilities","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1036.003","Rename System Utilities","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1036.003","Rename System Utilities","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1036.003","Rename System Utilities","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1091,"Replication Through Removable Media","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1091,"Replication Through Removable Media","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1091,"Replication Through Removable Media","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1091,"Replication Through Removable Media","Drive Creation","Initial construction of a drive letter or mount point to a data storage device"
Detection,,"T1564.009","Resource Forking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1564.009","Resource Forking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.009","Resource Forking","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1564.009","Resource Forking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1496,"Resource Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1496,"Resource Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1496,"Resource Hijacking","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1496,"Resource Hijacking","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1496,"Resource Hijacking","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1496,"Resource Hijacking","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1578.004","Revert Cloud Instance","Instance Modification","Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)"
Detection,,"T1578.004","Revert Cloud Instance","Instance Start","Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)"
Detection,,"T1578.004","Revert Cloud Instance","Instance Stop","Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)"
Detection,,"T1036.002","Right-to-Left Override","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1207,"Rogue Domain Controller","Active Directory Object Creation","Initial construction of a new active directory object (ex: Windows EID 5137)"
Detection,,T1207,"Rogue Domain Controller","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,T1207,"Rogue Domain Controller","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1207,"Rogue Domain Controller","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1014,Rootkit,"Drive Modification","Changes made to a drive letter or mount point of a data storage device"
Detection,,T1014,Rootkit,"Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,"T1564.006","Run Virtual Instance","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.006","Run Virtual Instance","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1564.006","Run Virtual Instance","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1564.006","Run Virtual Instance","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1564.006","Run Virtual Instance","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1218.011",Rundll32,"File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1218.011",Rundll32,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.011",Rundll32,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1218.011",Rundll32,"Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1565.003","Runtime Data Manipulation","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1565.003","Runtime Data Manipulation","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1565.003","Runtime Data Manipulation","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,"T1565.003","Runtime Data Manipulation","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1565.003","Runtime Data Manipulation","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1606.002","SAML Tokens","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1606.002","SAML Tokens","Web Credential Creation","Initial construction of new web credential material (ex: Windows EID 1200 or 4769)"
Detection,,"T1606.002","SAML Tokens","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,"T1134.005","SID-History Injection","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1134.005","SID-History Injection","User Account Metadata","Contextual data about an account, which may include a username, user ID, environmental data, etc."
Detection,,"T1134.005","SID-History Injection","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,"T1553.003","SIP and Trust Provider Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1553.003","SIP and Trust Provider Hijacking","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1553.003","SIP and Trust Provider Hijacking","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1021.002","SMB/Windows Admin Shares","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1021.002","SMB/Windows Admin Shares","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1021.002","SMB/Windows Admin Shares","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1021.002","SMB/Windows Admin Shares","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1021.002","SMB/Windows Admin Shares","Network Share Access","Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)"
Detection,,"T1602.001","SNMP (MIB Dump)","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1602.001","SNMP (MIB Dump)","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1505.001","SQL Stored Procedures","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1021.004",SSH,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1021.004",SSH,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1021.004",SSH,"Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1098.004","SSH Authorized Keys","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1098.004","SSH Authorized Keys","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1098.004","SSH Authorized Keys","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1563.001","SSH Hijacking","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1563.001","SSH Hijacking","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1563.001","SSH Hijacking","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1563.001","SSH Hijacking","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1563.001","SSH Hijacking","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1562.009","Safe Mode Boot","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1562.009","Safe Mode Boot","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1562.009","Safe Mode Boot","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1562.009","Safe Mode Boot","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1595.001","Scanning IP Blocks","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1053.005","Scheduled Task","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.005","Scheduled Task","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.005","Scheduled Task","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1053.005","Scheduled Task","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1053,"Scheduled Task/Job","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1053,"Scheduled Task/Job","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,T1053,"Scheduled Task/Job","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,T1053,"Scheduled Task/Job","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1053,"Scheduled Task/Job","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1053,"Scheduled Task/Job","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1029,"Scheduled Transfer","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1029,"Scheduled Transfer","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1113,"Screen Capture","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1113,"Screen Capture","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.002",Screensaver,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.002",Screensaver,"Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1546.002",Screensaver,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.002",Screensaver,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1546.002",Screensaver,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1594,"Search Victim-Owned Websites","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1003.002","Security Account Manager","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1003.002","Security Account Manager","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,"T1003.002","Security Account Manager","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1518.001","Security Software Discovery","Firewall Metadata","Contextual data about a firewall and activity around it such as name, policy, or status"
