|
DET0210
|
Abuse of Domain Accounts
|
Enterprise
|
|
DET0413
|
Abuse of Information Repositories for Data Collection
|
Enterprise
|
|
DET0455
|
Abuse of PowerShell for Arbitrary Execution
|
Enterprise
|
|
DET0120
|
Account Access Removal via Multi-Platform Audit Correlation
|
Enterprise
|
|
DET0096
|
Account Manipulation Behavior Chain Detection
|
Enterprise
|
|
DET0415
|
Application Exhaustion Flood Detection Across Platforms
|
Enterprise
|
|
DET0397
|
Automated Exfiltration Detection Strategy
|
Enterprise
|
|
DET0186
|
Automated File and API Collection Detection Across Platforms
|
Enterprise
|
|
DET0088
|
Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)
|
Enterprise
|
|
DET0280
|
Behavior-Based Registry Modification Detection on Windows
|
Enterprise
|
|
DET0496
|
Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)
|
Enterprise
|
|
DET0124
|
Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi
|
Enterprise
|
|
DET0326
|
Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi
|
Enterprise
|
|
DET0354
|
Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers
|
Enterprise
|
|
DET0283
|
Behavior-chain detection for T1134 Access Token Manipulation on Windows
|
Enterprise
|
|
DET0482
|
Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows
|
Enterprise
|
|
DET0456
|
Behavior-chain detection for T1134.002 Create Process with Token (Windows)
|
Enterprise
|
|
DET0489
|
Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)
|
Enterprise
|
|
DET0136
|
Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)
|
Enterprise
|
|
DET0182
|
Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS
|
Enterprise
|
|
DET0249
|
Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes
|
Enterprise
|
|
DET0556
|
Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)
|
Enterprise
|
|
DET0191
|
Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)
|
Enterprise
|
|
DET0585
|
Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)
|
Enterprise
|
|
DET0151
|
Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery
|
Enterprise
|
|
DET0197
|
Behavior-chain, platform-aware detection strategy for T1125 Video Capture
|
Enterprise
|
|
DET0172
|
Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)
|
Enterprise
|
|
DET0018
|
Behavior-chain, platform-aware detection strategy for T1129 Shared Modules
|
Enterprise
|
|
DET0021
|
Behavioral Detection for Service Stop across Platforms
|
Enterprise
|
|
DET0537
|
Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run)
|
Enterprise
|
|
DET0329
|
Behavioral Detection for T1490 - Inhibit System Recovery
|
Enterprise
|
|
DET0100
|
Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing
|
Enterprise
|
|
DET0142
|
Behavioral Detection of CLI Abuse on Network Devices
|
Enterprise
|
|
DET0251
|
Behavioral Detection of Cloud Group Enumeration via API and CLI Access
|
Enterprise
|
|
DET0516
|
Behavioral Detection of Command and Scripting Interpreter Abuse
|
Enterprise
|
|
DET0165
|
Behavioral Detection of Command History Clearing
|
Enterprise
|
|
DET0389
|
Behavioral Detection of DLL Injection via Windows API
|
Enterprise
|
|
DET0400
|
Behavioral Detection of DNS Tunneling and Application Layer Abuse
|
Enterprise
|
|
DET0360
|
Behavioral Detection of Domain Group Discovery
|
Enterprise
|
|
DET0010
|
Behavioral Detection of Event Triggered Execution Across Platforms
|
Enterprise
|
|
DET0590
|
Behavioral Detection of External Website Defacement across Platforms
|
Enterprise
|
|
DET0499
|
Behavioral Detection of Fallback or Alternate C2 Channels
|
Enterprise
|
|
DET0184
|
Behavioral Detection of Indicator Removal Across Platforms
|
Enterprise
|
|
DET0102
|
Behavioral Detection of Input Capture Across Platforms
|
Enterprise
|
|
DET0357
|
Behavioral Detection of Internet Connection Discovery
|
Enterprise
|
|
DET0089
|
Behavioral Detection of Keylogging Activity Across Platforms
|
Enterprise
|
|
DET0114
|
Behavioral Detection of Local Group Enumeration Across OS Platforms
|
Enterprise
|
|
DET0520
|
Behavioral Detection of Log File Clearing on Linux and macOS
|
Enterprise
|
|
DET0266
|
Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics
|
Enterprise
|
|
DET0078
|
Behavioral Detection of Malicious Cloud API Scripting
|
Enterprise
|
|
DET0140
|
Behavioral Detection of Malicious File Deletion
|
Enterprise
|
|
DET0127
|
Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy
|
Enterprise
|
|
DET0529
|
Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls
|
Enterprise
|
|
DET0049
|
Behavioral Detection of Network History and Configuration Tampering
|
Enterprise
|
|
DET0103
|
Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects
|
Enterprise
|
|
DET0378
|
Behavioral Detection of Obfuscated Files or Information
|
Enterprise
|
|
DET0106
|
Behavioral Detection of PE Injection via Remote Memory Mapping
|
Enterprise
|
|
DET0179
|
Behavioral Detection of Permission Groups Discovery
|
Enterprise
|
|
DET0508
|
Behavioral Detection of Process Injection Across Platforms
|
Enterprise
|
|
DET0002
|
Behavioral Detection of Publish/Subscribe Protocol Misuse for C2
|
Enterprise
|
|
DET0008
|
Behavioral Detection of Remote Cloud Logins via Valid Accounts
|
Enterprise
|
|
DET0596
|
Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution
|
Enterprise
|
|
DET0521
|
Behavioral Detection of Spoofed GUI Credential Prompts
|
Enterprise
|
|
DET0195
|
Behavioral Detection of System Network Configuration Discovery
|
Enterprise
|
|
DET0231
|
Behavioral Detection of Systemd Timer Abuse for Scheduled Execution
|
Enterprise
|
|
DET0518
|
Behavioral Detection of T1498 – Network Denial of Service Across Platforms
|
Enterprise
|
|
DET0295
|
Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching
|
Enterprise
|
|
DET0178
|
Behavioral Detection of Unauthorized VNC Remote Control Sessions
|
Enterprise
|
|
DET0384
|
Behavioral Detection of Unix Shell Execution
|
Enterprise
|
|
DET0093
|
Behavioral Detection of User Discovery via Local and Remote Enumeration
|
Enterprise
|
|
DET0076
|
Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)
|
Enterprise
|
|
DET0464
|
Behavioral Detection of Wi-Fi Discovery Activity
|
Enterprise
|
|
DET0202
|
Behavioral Detection of Windows Command Shell Execution
|
Enterprise
|
|
DET0477
|
Behavioral Detection of WinRM-Based Remote Access
|
Enterprise
|
|
DET0052
|
Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching
|
Enterprise
|
|
DET0131
|
Behavioral Detection Strategy for Exfiltration Over Alternative Protocol
|
Enterprise
|
|
DET0503
|
Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol
|
Enterprise
|
|
DET0376
|
Behavioral Detection Strategy for Network Service Discovery Across Platforms
|
Enterprise
|
|
DET0269
|
Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity
|
Enterprise
|
|
DET0221
|
Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS
|
Enterprise
|
|
DET0338
|
Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)
|
Enterprise
|
|
DET0185
|
Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)
|
Enterprise
|
|
DET0364
|
Behavioral Detection Strategy for WMI Execution Abuse on Windows
|
Enterprise
|
|
DET0498
|
Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows)
|
Enterprise
|
|
DET0274
|
Boot or Logon Autostart Execution Detection Strategy
|
Enterprise
|
|
DET0112
|
Boot or Logon Initialization Scripts Detection Strategy
|
Enterprise
|
|
DET0463
|
Brute Force Authentication Failures with Multi-Platform Log Correlation
|
Enterprise
|
|
DET0341
|
Clipboard Data Access with Anomalous Context
|
Enterprise
|
|
DET0386
|
Cloud Account Enumeration via API, CLI, and Scripting Interfaces
|
Enterprise
|
|
DET0309
|
Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)
|
Enterprise
|
|
DET0083
|
Container CLI and API Abuse via Docker/Kubernetes (T1059.013)
|
Enterprise
|
|
DET0446
|
Credential Access via /etc/passwd and /etc/shadow Parsing
|
Enterprise
|
|
DET0085
|
Credential Dumping from SAM via Registry Dump and Local File Access
|
Enterprise
|
|
DET0234
|
Credential Dumping via Sensitive Memory and Registry Access Correlation
|
Enterprise
|
|
DET0460
|
Credential Stuffing Detection via Reused Breached Credentials Across Services
|
Enterprise
|
|
DET0090
|
Cross-host C2 via Removable Media Relay
|
Enterprise
|
|
DET0591
|
Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering
|
Enterprise
|
|
DET0063
|
Cross-Platform Behavioral Detection of Python Execution
|
Enterprise
|
|
DET0094
|
Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse
|
Enterprise
|
|
DET0290
|
Cross-Platform Detection of Cron Job Abuse for Persistence and Execution
|
Enterprise
|
|
DET0573
|
Cross-Platform Detection of Data Transfer to Cloud Account
|
