Process Creation

The event in which an operating system starts a new process from an executable. The record normally carries the image path, the command-line arguments, the parent process (parent-child relationship), the user and session context, and on some platforms the environment variables. Monitoring process creation is crucial for detecting malicious behaviors such as execution of unauthorized binaries, scripting abuse, and privilege escalation attempts, because almost every technique eventually has to start a process.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDRs provide process telemetry, tracking execution flows, parent-child lineage, and command-line arguments.
  • Windows Event Logs:
    • Event ID 4688 (Audit Process Creation): Captures process creation with the creator (parent) process ID and, on current Windows versions, the creator process name. Requires the Audit Process Creation subcategory to be enabled; the command line is only recorded when the "Include command line in process creation events" policy is also enabled, otherwise the event carries just the image path.
  • Sysmon (Windows):
    • Event ID 1 (Process Creation): Provides detailed logging, including the full command line, parent image and parent command line, current directory, user, logon session, integrity level, and file hashes.
  • Linux/macOS Monitoring:
    • AuditD (execve syscall): Logs process creation once an execve rule is loaded (for example -a always,exit -F arch=b64 -S execve -k execve). One execution spans several records (SYSCALL, EXECVE, CWD, PATH) that share a single event serial and must be joined; auditd does not record environment variables, only the ppid of the parent.
    • eBPF: Tracepoints or kprobes on process execution (for example sched_process_exec or sys_enter_execve) give low-overhead, kernel-side visibility of new processes. XDP hooks operate on network packets at the driver level and do not see process execution.
    • OSQuery: Allows SQL-like queries to track process events (process_events table). That table is only populated when the audit-based (Linux) or Endpoint Security-based (macOS) event publisher is enabled; the processes table is a point-in-time snapshot and will miss short-lived processes.
    • Apple Endpoint Security Framework (ESF): Monitors process creation on macOS through ES_EVENT_TYPE_NOTIFY_EXEC (and ES_EVENT_TYPE_AUTH_EXEC for blocking clients).
  • Network-Based Monitoring:
    • Zeek (Bro) Logs: Do not record process creation themselves, but capture the network side of remote execution (SSH, RDP, reverse shells) that can be correlated with host process events.
    • Syslog/OSSEC: Forward and analyze process execution logs from distributed systems.
  • Behavioral SIEM Rules:
    • Monitor process creation for uncommon binaries in user directories.
    • Detect processes with suspicious command-line arguments or unusual parent-child relationships.
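The auditd path above is the one practitioners most often get wrong: a single execve produces several records that share an event serial, arguments with spaces arrive hex-encoded, and the SYSCALL record names only the parent's pid, not its image. The following is an added example (not part of the ATT&CK page or any MITRE tooling) that reassembles those records into one process-creation event, resolves the parent through a pid table, and applies three of the Linux detections listed under Log Sources below. The syscall numbers assume x86_64, the audit.log excerpt and the seed process table are constructed for the example, and the detection names are arbitrary labels.

```python
"""Reassemble auditd execve records into one process-creation event each and apply a few
of this page's Linux detections. Added example; not part of the ATT&CK page or tooling."""
import re
from dataclasses import dataclass, field

# Rule that produces the records below (x86_64 assumed; add an arch=b32 line if needed):
#   -a always,exit -F arch=b64 -S execve,execveat -k execve
EXEC_SYSCALLS = {"59", "322"}                           # execve / execveat on x86_64
RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
ARG = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")             # a2, or a2[0], a2[1] for long args

@dataclass
class ExecEvent:
    serial: int
    ts: float
    success: bool = False
    pid: int = 0
    ppid: int = 0
    uid: int = -1
    auid: int = -1
    exe: str = ""
    comm: str = ""
    args: list = field(default_factory=list)
    parent_exe: str = "?"

def unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def decode_execve_args(fields):
    """EXECVE carries argv as a0..aN. Arguments containing spaces, quotes or control
    characters are hex-encoded instead of quoted, and very long ones are split into
    aN[0], aN[1], ...; both cases are normalised here."""
    chunks = {}
    for k, v in fields.items():
        m = ARG.match(k)
        if not m:
            continue
        idx, part = int(m.group(1)), int(m.group(2) or 0)
        if v.startswith('"'):
            text = unquote(v)
        else:
            try:
                text = bytes.fromhex(v).decode("utf-8", "replace")
            except ValueError:                          # e.g. a1=(null)
                text = v
        chunks.setdefault(idx, {})[part] = text
    return ["".join(p[i] for i in sorted(p)) for _, p in sorted(chunks.items())]

def assemble_events(lines):
    """Join the SYSCALL/EXECVE/CWD/PATH records that share one audit serial."""
    events, order = {}, []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.group(1), float(m.group(2)), int(m.group(3)), m.group(4)
        f = dict(FIELD.findall(body))
        ev = events.get(serial)
        if ev is None:
            ev = events[serial] = ExecEvent(serial, ts)
            order.append(serial)
        if rtype == "SYSCALL" and (f.get("syscall") in EXEC_SYSCALLS or unquote(f.get("key", "")) == "execve"):
            ev.success = f.get("success") == "yes"
            ev.pid, ev.ppid = int(f["pid"]), int(f["ppid"])
            ev.uid, ev.auid = int(f["uid"]), int(f["auid"])
            ev.exe, ev.comm = unquote(f.get("exe", "")), unquote(f.get("comm", ""))
        elif rtype == "EXECVE":
            ev.args = decode_execve_args(f)
    # Failed execs (success=no) are audited too; they are not process creations.
    return [events[s] for s in order if events[s].success and events[s].args]

def attribute_parents(events, seed):
    """auditd records only the numeric ppid. Resolve it to an exe from earlier exec events,
    seeded with a pid->exe snapshot of daemons that predate auditing (constructed here; a
    real collector would read /proc/<pid>/exe at start-up). PID reuse is the known gap."""
    table = dict(seed)
    for ev in sorted(events, key=lambda e: (e.ts, e.serial)):
        ev.parent_exe = table.get(ev.ppid, "?")
        table[ev.pid] = ev.exe
    return events

WEB_SERVERS = {"/usr/sbin/apache2", "/usr/sbin/httpd", "/usr/sbin/nginx"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash",
          "/usr/bin/python3", "/usr/bin/perl"}
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
DECODE = re.compile(r"\bbase64\s+(-d|--decode)\b")
BLOCK_DEVICE = re.compile(r"^(of=)?/dev/(sd|nvme|vd|xvd|hd|mapper/)")

def detect(ev):
    """Names of the page's process-creation detections that this event satisfies."""
    hits, cmdline = [], " ".join(ev.args)
    if ev.parent_exe in WEB_SERVERS and ev.exe in SHELLS:
        hits.append("web-server-spawned-shell")          # apache2/nginx spawning sh, bash, python
    if DOWNLOAD_PIPE.search(cmdline) or DECODE.search(cmdline):
        hits.append("download-or-decode-pipeline")        # (curl|wget) ... | sh, base64 -d
    if ev.comm in {"dd", "shred", "wipe"} and any(BLOCK_DEVICE.match(a) for a in ev.args):
        hits.append("destructive-write-to-block-device")  # dd/shred/wipe targeting block devices
    return hits

def run_detections(lines, seed):
    events = attribute_parents(assemble_events(lines), seed)
    return {ev.serial: detect(ev) for ev in events}

# Constructed audit.log excerpt: 501 apache2 worker spawning a download-and-run shell,
# 502 dd overwriting a disk, 503 benign ls, 504 failed exec (ENOENT) that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c4a1e2b0 a1=55d0c4a1e4f0 a2=55d0c4a1e6a0 a3=8 items=2 ppid=1203 pid=1340 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="execve"
type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="sh" a1="-c" a2=6375726C20687474703A2F2F782F612E7368207C207368
type=CWD msg=audit(1700000000.101:501): cwd="/var/www/html"
type=PATH msg=audit(1700000000.101:501): item=0 name="/bin/sh" inode=262145 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2200 pid=2301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dd" exe="/usr/bin/dd" key="execve"
type=EXECVE msg=audit(1700000000.250:502): argc=4 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=1M"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2200 pid=2305 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="execve"
type=EXECVE msg=audit(1700000000.300:503): argc=3 a0="ls" a1="-la" a2="/tmp"
type=SYSCALL msg=audit(1700000000.310:504): arch=c000003e syscall=59 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2306 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="execve"
"""
SEED_PROCESS_TABLE = {1203: "/usr/sbin/apache2", 2200: "/bin/bash"}   # constructed /proc snapshot

if __name__ == "__main__":
    for serial, hits in run_detections(SAMPLE_AUDIT_LOG.splitlines(), SEED_PROCESS_TABLE).items():
        print(serial, hits or "-")
```

Two design points matter in production. First, the parent image comes from a pid table that the collector must seed from /proc at start-up and keep updated from every exec it sees; without it, rules like "apache2 spawning sh" cannot be evaluated from auditd alone. Second, the pipeline detection works on the reassembled argv rather than the PROCTITLE record, because PROCTITLE is truncated and hex-encoded and the EXECVE record is the only complete source of arguments.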
ID: DC0032
Domains: ICS, Mobile, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:EXECVE execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs
auditd:EXECVE EXECVE
auditd:EXECVE execution of unexpected binaries during user shell startup
auditd:EXECVE systemctl spawning managed processes
auditd:EXECVE execve
auditd:EXECVE Execution of dd, shred, wipe targeting block devices
auditd:EXECVE /usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail
auditd:EXECVE None
auditd:EXECVE Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd
auditd:EXECVE Execution of ssh/scp/sftp without corresponding authentication log
auditd:EXECVE Execution of dd/sgdisk with arguments writing to sector 0 or partition table
auditd:EXECVE Execution of dd, shred, or wipe with arguments targeting block devices
auditd:EXECVE systemctl stop auditd, kill -9 , or modifications to /etc/selinux/config
auditd:EXECVE cat|less|grep accessing .bash_history from a non-shell process
auditd:EXECVE Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart
auditd:SYSCALL execve
auditd:SYSCALL execve network tools
auditd:SYSCALL execve calls to soffice.bin with suspicious macro execution flags
auditd:SYSCALL execve of systemctl or service stop
auditd:SYSCALL execve of launchctl or pkill
auditd:SYSCALL execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context
auditd:SYSCALL execve: Electron-based binary spawning shell or script interpreter
auditd:SYSCALL execve calls with high-frequency or known bandwidth-intensive tools
auditd:SYSCALL execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)
auditd:SYSCALL process persists beyond parent shell termination
auditd:SYSCALL execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)
auditd:SYSCALL execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context
auditd:SYSCALL execve: Execution of discovery commands targeting backup binaries, processes, or config paths
auditd:SYSCALL execve: Execution of scripts or binaries spawned from browser processes
auditd:SYSCALL EXECVE
auditd:SYSCALL execve: Execution of bash, python, or perl processes spawned by browser/email client
auditd:SYSCALL execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity.
auditd:SYSCALL SYSCALL record where exe contains passwd/userdel/chage and auid != root
auditd:SYSCALL execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags
auditd:SYSCALL execve on code or jetbrains-gateway with remote flags
auditd:SYSCALL execve of sleep or ping command within script interpreted by bash/python
auditd:SYSCALL execve or socket/connect system calls from processes using crypto libraries
auditd:SYSCALL type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime
auditd:SYSCALL socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(… SO_ATTACH_FILTER|SO_ATTACH_BPF …), bpf(cmd=BPF_PROG_LOAD), open/openat path="/dev/bpf*" (BSD/macOS-like) or setcap cap_net_raw.
auditd:SYSCALL execution of known flash tools (e.g., flashrom, fwupd)
auditd:SYSCALL execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt
auditd:SYSCALL execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)
auditd:SYSCALL execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)
auditd:SYSCALL execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb
auditd:SYSCALL execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)
auditd:SYSCALL execve, connect
auditd:SYSCALL execve logging for /usr/bin/systemctl and systemd-run
auditd:SYSCALL execve: Execution of files saved in mail or download directories
auditd:SYSCALL execve: Execution of CLI tools like psql, mysql, mongo, sqlite3
auditd:SYSCALL execve: Execution of pip, npm, gem, or similar package managers
auditd:SYSCALL fork/exec of service via PID 1 (systemd)
auditd:SYSCALL execve: execve where exe=/usr/bin/python3 or similar interpreter
auditd:SYSCALL Execution of binaries located in /etc/init.d/ or systemd service paths
auditd:SYSCALL execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser
auditd:SYSCALL execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw).
auditd:SYSCALL execve: Execution of binaries/scripts presenting false health messages for security daemons
auditd:SYSCALL execve, setifflags
auditd:SYSCALL execve calls for qemu-system*, kvm, or VBoxHeadless
auditd:SYSCALL execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens
auditd:SYSCALL Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc.
auditd:SYSCALL execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\||\|\s*sh|bash)|base64\s*-d|python\s*-c'
auditd:SYSCALL Invocation of packet generation tools (e.g., hping3, nping) or fork bombs
auditd:SYSCALL execve for proxy tools
auditd:SYSCALL execve or nanosleep with no stdout/stderr I/O
auditd:SYSCALL Execution of dpkg, rpm, or other package manager with list flag
auditd:SYSCALL apache2 or nginx spawning sh, bash, or python interpreter
auditd:SYSCALL execve: Execution of commands modifying iptables/nftables to block selective IPs
auditd:SYSCALL execve with LD_PRELOAD or linker-related environment variables set
auditd:SYSCALL execve of re-parented process
auditd:SYSCALL socket: Suspicious creation of AF_UNIX sockets outside expected daemons
auditd:SYSCALL execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells
auditd:SYSCALL systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system
auditd:SYSCALL execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)
auditd:SYSCALL Execution of network stress tools or anomalies in socket/syscall behavior
auditd:SYSCALL execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)
auditd:SYSCALL execve, unlink
auditd:SYSCALL execve or socket/connect system calls for processes using RSA handshake
auditd:SYSCALL execve: parent process is usb/hid device handler, child process bash/python invoked
auditd:SYSCALL execve: Execution of suspicious exploit binaries targeting security daemons
azure:vmguest Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution
containerd:events New container with suspicious image name or high resource usage
containerd:events unusual process spawned from container image context
containerd:runtime /var/log/containers/*.log
containers:osquery bandwidth-intensive command execution from within a container namespace
docker:audit Process execution events within container namespace context
docker:events Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container
ebpf:syscalls process execution or network connect from just-created container PID namespace
ebpf:syscalls execve
esxi:cron process or cron activity
esxi:hostd process execution across cloud VM
esxi:hostd execution of esxcli with args matching 'storage', 'filesystem', 'core device list'
esxi:hostd process
esxi:hostd host daemon events related to VM operations and configuration queries during reconnaissance
esxi:shell /root/.ash_history or /etc/init.d/*
esxi:shell /var/log/shell.log
esxi:shell commands containing base64, openssl enc -base64, xxd -p
esxi:shell /var/log/vmkernel.log, /var/log/vmkwarning.log
esxi:shell Shell Execution
esxi:shell None
esxi:shell commands containing long non-standard tokens or custom lookup tables
esxi:vmkernel spawned shell or execution environment activity
esxi:vmkernel Exec
esxi:vmkernel VMware kernel events for hardware and system configuration access during environmental validation
esxi:vobd /var/log/vobd.log
etw:Microsoft-Windows-Kernel-Process provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete
fs:fsusage Execution of disguised binaries
fs:fsusage binary execution of security_authtrampoline
kubernetes:apiserver kubectl exec or kubelet API calls targeting running pods
kubernetes:apiserver exec into pod followed by secret retrieval via API
linux:osquery Execution of binary resolved from $PATH not located in /usr/bin or /bin
linux:osquery process_events
linux:osquery execution of known firewall binaries
linux:osquery execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'
linux:osquery Process execution with LD_PRELOAD or modified library path
linux:osquery process listening or connecting on non-standard ports
linux:osquery Processes linked with libssl or crypto libraries making outbound connections
linux:osquery process execution events for permission modification utilities with command-line analysis
linux:osquery Anomalous parent PID change
linux:osquery child process invoking dynamic linker post-ptrace
linux:osquery socat, ssh, or nc processes opening unexpected ports
linux:osquery processes modifying environment variables related to history logging
linux:syslog KERN messages about eBPF program load/verify or LSM denials related to bpf.
linux:syslog Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http
linux:syslog systemd-udevd spawning user-defined action from RUN+=
linux:Sysmon EventCode=1
linux:Sysmon process creation events linked to container namespaces executing host-level binaries
m365:defender AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
macos:endpointsecurity exec
macos:endpointsecurity exec: Process execution context for loaders calling dlopen/dlsym
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh
macos:endpointsecurity es_event_exec
macos:endpointsecurity exec: arguments contain Base64-like strings
macos:endpointsecurity exec: binary == "/usr/sbin/systemsetup" and args contains "-gettimezone"
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of "sharing -l", "smbutil view", "mount_smbfs"
macos:endpointsecurity exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets
macos:endpointsecurity exec events
macos:osquery processes
macos:osquery process_events
macos:osquery process reading browser configuration paths
macos:osquery Execution of non-standard binaries accessing Kerberos APIs
macos:osquery execve
macos:osquery process_events OR launchd
macos:osquery launchd or process_events
macos:osquery parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes.
macos:osquery execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'
macos:osquery execve: Processes unexpectedly invoking Keychain or authentication APIs
macos:osquery Invocation of osascript or dylib injection
macos:osquery query: process_events, launchd, and tcc.db access
macos:osquery exec
macos:osquery process_events where path like '%tcpdump%'
macos:osquery process execution monitoring for permission modification utilities with command-line argument analysis
macos:osquery Execution of flooding tools or compiled packet generators
macos:osquery process_events table
macos:osquery curl, python scripts, rsync with internal share URLs
macos:osquery Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)
macos:osquery Processes executing kextload, spctl, or modifying kernel extension directories
macos:osquery Unsigned or ad-hoc signed process executions in user contexts
macos:osquery process event monitoring with focus on discovery utilities and cryptographic framework usage correlation
macos:osquery launchd, processes
macos:osquery execve: Unsigned or unnotarized processes launched with high privileges
macos:unifiedlog log stream 'eventMessage contains pubsub or broker'
macos:unifiedlog Process execution path inconsistent with baseline PATH directories
macos:unifiedlog Execution of launchctl with suspicious arguments
macos:unifiedlog Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts
macos:unifiedlog exec logs
macos:unifiedlog launch of Terminal.app or shell with non-standard environment setup
macos:unifiedlog process::exec
macos:unifiedlog Electron app spawning unexpected child process
macos:unifiedlog exec or spawn calls to proxy tools or torrent clients
macos:unifiedlog process launch
macos:unifiedlog log stream --info --predicate 'subsystem == "com.apple.cfprefsd"'
macos:unifiedlog execution of security, sqlite3, or unauthorized binaries
macos:unifiedlog Unexpected applications generating outbound DNS queries
macos:unifiedlog Unexpected child process of Safari or Chrome
macos:unifiedlog execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks
macos:unifiedlog process writes or modifies files in excluded paths
macos:unifiedlog process
macos:unifiedlog com.apple.mail.* exec.*
macos:unifiedlog execution of memory inspection tools (lldb, gdb, osqueryi)
macos:unifiedlog background process persists beyond user logout
macos:unifiedlog Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns
macos:unifiedlog None
macos:unifiedlog Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)
macos:unifiedlog exec events where web process starts a shell/tooling
macos:unifiedlog exec of osascript, bash, curl with suspicious parameters
macos:unifiedlog Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list
macos:unifiedlog process and file events via log stream
macos:unifiedlog Browser processes launching unexpected interpreters (osascript, bash)
macos:unifiedlog exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files
macos:unifiedlog process:exec
macos:unifiedlog Execution of osascript, bash, or Terminal initiated from Mail.app or Safari
macos:unifiedlog process activity stream
macos:unifiedlog Post-login execution of unrecognized child process from launchd or loginwindow
macos:unifiedlog process command line contains base64, -enc, openssl enc -base64
macos:unifiedlog Execution of process launched via loginwindow session restore
macos:unifiedlog process: exec + filewrite: ~/.ssh/authorized_keys
macos:unifiedlog Execution of Java apps or other processes with hidden window attributes
macos:unifiedlog Process Execution
macos:unifiedlog process: code or jetbrains-gateway launching with --tunnel or --remote
macos:unifiedlog log stream --predicate 'processImagePath CONTAINS "curl" OR "osascript"'
macos:unifiedlog Process using AES/RC4 routines unexpectedly
macos:unifiedlog process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery
macos:unifiedlog execution of osascript, curl, or unexpected automation
macos:unifiedlog exec /usr/bin/pwpolicy
macos:unifiedlog Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters.
macos:unifiedlog com.apple.firmwareupdater activity or update-firmware binary invoked
macos:unifiedlog exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API
macos:unifiedlog process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary
macos:unifiedlog process:launch
macos:unifiedlog Execution of scp, rsync, curl with remote destination
macos:unifiedlog logMessage contains pbpaste or osascript
macos:unifiedlog process launch of diskutil or system_profiler with SPStorageDataType
macos:unifiedlog Mail.app executing with parameters updating rules state
macos:unifiedlog process_name IN ("VBoxManage", "prlctl") AND command CONTAINS ("list", "show")
macos:unifiedlog exec srm|exec openssl|exec gpg
macos:unifiedlog Execution of process with DYLD_INSERT_LIBRARIES set
macos:unifiedlog process and signing chain events
macos:unifiedlog launchservices events for misleading extensions
macos:unifiedlog launchd services binding to non-standard ports
macos:unifiedlog Execution of binaries with unsigned or anomalously signed certificates
macos:unifiedlog Execution of Terminal, osascript, or other interpreters originating from Mail or Preview
macos:unifiedlog process events
macos:unifiedlog Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents
macos:unifiedlog Process start of Java or native DB client tools
macos:unifiedlog loginwindow or tccd-related entries
macos:unifiedlog Command line invocation of pip3, brew install, npm install from interactive Terminal
macos:unifiedlog Execution of ssh or sftp without corresponding login event
macos:unifiedlog launch of remote desktop app or helper binary
macos:unifiedlog Unexpected processes making network calls based on DNS-derived ports
macos:unifiedlog launchctl spawning new processes
macos:unifiedlog launchctl activity and process creation
macos:unifiedlog Execution of Python, Swift, or other binaries invoking archiving libraries
macos:unifiedlog Process invoking SSL routines from Security framework
macos:unifiedlog Execution of binary listed in newly modified LaunchAgent plist
macos:unifiedlog Execution of bless or nvram modifying boot parameters
macos:unifiedlog Unexpected processes registered with launchd
macos:unifiedlog Process launch
macos:unifiedlog execution of curl, osascript, or unexpected Office processes
macos:unifiedlog Trust validation failures or bypass attempts during notarization and code signing checks
macos:unifiedlog process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}
macos:unifiedlog Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving
macos:unifiedlog process execution events for chmod, chown, chflags with unusual parameters or targets
macos:unifiedlog execve or dylib load from memory without backing file
macos:unifiedlog exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers.
macos:unifiedlog Unusual child process tree indicating attempted recovery after crash
macos:unifiedlog Execution of processes mimicking Apple Security & Privacy GUIs
macos:unifiedlog execution of curl, git, or Office processes with network connections
macos:unifiedlog log stream - process subsystem
macos:unifiedlog Process execution for VBoxHeadless, prl_vm_app, vmware-vmx
macos:unifiedlog process logs
macos:unifiedlog command line or log output shows non-standard encoding routines
macos:unifiedlog Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents
macos:unifiedlog execve: Helper tools invoked through XPC executing unexpected binaries
macos:unifiedlog execution of modified binary without valid signature
macos:unifiedlog exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\||\|\s*sh|bash)|base64 -D|python -c'
macos:unifiedlog process created with repeated ICMP or UDP flood behavior
macos:unifiedlog process: exec
macos:unifiedlog Child processes of Safari, Chrome, or Firefox executing scripting interpreters
macos:unifiedlog Execution of older or non-standard interpreters
macos:unifiedlog process execution events for chmod, chown, chflags with parameter analysis and target path examination
macos:unifiedlog process, socket, and DNS logs
macos:unifiedlog Command line containing `trap` or `echo 'trap` written to login shell files
macos:unifiedlog log collect --predicate
macos:unifiedlog launchd or osascript spawns process with delay command
macos:unifiedlog process:spawn
macos:unifiedlog log stream --predicate 'eventMessage contains "exec"'
macos:unifiedlog Execution of system_profiler or osascript invoking enumeration
macos:unifiedlog httpd spawning bash, zsh, python, or osascript
macos:unifiedlog Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts
macos:unifiedlog execution of security or osascript
macos:unifiedlog launchd spawning processes tied to new or modified LaunchDaemon .plist entries
macos:unifiedlog Execution of ping, nping, or crafted network packets via bash or python to reflection services
macos:unifiedlog System process modifications altering DNS/proxy settings
macos:unifiedlog process: spawn, exec
macos:unifiedlog Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep
macos:unifiedlog Unexpected apps performing repeated DNS lookups
macos:unifiedlog launchservices or loginwindow events
macos:unifiedlog execution of process with DYLD_INSERT_LIBRARIES set
macos:unifiedlog Suspicious Swift/Objective-C or scripting processes writing archive-like outputs
macos:unifiedlog Process creation with parent PID of 1 (launchd)
macos:unifiedlog Execution of diskutil or hdiutil attaching hidden partitions
macos:unifiedlog process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis
macos:unifiedlog Unexpected apps generating frequent DNS queries
macos:unifiedlog process exec
macos:unifiedlog Non-standard processes invoking financial applications or payment APIs
macos:unifiedlog Process exec of remote-control apps or binaries with headless/connect flags
macos:unifiedlog Execution of launchctl unload, kill, or removal of security agent daemons
macos:unifiedlog process activity, exec events
macos:unifiedlog log stream process subsystem
macos:unifiedlog process:exec and kext load events
macos:unifiedlog log stream --info --predicate 'eventMessage CONTAINS "exec"'
macos:unifiedlog Unsigned binary execution following SIP change
macos:unifiedlog exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers
macos:unifiedlog Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes
macos:unifiedlog Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond
macos:unifiedlog process execution of ssh with -L/-R forwarding flags
macos:unifiedlog launchd or cron spawning mining binaries
macos:unifiedlog Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs
macos:unifiedlog Script interpreter invoked by nginx/apache worker process
macos:unifiedlog execution of Office binaries with network activity
macos:unifiedlog launch of bash/zsh/python/osascript targeting key file locations
macos:unifiedlog execution of /sbin/emond with child processes launched
macos:unifiedlog shutdown -h now or reboot
macos:unifiedlog Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags
macos:unifiedlog process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis
macos:unifiedlog execution of curl, rclone, or Office apps invoking network sessions
macos:unifiedlog exec: Execution of kextstat, kextfind, or ioreg targeting driver information
macos:unifiedlog Process creation involving binaries interacting with resource fork data
macos:unifiedlog process event
macos:unifiedlog security OR injection attempts into 1Password OR LastPass
OpenBSM:AuditTrail open/openat of /dev/bpf*; ioctl BIOCSETF-like operations.
OpenBSM:AuditTrail BSM audit events for process execution and system call monitoring during reconnaissance
Process None
WinEventLog:AppLocker EventCode=8003,8004
WinEventLog:Microsoft-Windows-DotNETRuntime Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior
WinEventLog:Microsoft-Windows-Security-Auditing EventCode=4688
WinEventLog:Security EventCode=4688
WinEventLog:Sysmon EventCode=1

Detection Strategy

ID Name Technique Detected
DET0210 Abuse of Domain Accounts T1078.002
DET0413 Abuse of Information Repositories for Data Collection T1213
DET0455 Abuse of PowerShell for Arbitrary Execution T1059.001
DET0120 Account Access Removal via Multi-Platform Audit Correlation T1531
DET0096 Account Manipulation Behavior Chain Detection T1098
DET0415 Application Exhaustion Flood Detection Across Platforms T1499.003
DET0397 Automated Exfiltration Detection Strategy T1020
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) T1518.002
DET0280 Behavior-Based Registry Modification Detection on Windows T1112
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0124 Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi T1132.001
DET0326 Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi T1132.002
DET0283 Behavior-chain detection for T1134 Access Token Manipulation on Windows T1134
DET0482 Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows T1134.001
DET0456 Behavior-chain detection for T1134.002 Create Process with Token (Windows) T1134.002
DET0489 Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows) T1134.004
DET0182 Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS T1135
DET0249 Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes T1610
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0191 Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows) T1127.002
DET0585 Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) T1127.003
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0172 Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) T1127
DET0018 Behavior-chain, platform-aware detection strategy for T1129 Shared Modules T1129
DET0021 Behavioral Detection for Service Stop across Platforms T1489
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0329 Behavioral Detection for T1490 - Inhibit System Recovery T1490
DET0100 Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing T1055.004
DET0516 Behavioral Detection of Command and Scripting Interpreter Abuse T1059
DET0165 Behavioral Detection of Command History Clearing T1070.003
DET0389 Behavioral Detection of DLL Injection via Windows API T1055.001
DET0400 Behavioral Detection of DNS Tunneling and Application Layer Abuse T1071.004
DET0360 Behavioral Detection of Domain Group Discovery T1069.002
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0590 Behavioral Detection of External Website Defacement across Platforms T1491.002
DET0102 Behavioral Detection of Input Capture Across Platforms T1056
DET0357 Behavioral Detection of Internet Connection Discovery T1016.001
DET0089 Behavioral Detection of Keylogging Activity Across Platforms T1056.001
DET0114 Behavioral Detection of Local Group Enumeration Across OS Platforms T1069.001
DET0520 Behavioral Detection of Log File Clearing on Linux and macOS T1070.002
DET0266 Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics T1070.008
DET0140 Behavioral Detection of Malicious File Deletion T1070.004
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0529 Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls T1106
DET0049 Behavioral Detection of Network History and Configuration Tampering T1070.007
DET0103 Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects T1070.005
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping T1055.002
DET0179 Behavioral Detection of Permission Groups Discovery T1069
DET0508 Behavioral Detection of Process Injection Across Platforms T1055
DET0002 Behavioral Detection of Publish/Subscribe Protocol Misuse for C2 T1071.005
DET0596 Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution T1021.004
DET0521 Behavioral Detection of Spoofed GUI Credential Prompts T1056.002
DET0195 Behavioral Detection of System Network Configuration Discovery T1016
DET0231 Behavioral Detection of Systemd Timer Abuse for Scheduled Execution T1053.006
DET0518 Behavioral Detection of T1498 – Network Denial of Service Across Platforms T1498
DET0295 Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching T1055.003
DET0178 Behavioral Detection of Unauthorized VNC Remote Control Sessions T1021.005
DET0384 Behavioral Detection of Unix Shell Execution T1059.004
DET0093 Behavioral Detection of User Discovery via Local and Remote Enumeration T1033
DET0076 Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript) T1059.005
DET0464 Behavioral Detection of Wi-Fi Discovery Activity T1016.002
DET0202 Behavioral Detection of Windows Command Shell Execution T1059.003
DET0477 Behavioral Detection of WinRM-Based Remote Access T1021.006
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0503 Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001
DET0376 Behavioral Detection Strategy for Network Service Discovery Across Platforms T1046
DET0269 Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity T1021
DET0221 Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS T1123
DET0338 Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) T1550
DET0364 Behavioral Detection Strategy for WMI Execution Abuse on Windows T1047
DET0498 Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows) T1134.003
DET0274 Boot or Logon Autostart Execution Detection Strategy T1547
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0341 Clipboard Data Access with Anomalous Context T1115
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0083 Container CLI and API Abuse via Docker/Kubernetes (T1059.013) T1059.013
DET0446 Credential Access via /etc/passwd and /etc/shadow Parsing T1003.008
DET0085 Credential Dumping from SAM via Registry Dump and Local File Access T1003.002
DET0234 Credential Dumping via Sensitive Memory and Registry Access Correlation T1003
DET0090 Cross-host C2 via Removable Media Relay T1092
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0063 Cross-Platform Behavioral Detection of Python Execution T1059.006
DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse T1053
DET0290 Cross-Platform Detection of Cron Job Abuse for Persistence and Execution T1053.003
DET0264 Cross-Platform Detection of JavaScript Execution Abuse T1059.007
DET0333 Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility T1053.002
DET0238 Defacement via File and Web Content Modification Across Platforms T1491
DET0224 Detect Abuse of Component Object Model (T1559.001) T1559.001
DET0198 Detect Abuse of Container APIs for Credential Access T1552.007
DET0504 Detect Abuse of Dynamic Data Exchange (T1559.002) T1559.002
DET0493 Detect Abuse of Inter-Process Communication (T1559) T1559
DET0098 Detect abuse of Windows BITS Jobs for download, execution and persistence T1197
DET0122 Detect Abuse of Windows Time Providers for Persistence T1547.003
DET0335 Detect Abuse of XPC Services (T1559.003) T1559.003
DET0381 Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL T1552.006
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting T1552.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0396 Detect Access to macOS Keychain for Credential Theft T1555.001
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0312 Detect Active Setup Persistence via StubPath Execution T1547.014
DET0275 Detect Adversary Deobfuscation or Decoding of Files and Payloads T1140
DET0526 Detect Archiving and Encryption of Collected Data (T1560) T1560
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0268 Detect Archiving via Library (T1560.002) T1560.002
DET0298 Detect Archiving via Utility (T1560.001) T1560.001
DET0113 Detect AS-REP Roasting Attempts (T1558.004) T1558.004
DET0035 Detect Bidirectional Web Service C2 Channels via Process & Network Correlation T1102.002
DET0523 Detect Code Signing Policy Modification (Windows & macOS) T1553.006
DET0336 Detect Compromise of Host Software Binaries T1554
DET0250 Detect Credential Discovery via Windows Registry Enumeration T1552.002
DET0430 Detect Credentials Access from Password Stores T1555
DET0061 Detect Default File Association Hijack via Registry & Execution Correlation on Windows T1546.001
DET0187 Detect disabled Windows event logging T1562.002
DET0028 Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes T1496.002
DET0288 Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation T1553.001
DET0060 Detect Ingress Tool Transfers via Behavioral Chain T1105
DET0024 Detect Kerberos Ccache File Theft or Abuse (T1558.005) T1558.005
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling T1114.001
DET0072 Detect Logon Script Modifications and Execution T1037.001
DET0561 Detect malicious IDE extension install/usage and IDE tunneling T1176.002
DET0454 Detect Malicious Modification of Pluggable Authentication Modules (PAM) T1556.003
DET0589 Detect Modification of Authentication Process via Reversible Encryption T1556.005
DET0104 Detect Modification of Authentication Processes Across Platforms T1556
DET0429 Detect Modification of macOS Startup Items T1037.005
DET0228 Detect Multi-Stage Command and Control Channels T1104
DET0367 Detect Network Logon Script Abuse via Multi-Event Correlation on Windows T1037.003
DET0053 Detect Obfuscated C2 via Network Traffic Analysis T1001
DET0398 Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks T1137
DET0581 Detect One-Way Web Service Command Channels T1102.003
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0095 Detect Persistence via Malicious Outlook Rules T1137.005
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0315 Detect Persistence via Office Test Registry DLL Injection T1137.002
DET0029 Detect Persistence via Outlook Custom Forms Triggered by Malicious Email T1137.003
DET0177 Detect Persistence via Outlook Home Page Exploitation T1137.004
DET0125 Detect persistence via reopened application plist modification (macOS) T1547.007
DET0473 Detect persistent or elevated container services via container runtime or cluster manipulation T1543.005
DET0365 Detect Registry and Startup Folder Persistence (Windows) T1547.001
DET0346 Detect Screen Capture via Commands and API Calls T1113
DET0154 Detect Screensaver-Based Persistence via Registry and Execution Chains T1546.002
DET0020 Detect Shell Configuration Modification for Persistence via Event-Triggered Execution T1546.004
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0037 Detect Suspicious Access to Browser Credential Stores T1555.003
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms T1552.004
DET0057 Detect Suspicious Access to securityd Memory for Credential Extraction T1555.002
DET0134 Detect Suspicious Access to Windows Credential Manager T1555.004
DET0230 Detect Suspicious or Malicious Code Signing Abuse T1553.002
DET0141 Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution T1497.003
DET0597 Detect Unauthorized Access to Password Managers T1555.005
DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) T1200
DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing T1497.002
DET0404 Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows T1547.004
DET0086 Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation T1546.003
DET0205 Detect XSL Script Abuse via msxsl and wmic T1220
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0350 Detecting Downgrade Attacks T1562.010
DET0025 Detecting Electron Application Abuse for Proxy Execution T1218.015
DET0011 Detecting Junk Data in C2 Channels via Behavioral Analysis T1001.001
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation T1218.005
DET0486 Detecting Odbcconf Proxy Execution of Malicious DLLs T1218.008
DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux T1003.007
DET0440 Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse T1216.002
DET0470 Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation T1001.003
DET0528 Detecting Remote Script Proxy Execution via PubPrn.vbs T1216.001
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0588 Detection of Remote Service Session Hijacking for RDP. T1563.002
DET0311 Detection for Spoofing Security Alerting across OS Platforms T1562.011
DET0034 Detection of Adversarial Process Discovery Behavior T1057
DET0223 Detection of Adversary Abuse of Software Deployment Tools T1072
DET0764 Detection of Adversary-in-the-Middle T0830
DET0414 Detection of AppleScript-Based Execution on macOS T1059.002
DET0097 Detection of Application Window Enumeration via API or Scripting T1010
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0513 Detection of Cached Domain Credential Dumping via Local Hash Cache Access T1003.005
DET0444 Detection of Command and Control Over Application Layer Protocols T1071
DET0655 Detection of Command and Scripting Interpreter T1623
DET0760 Detection of Command-Line Interface T0807
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0139 Detection of Credential Harvesting via API Hooking T1056.004
DET0511 Detection of Data Access and Collection from Removable Media T1025
DET0758 Detection of Data Destruction T0809
DET0146 Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns T1485
DET0123 Detection of Data Exfiltration via Removable Media T1052
DET0749 Detection of Data from Local System T0893
DET0014 Detection of Data Staging Prior to Exfiltration T1074
DET0211 Detection of Direct VM Console Access via Cloud-Native Methods T1021.008
DET0426 Detection of Direct Volume Access for File System Evasion T1006
DET0145 Detection of Disabled or Modified System Firewalls across OS Platforms. T1562.004
DET0270 Detection of Domain or Tenant Policy Modifications via AD and Identity Provider T1484
DET0007 Detection of Domain Trust Discovery via API, Script, and CLI Enumeration T1482
DET0782 Detection of Drive-by Compromise T0817
DET0532 Detection of Event Log Clearing on Windows via Behavioral Chain T1070.001
DET0077 Detection of Exfiltration Over Alternate Network Interfaces T1011
DET0512 Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002
DET0149 Detection of Exfiltration Over Unencrypted Non-C2 Protocol T1048.003
DET0416 Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP) T1071.002
DET0772 Detection of Graphical User Interface T0823
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity T1484.001
DET0497 Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. T1562.001
DET0750 Detection of Indicator Removal on Host T0872
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0745 Detection of Lateral Tool Transfer T0867
DET0013 Detection of Local Browser Artifact Access for Reconnaissance T1217
DET0380 Detection of Local Data Collection Prior to Exfiltration T1005
DET0261 Detection of Local Data Staging Prior to Exfiltration T1074.001
DET0437 Detection of LSA Secrets Dumping via Registry and Memory Extraction T1003.004
DET0135 Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3) T1071.003
DET0138 Detection of Malicious Code Execution via InstallUtil.exe T1218.004
DET0194 Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 T1218.002
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0117 Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution T1036.004
DET0158 Detection of Msiexec Abuse for Local, Network, and DLL Execution T1218.007
DET0215 Detection of Multi-Platform File Encryption for Impact T1486
DET0132 Detection of Mutex-Based Execution Guardrails Across Platforms T1480.002
DET0770 Detection of Network Connection Enumeration T0840
DET0800 Detection of Network Sniffing T0842
DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers T1003.003
DET0040 Detection of Persistence Artifact Removal Across Host Platforms T1070.009
DET0081 Detection of Proxy Execution via Trusted Signed Binaries Across Platforms T1218
DET0445 Detection of Proxy Infrastructure Setup and Traffic Bridging T1090
DET0209 Detection of Registry Query for Environmental Discovery T1012
DET0071 Detection of Remote Data Staging Prior to Exfiltration T1074.002
DET0079 Detection of Remote Service Session Hijacking T1563
DET0804 Detection of Remote Services T0886
DET0739 Detection of Remote System Discovery T0846
DET0787 Detection of Remote System Information Discovery T0888
DET0733 Detection of Replication Through Removable Media T0847
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities T1216
DET0735 Detection of Scripting T0853
DET0897 Detection of Selective Exclusion T1679
DET0765 Detection of Service Stop T0881
DET0781 Detection of Spearphishing Attachment T0865
DET0898 Detection of Spoofed User-Agent T1036.012
DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe T1218.001
DET0441 Detection of Suspicious Scheduled Task Creation and Execution on Windows T1053.005
DET0793 Detection of System Binary Proxy Execution T0894
DET0320 Detection of System Network Connections Discovery Across Platforms T1049
DET0571 Detection of System Process Creation or Modification Across Platforms T1543
DET0483 Detection of System Service Discovery Commands Across OS Platforms T1007
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0458 Detection of Trust Relationship Modifications in Domain or Tenant Policies T1484.002
DET0607 Detection of Unix Shell T1623.001
DET0220 Detection of USB-Based Data Exfiltration T1052.001
DET0791 Detection of User Execution T0863
DET0560 Detection of Valid Account Abuse Across Platforms T1078
DET0027 Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets T1071.001
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0552 Detection of Windows Service Creation or Modification T1543.003
DET0345 Detection Strategy for Abuse Elevation Control Mechanism (T1548) T1548
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0373 Detection Strategy for Addition of Email Delegate Permissions T1098.002
DET0362 Detection Strategy for AppCert DLLs Persistence via Registry Injection T1546.009
DET0017 Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) T1546.011
DET0332 Detection Strategy for AutoHotKey & AutoIT Abuse T1059.010
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts T1037.004
DET0545 Detection Strategy for Cloud Administration Command T1651
DET0505 Detection Strategy for Command Obfuscation T1027.010
DET0501 Detection Strategy for Compile After Delivery - Source Code to Executable Transformation T1027.004
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0065 Detection Strategy for Container Administration Command Abuse T1609
DET0349 Detection Strategy for Content Injection T1659
DET0108 Detection Strategy for Data Encoding in C2 Channels T1132
DET0371 Detection Strategy for Debugger Evasion (T1622) T1622
DET0579 Detection Strategy for Device Driver Discovery T1652
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0366 Detection Strategy for Double File Extension Masquerading T1036.007
DET0091 Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups T1027.007
DET0039 Detection Strategy for Dynamic Resolution across OS Platforms T1568
DET0262 Detection Strategy for Dynamic Resolution through DNS Calculation T1568.003
DET0419 Detection Strategy for Dynamic Resolution using Domain Generation Algorithms. T1568.002
DET0485 Detection Strategy for Dynamic Resolution using Fast Flux DNS T1568.001
DET0192 Detection Strategy for Email Hiding Rules T1564.008
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0273 Detection Strategy for Encrypted Channel across OS Platforms T1573
DET0543 Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms T1573.002
DET0143 Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms T1573.001
DET0304 Detection Strategy for Endpoint DoS via Application or System Exploitation T1499.004
DET0219 Detection Strategy for Escape to Host T1611
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS T1546.014
DET0369 Detection Strategy for Event Triggered Execution via Trap (T1546.005) T1546.005
DET0557 Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) T1546.010
DET0015 Detection Strategy for Exclusive Control T1668
DET0348 Detection Strategy for Exfiltration Over C2 Channel T1041
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0153 Detection Strategy for Exfiltration Over Webhook T1567.004
DET0570 Detection Strategy for Exfiltration to Cloud Storage T1567.002
DET0318 Detection Strategy for Exfiltration to Code Repository T1567.001
DET0284 Detection Strategy for Exfiltration to Text Storage Sites T1567.003
DET0174 Detection Strategy for Exploitation for Credential Access T1212
DET0595 Detection Strategy for Exploitation for Defense Evasion T1211
DET0514 Detection Strategy for Exploitation for Privilege Escalation T1068
DET0217 Detection Strategy for Extra Window Memory (EWM) Injection on Windows T1055.011
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0495 Detection Strategy for Financial Theft T1657
DET0055 Detection strategy for Group Policy Discovery on Windows T1615
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0461 Detection Strategy for Hidden File System Abuse T1564.005
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0128 Detection Strategy for Hidden Windows T1564.003
DET0411 Detection Strategy for Hide Infrastructure T1665
DET0218 Detection Strategy for Hijack Execution Flow across OS platforms. T1574
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0427 Detection Strategy for Hijack Execution Flow through Service Registry Permission Weakness. T1574.011
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0517 Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. T1574.014
DET0577 Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. T1574.013
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness T1574.005
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. T1574.007
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking T1574.008
DET0479 Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. T1574.012
DET0435 Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking T1574.006
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop T1027.006
DET0422 Detection Strategy for IFEO Injection on Windows T1546.012
DET0067 Detection Strategy for Ignore Process Interrupts T1564.011
DET0317 Detection Strategy for Impair Defenses Across Platforms T1562
DET0563 Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms. T1562.003
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0568 Detection Strategy for Input Injection T1674
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns T1027.016
DET0450 Detection Strategy for Kernel Modules and Extensions Autostart Execution T1547.006
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS) T1543.004
DET0331 Detection Strategy for ListPlanting Injection on Windows T1055.015
DET0405 Detection Strategy for LNK Icon Smuggling T1027.012
DET0255 Detection Strategy for Log Enumeration T1654
DET0244 Detection Strategy for Login Hook Persistence on macOS T1037.002
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0443 Detection Strategy for Masquerading via Breaking Process Trees T1036.009
DET0226 Detection Strategy for Masquerading via File Type Modification T1036.008
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0246 Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying T1111
DET0575 Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) T1546.007
DET0314 Detection Strategy for Network Sniffing Across Platforms T1040
DET0227 Detection Strategy for Non-Standard Ports T1571
DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) T1564.004
DET0553 Detection Strategy for Obfuscated Files or Information: Binary Padding T1027.001
DET0070 Detection Strategy for Phishing across platforms. T1566
DET0109 Detection Strategy for Plist File Modification (T1647) T1647
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0417 Detection Strategy for Power Settings Abuse T1653
DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification T1546.013
DET0045 Detection Strategy for Process Argument Spoofing on Windows T1564.010
DET0544 Detection Strategy for Process Doppelgänging on Windows T1055.013
DET0382 Detection Strategy for Process Hollowing on Windows T1055.012
DET0538 Detection Strategy for Protocol Tunneling across OS platforms. T1572
DET0203 Detection Strategy for Ptrace-Based Process Injection on Linux T1055.008
DET0408 Detection Strategy for Reflection Amplification DoS (T1498.002) T1498.002
DET0300 Detection Strategy for Reflective Code Loading T1620
DET0574 Detection Strategy for Remote System Enumeration Behavior T1018
DET0584 Detection Strategy for Resource Forking on macOS T1564.009
DET0116 Detection Strategy for Safe Mode Boot Abuse T1562.009
DET0399 Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns T1029
DET0236 Detection Strategy for Spearphishing Attachment across OS Platforms T1566.001
DET0107 Detection Strategy for Spearphishing Links T1566.002
DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms T1566.003
DET0181 Detection Strategy for SQL Stored Procedures Abuse via T1505.001 T1505.001
DET0126 Detection Strategy for SSH Key Injection in Authorized Keys T1098.004
DET0256 Detection Strategy for SSH Session Hijacking T1563.001
DET0119 Detection Strategy for Steganographic Abuse in File & Script Execution T1027.003
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate. T1553.004
DET0510 Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior T1027.017
DET0282 Detection Strategy for System Binary Proxy Execution: Regsvr32 T1218.010
DET0565 Detection Strategy for System Language Discovery T1614.001
DET0043 Detection Strategy for System Location Discovery T1614
DET0279 Detection Strategy for System Services across OS platforms. T1569
DET0421 Detection Strategy for System Services Service Execution T1569.002
DET0265 Detection Strategy for System Services: Launchctl T1569.001
DET0073 Detection Strategy for System Services: Systemctl T1569.003
DET0583 Detection Strategy for T1136 - Create Account across platforms T1136
DET0475 Detection Strategy for T1218.011 Rundll32 Abuse T1218.011
DET0042 Detection Strategy for T1218.012 Verclsid Abuse T1218.012
DET0046 Detection Strategy for T1497 Virtualization/Sandbox Evasion T1497
DET0547 Detection Strategy for T1505 - Server Software Component T1505
DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) T1505.002
DET0068 Detection Strategy for T1505.004 - Malicious IIS Components T1505.004
DET0212 Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) T1505.005
DET0278 Detection Strategy for T1542 Pre-OS Boot T1542
DET0099 Detection Strategy for T1542.001 Pre-OS Boot: System Firmware T1542.001
DET0330 Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages T1546.016
DET0375 Detection Strategy for T1546.017 - Udev Rules (Linux) T1546.017
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0204 Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) T1547.010
DET0121 Detection Strategy for T1547.015 – Login Items on macOS T1547.015
DET0388 Detection Strategy for T1548.002 – Bypass User Account Control (UAC) T1548.002
DET0409 Detection Strategy for T1550.002 - Pass the Hash (Windows) T1550.002
DET0012 Detection Strategy for VBA Stomping T1564.007
DET0448 Detection Strategy for VDSO Hijacking on Linux T1055.014
DET0199 Detection Strategy for Virtual Machine Discovery T1673
DET0343 Direct Network Flood Detection across IaaS, Linux, Windows, and macOS T1498.001
DET0129 Domain Account Enumeration Across Platforms T1087.002
DET0196 Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers T1090.004
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0476 Email Collection via Local Email Access and Auto-Forwarding Behavior T1114
DET0576 Email Forwarding Rule Abuse Detection Across Platforms T1114.003
DET0087 Encrypted or Encoded File Payload Detection Strategy T1027.013
DET0356 Endpoint DoS via OS Exhaustion Flood Detection Strategy T1499.001
DET0208 Endpoint Resource Saturation and Crash Pattern Detection Across Platforms T1499
DET0229 Enumeration of Global Address Lists via Email Account Discovery T1087.003
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0474 Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy T1480.001
DET0080 Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress) T1190
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0118 Exploitation of Remote Services – multi-platform lateral movement detection T1210
DET0325 External Proxy Behavior via Outbound Relay to Intermediate Infrastructure T1090.002
DET0167 Firmware Modification via Flash Tool or Corrupted Firmware Upload T1495
DET0133 IDE Tunneling Detection via Process, File, and Network Behaviors T1219.001
DET0200 Indirect Command Execution – Windows utility abuse behavior chain T1202
DET0075 Internal Proxy Behavior via Lateral Host-to-Host C2 Relay T1090.001
DET0054 Internal Spearphishing via Trusted Accounts T1534
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context T1036.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018) T1546.018
DET0303 Local Account Enumeration Across Host Platforms T1087.001
DET0188 Local Storage Discovery via Drive Enumeration and Filesystem Probing T1680
DET0395 macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection T1548.004
DET0292 Masquerading via Space After Filename - Behavioral Detection Strategy T1036.006
DET0285 Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution T1021.003
DET0530 Multi-Event Detection for SMB Admin Share Lateral Movement T1021.002
DET0327 Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity T1021.001
DET0359 Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling T1090.003
DET0540 Multi-Platform Behavioral Detection for Compute Hijacking T1496.001
DET0372 Multi-Platform Detection Strategy for T1678 - Delay Execution T1678
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0559 Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events T1529
DET0392 Multi-Platform Software Discovery Behavior Chain T1518
DET0023 Obfuscated Binary Unpacking Detection via Behavioral Patterns T1027.002
DET0161 Password Policy Discovery – cross-platform behavior-chain analytics T1201
DET0491 Peripheral Device Enumeration via System Utilities and API Calls T1120
DET0302 Port-knock → rule/daemon change → first successful connect (T1205.001) T1205.001
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts T1083
DET0542 Registry and LSASS Monitoring for Security Support Provider Abuse T1547.005
DET0259 Remote Desktop Software Execution and Beaconing Detection T1219.002
DET0301 Removable Media Execution Chain Detection via File and Process Activity T1091
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0267 Resource Hijacking Detection Strategy T1496
DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context T1036.002
DET0016 Security Software Discovery Across Platforms T1518.001
DET0110 Setuid/Setgid Privilege Abuse Detection (Linux/macOS) T1548.001
DET0162 Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) T1205.002
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006
DET0525 System Discovery via Native and Remote Utilities T1082
DET0447 T1136.001 Detection Strategy - Local Account Creation Across Platforms T1136.001
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms T1136.002
DET0534 TCC Database Manipulation via Launchctl and Unprotected SIP T1548.006
DET0566 Template Injection Detection - Windows T1221
DET0524 Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205 T1205
DET0351 Unix-like File Permission Manipulation Behavioral Chain Detection Strategy T1222.002
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 T1204.004
DET0294 User Execution – Malicious File via download/open → spawn chain (T1204.002) T1204.002
DET0248 User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) T1204.003
DET0066 User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) T1204.001
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005
DET0168 Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS T1497.001
DET0394 Web Shell Detection via Server Behavior and File Execution Chains T1505.003
DET0481 Windows COM Hijacking Detection via Registry and DLL Load Correlation T1546.015
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001