Detection,,"T1518.001","Security Software Discovery","Firewall Enumeration","An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)"
Detection,,"T1518.001","Security Software Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1518.001","Security Software Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1518.001","Security Software Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1547.005","Security Support Provider","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.005","Security Support Provider","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.005","Security Support Provider","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1555.002","Securityd Memory","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1555.002","Securityd Memory","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1583.004",Server,"Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,"T1583.004",Server,"Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1584.004",Server,"Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,"T1584.004",Server,"Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1505,"Server Software Component","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1505,"Server Software Component","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1505,"Server Software Component","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1505,"Server Software Component","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1505,"Server Software Component","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1505,"Server Software Component","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1569.002","Service Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1569.002","Service Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1569.002","Service Execution","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1569.002","Service Execution","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1499.002","Service Exhaustion Flood","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,"T1499.002","Service Exhaustion Flood","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1499.002","Service Exhaustion Flood","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1499.002","Service Exhaustion Flood","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1489,"Service Stop","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1489,"Service Stop","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1489,"Service Stop","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1489,"Service Stop","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,T1489,"Service Stop","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1489,"Service Stop","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1489,"Service Stop","Process Termination","Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)"
Detection,,"T1574.010","Services File Permissions Weakness","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1574.010","Services File Permissions Weakness","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1574.010","Services File Permissions Weakness","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.010","Services File Permissions Weakness","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,"T1574.011","Services Registry Permissions Weakness","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1574.011","Services Registry Permissions Weakness","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1574.011","Services Registry Permissions Weakness","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,"T1574.011","Services Registry Permissions Weakness","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1548.001","Setuid and Setgid","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1548.001","Setuid and Setgid","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1548.001","Setuid and Setgid","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1129,"Shared Modules","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1129,"Shared Modules","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1213.002",Sharepoint,"Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1213.002",Sharepoint,"Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1547.009","Shortcut Modification","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1547.009","Shortcut Modification","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.009","Shortcut Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1218,"Signed Binary Proxy Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1218,"Signed Binary Proxy Execution","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1218,"Signed Binary Proxy Execution","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,T1218,"Signed Binary Proxy Execution","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1218,"Signed Binary Proxy Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1218,"Signed Binary Proxy Execution","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1218,"Signed Binary Proxy Execution","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1216,"Signed Script Proxy Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1216,"Signed Script Proxy Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1216,"Signed Script Proxy Execution","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1558.002","Silver Ticket","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,"T1585.001","Social Media Accounts","Social Media","Established, compromised, or otherwise acquired social media personas"
Detection,,"T1585.001","Social Media Accounts","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1586.001","Social Media Accounts","Social Media","Established, compromised, or otherwise acquired social media personas"
Detection,,"T1586.001","Social Media Accounts","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1592.002",Software,"Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1072,"Software Deployment Tools","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1072,"Software Deployment Tools","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1518,"Software Discovery","Firewall Metadata","Contextual data about a firewall and activity around it such as name, policy, or status"
Detection,,T1518,"Software Discovery","Firewall Enumeration","An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)"
Detection,,T1518,"Software Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1518,"Software Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1518,"Software Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1027.002","Software Packing","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1036.006","Space after Filename","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1566.001","Spearphishing Attachment","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1566.001","Spearphishing Attachment","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1566.001","Spearphishing Attachment","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1566.001","Spearphishing Attachment","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1598.002","Spearphishing Attachment","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1598.002","Spearphishing Attachment","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1598.002","Spearphishing Attachment","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1566.002","Spearphishing Link","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1566.002","Spearphishing Link","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1566.002","Spearphishing Link","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1598.003","Spearphishing Link","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1598.003","Spearphishing Link","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1598.003","Spearphishing Link","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1598.001","Spearphishing Service","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1598.001","Spearphishing Service","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1598.001","Spearphishing Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1566.003","Spearphishing via Service","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1566.003","Spearphishing via Service","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1566.003","Spearphishing via Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1608,"Stage Capabilities","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1132.001","Standard Encoding","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1037.005","Startup Items","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1037.005","Startup Items","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1037.005","Startup Items","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1037.005","Startup Items","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1528,"Steal Application Access Token","User Account Modification","Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)"
Detection,,T1539,"Steal Web Session Cookie","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1539,"Steal Web Session Cookie","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,T1558,"Steal or Forge Kerberos Tickets","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1558,"Steal or Forge Kerberos Tickets","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1558,"Steal or Forge Kerberos Tickets","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,T1558,"Steal or Forge Kerberos Tickets","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,"T1027.003",Steganography,"File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1001.002",Steganography,"Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1565.001","Stored Data Manipulation","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1565.001","Stored Data Manipulation","File Deletion","Removal of a file (ex: Sysmon EID 23)"
Detection,,"T1565.001","Stored Data Manipulation","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1553,"Subvert Trust Controls","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,T1553,"Subvert Trust Controls","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1553,"Subvert Trust Controls","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1553,"Subvert Trust Controls","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1553,"Subvert Trust Controls","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1553,"Subvert Trust Controls","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1553,"Subvert Trust Controls","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1548.003","Sudo and Sudo Caching","Process Metadata","Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc."
Detection,,"T1548.003","Sudo and Sudo Caching","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1548.003","Sudo and Sudo Caching","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1548.003","Sudo and Sudo Caching","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1573.001","Symmetric Cryptography","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1497.001","System Checks","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1497.001","System Checks","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1497.001","System Checks","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1542.001","System Firmware","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,T1082,"System Information Discovery","Instance Metadata","Contextual data about an instance and activity around it such as name, type, or status"
Detection,,T1082,"System Information Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1082,"System Information Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1082,"System Information Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1614.001","System Language Discovery","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,"T1614.001","System Language Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1614.001","System Language Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1614.001","System Language Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1614,"System Location Discovery","Instance Metadata","Contextual data about an instance and activity around it such as name, type, or status"
Detection,,T1614,"System Location Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1614,"System Location Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1614,"System Location Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1016,"System Network Configuration Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1016,"System Network Configuration Discovery","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,T1016,"System Network Configuration Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1016,"System Network Configuration Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1049,"System Network Connections Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1049,"System Network Connections Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1049,"System Network Connections Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1033,"System Owner/User Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1033,"System Owner/User Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1007,"System Service Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1007,"System Service Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1569,"System Services","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1569,"System Services","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1569,"System Services","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,T1569,"System Services","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1569,"System Services","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1529,"System Shutdown/Reboot","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1529,"System Shutdown/Reboot","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1529,"System Shutdown/Reboot","Host Status","Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"
Detection,,T1124,"System Time Discovery","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1124,"System Time Discovery","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1124,"System Time Discovery","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1543.002","Systemd Service","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1543.002","Systemd Service","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1543.002","Systemd Service","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1543.002","Systemd Service","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1543.002","Systemd Service","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1543.002","Systemd Service","Service Modification","Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)"
Detection,,"T1053.006","Systemd Timers","Scheduled Job Creation","Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)"
Detection,,"T1053.006","Systemd Timers","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1053.006","Systemd Timers","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1053.006","Systemd Timers","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1542.005","TFTP Boot","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1542.005","TFTP Boot","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1542.005","TFTP Boot","Firmware Modification","Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)"
Detection,,T1080,"Taint Shared Content","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1080,"Taint Shared Content","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1080,"Taint Shared Content","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1080,"Taint Shared Content","Network Share Access","Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)"
Detection,,T1221,"Template Injection","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1221,"Template Injection","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1221,"Template Injection","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1055.003","Thread Execution Hijacking","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.003","Thread Execution Hijacking","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.003","Thread Execution Hijacking","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1055.005","Thread Local Storage","Process Modification","Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)"
Detection,,"T1055.005","Thread Local Storage","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.005","Thread Local Storage","Process Access","Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)"
Detection,,"T1497.003","Time Based Evasion","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1497.003","Time Based Evasion","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1497.003","Time Based Evasion","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1547.003","Time Providers","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.003","Time Providers","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.003","Time Providers","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.003","Time Providers","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1070.006",Timestomp,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1070.006",Timestomp,"File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1134.001","Token Impersonation/Theft","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1134.001","Token Impersonation/Theft","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1588.002",Tool,"Malware Metadata","Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information"
Detection,,"T1020.001","Traffic Duplication","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1020.001","Traffic Duplication","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1205,"Traffic Signaling","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1205,"Traffic Signaling","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1205,"Traffic Signaling","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1537,"Transfer Data to Cloud Account","Snapshot Creation","Initial construction of a new snapshot (ex: AWS create-snapshot)"
Detection,,T1537,"Transfer Data to Cloud Account","Snapshot Modification","Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)"
Detection,,T1537,"Transfer Data to Cloud Account","Cloud Storage Modification","Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)"
Detection,,T1537,"Transfer Data to Cloud Account","Cloud Storage Creation","Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)"
Detection,,"T1565.002","Transmitted Data Manipulation","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1565.002","Transmitted Data Manipulation","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1565.002","Transmitted Data Manipulation","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1505.002","Transport Agent","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1505.002","Transport Agent","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1546.005",Trap,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.005",Trap,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.005",Trap,"File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1546.005",Trap,"File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1127,"Trusted Developer Utilities Proxy Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1127,"Trusted Developer Utilities Proxy Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1199,"Trusted Relationship","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1199,"Trusted Relationship","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,T1199,"Trusted Relationship","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1111,"Two-Factor Authentication Interception","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,T1111,"Two-Factor Authentication Interception","Driver Load","Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)"
Detection,,T1111,"Two-Factor Authentication Interception","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1059.004","Unix Shell","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.004","Unix Shell","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.004","Unix Shell Configuration Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.004","Unix Shell Configuration Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.004","Unix Shell Configuration Modification","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1546.004","Unix Shell Configuration Modification","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,T1552,"Unsecured Credentials","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1552,"Unsecured Credentials","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,T1552,"Unsecured Credentials","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1552,"Unsecured Credentials","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1552,"Unsecured Credentials","Windows Registry Key Access","Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)"
Detection,,T1535,"Unused/Unsupported Cloud Regions","Instance Creation","Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"
Detection,,"T1608.001","Upload Malware","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1608.002","Upload Tool","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1550,"Use Alternate Authentication Material","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1550,"Use Alternate Authentication Material","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,T1550,"Use Alternate Authentication Material","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1550,"Use Alternate Authentication Material","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1550,"Use Alternate Authentication Material","Active Directory Credential Request","A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)"
Detection,,"T1497.002","User Activity Based Checks","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1497.002","User Activity Based Checks","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1497.002","User Activity Based Checks","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1204,"User Execution","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,T1204,"User Execution","Instance Start","Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)"
Detection,,T1204,"User Execution","Instance Creation","Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"
Detection,,T1204,"User Execution","Image Creation","Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)"
Detection,,T1204,"User Execution","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1204,"User Execution","Container Start","Activation or invocation of a container (ex: docker start or docker restart)"
Detection,,T1204,"User Execution","Container Creation","Initial construction of a new container (ex: docker create <container_name>)"
Detection,,T1204,"User Execution","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,T1204,"User Execution","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1204,"User Execution","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,T1204,"User Execution","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1564.007","VBA Stomping","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1564.007","VBA Stomping","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,"T1055.014","VDSO Hijacking","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1055.014","VDSO Hijacking","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1021.005",VNC,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1021.005",VNC,"Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1021.005",VNC,"Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,T1078,"Valid Accounts","Logon Session Metadata","Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it"
Detection,,T1078,"Valid Accounts","User Account Authentication","An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)"
Detection,,T1078,"Valid Accounts","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1218.012",Verclsid,"Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1218.012",Verclsid,"Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1125,"Video Capture","OS API Execution","Operating system function/method calls executed by a process"
Detection,,T1125,"Video Capture","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1583.003","Virtual Private Server","Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,"T1583.003","Virtual Private Server","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1584.003","Virtual Private Server","Response Metadata","Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports"
Detection,,"T1584.003","Virtual Private Server","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,T1497,"Virtualization/Sandbox Evasion","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1497,"Virtualization/Sandbox Evasion","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1497,"Virtualization/Sandbox Evasion","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1059.005","Visual Basic","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.005","Visual Basic","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1059.005","Visual Basic","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1059.005","Visual Basic","Script Execution","Launching a list of commands through a script file (ex: Windows EID 4104)"
Detection,,"T1595.002","Vulnerability Scanning","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1595.002","Vulnerability Scanning","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1600,"Weaken Encryption","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1606.001","Web Cookies","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1606.001","Web Cookies","Web Credential Creation","Initial construction of new web credential material (ex: Windows EID 1200 or 4769)"
Detection,,"T1606.001","Web Cookies","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,"T1056.003","Web Portal Capture","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1071.001","Web Protocols","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1071.001","Web Protocols","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1102,"Web Service","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,T1102,"Web Service","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,T1102,"Web Service","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1583.006","Web Services","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1584.006","Web Services","Response Content","Logged network traffic in response to a scan showing both protocol header and body values"
Detection,,"T1550.004","Web Session Cookie","Web Credential Usage","An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)"
Detection,,"T1550.004","Web Session Cookie","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1505.003","Web Shell","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1505.003","Web Shell","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1505.003","Web Shell","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1505.003","Web Shell","Network Traffic Content","Logged network traffic data showing both protocol header and body values (ex: PCAP)"
Detection,,"T1505.003","Web Shell","Network Traffic Flow","Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)"
Detection,,"T1505.003","Web Shell","Application Log Content","Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)"
Detection,,"T1059.003","Windows Command Shell","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1059.003","Windows Command Shell","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1555.004","Windows Credential Manager","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1555.004","Windows Credential Manager","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1555.004","Windows Credential Manager","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1555.004","Windows Credential Manager","File Access","Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
Detection,,"T1222.001","Windows File and Directory Permissions Modification","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1222.001","Windows File and Directory Permissions Modification","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1222.001","Windows File and Directory Permissions Modification","Active Directory Object Modification","Changes made to an active directory object (ex: Windows EID 5163 or 5136)"
Detection,,"T1222.001","Windows File and Directory Permissions Modification","File Metadata","Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc."
Detection,,T1047,"Windows Management Instrumentation","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1047,"Windows Management Instrumentation","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1047,"Windows Management Instrumentation","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1546.003","Windows Management Instrumentation Event Subscription","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1546.003","Windows Management Instrumentation Event Subscription","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1546.003","Windows Management Instrumentation Event Subscription","WMI Creation","Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)"
Detection,,"T1021.006","Windows Remote Management","Service Metadata","Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc."
Detection,,"T1021.006","Windows Remote Management","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1021.006","Windows Remote Management","Network Connection Creation","Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)"
Detection,,"T1021.006","Windows Remote Management","Logon Session Creation","Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)"
Detection,,"T1021.006","Windows Remote Management","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1543.003","Windows Service","Service Creation","Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)"
Detection,,"T1543.003","Windows Service","Service Modification","Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)"
Detection,,"T1543.003","Windows Service","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1543.003","Windows Service","OS API Execution","Operating system function/method calls executed by a process"
Detection,,"T1543.003","Windows Service","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1543.003","Windows Service","Windows Registry Key Creation","Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)"
Detection,,"T1543.003","Windows Service","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.004","Winlogon Helper DLL","Windows Registry Key Modification","Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)"
Detection,,"T1547.004","Winlogon Helper DLL","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"
Detection,,"T1547.004","Winlogon Helper DLL","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,"T1547.013","XDG Autostart Entries","File Creation","Initial construction of a new file (ex: Sysmon EID 11)"
Detection,,"T1547.013","XDG Autostart Entries","File Modification","Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
Detection,,"T1547.013","XDG Autostart Entries","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,"T1547.013","XDG Autostart Entries","Command Execution","Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)"
Detection,,T1220,"XSL Script Processing","Process Creation","Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688)"
Detection,,T1220,"XSL Script Processing","Module Load","Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)"