Enterprise
|
|
DET0264
|
Cross-Platform Detection of JavaScript Execution Abuse
|
Enterprise
|
|
DET0333
|
Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility
|
Enterprise
|
|
DET0238
|
Defacement via File and Web Content Modification Across Platforms
|
Enterprise
|
|
DET0224
|
Detect Abuse of Component Object Model (T1559.001)
|
Enterprise
|
|
DET0198
|
Detect Abuse of Container APIs for Credential Access
|
Enterprise
|
|
DET0504
|
Detect Abuse of Dynamic Data Exchange (T1559.002)
|
Enterprise
|
|
DET0493
|
Detect Abuse of Inter-Process Communication (T1559)
|
Enterprise
|
|
DET0488
|
Detect abuse of Trusted Relationships (third-party and delegated admin access)
|
Enterprise
|
|
DET0535
|
Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access
|
Enterprise
|
|
DET0098
|
Detect abuse of Windows BITS Jobs for download, execution and persistence
|
Enterprise
|
|
DET0122
|
Detect Abuse of Windows Time Providers for Persistence
|
Enterprise
|
|
DET0335
|
Detect Abuse of XPC Services (T1559.003)
|
Enterprise
|
|
DET0381
|
Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL
|
Enterprise
|
|
DET0385
|
Detect Access and Parsing of .bash_history Files for Credential Harvesting
|
Enterprise
|
|
DET0412
|
Detect Access or Search for Unsecured Credentials Across Platforms
|
Enterprise
|
|
DET0001
|
Detect Access to Cloud Instance Metadata API (IaaS)
|
Enterprise
|
|
DET0396
|
Detect Access to macOS Keychain for Credential Theft
|
Enterprise
|
|
DET0307
|
Detect Access to Unsecured Credential Files Across Platforms
|
Enterprise
|
|
DET0312
|
Detect Active Setup Persistence via StubPath Execution
|
Enterprise
|
|
DET0275
|
Detect Adversary Deobfuscation or Decoding of Files and Payloads
|
Enterprise
|
|
DET0296
|
Detect Adversary-in-the-Middle via Network and Configuration Anomalies
|
Enterprise
|
|
DET0526
|
Detect Archiving and Encryption of Collected Data (T1560)
|
Enterprise
|
|
DET0438
|
Detect Archiving via Custom Method (T1560.003)
|
Enterprise
|
|
DET0268
|
Detect Archiving via Library (T1560.002)
|
Enterprise
|
|
DET0298
|
Detect Archiving via Utility (T1560.001)
|
Enterprise
|
|
DET0387
|
Detect ARP Cache Poisoning Across Linux, Windows, and macOS
|
Enterprise
|
|
DET0113
|
Detect AS-REP Roasting Attempts (T1558.004)
|
Enterprise
|
|
DET0035
|
Detect Bidirectional Web Service C2 Channels via Process & Network Correlation
|
Enterprise
|
|
DET0507
|
Detect browser session hijacking via privilege, handle access, and remote thread into browsers
|
Enterprise
|
|
DET0523
|
Detect Code Signing Policy Modification (Windows & macOS)
|
Enterprise
|
|
DET0336
|
Detect Compromise of Host Software Binaries
|
Enterprise
|
|
DET0030
|
Detect Conditional Access Policy Modification in Identity and Cloud Platforms
|
Enterprise
|
|
DET0250
|
Detect Credential Discovery via Windows Registry Enumeration
|
Enterprise
|
|
DET0430
|
Detect Credentials Access from Password Stores
|
Enterprise
|
|
DET0061
|
Detect Default File Association Hijack via Registry & Execution Correlation on Windows
|
Enterprise
|
|
DET0468
|
Detect DHCP Spoofing Across Linux, Windows, and macOS
|
Enterprise
|
|
DET0187
|
Detect disabled Windows event logging
|
Enterprise
|
|
DET0271
|
Detect Domain Controller Authentication Process Modification (Skeleton Key)
|
Enterprise
|
|
DET0379
|
Detect Evil Twin Wi-Fi Access Points on Network Devices
|
Enterprise
|
|
DET0028
|
Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes
|
Enterprise
|
|
DET0022
|
Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM
|
Enterprise
|
|
DET0144
|
Detect Forged Kerberos Golden Tickets (T1558.001)
|
Enterprise
|
|
DET0241
|
Detect Forged Kerberos Silver Tickets (T1558.002)
|
Enterprise
|
|
DET0288
|
Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation
|
Enterprise
|
|
DET0293
|
Detect Hybrid Identity Authentication Process Modification
|
Enterprise
|
|
DET0060
|
Detect Ingress Tool Transfers via Behavioral Chain
|
Enterprise
|
|
DET0157
|
Detect Kerberoasting Attempts (T1558.003)
|
Enterprise
|
|
DET0024
|
Detect Kerberos Ccache File Theft or Abuse (T1558.005)
|
Enterprise
|
|
DET0522
|
Detect Kerberos Ticket Theft or Forgery (T1558)
|
Enterprise
|
|
DET0462
|
Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows
|
Enterprise
|
|
DET0047
|
Detect Local Email Collection via Outlook Data File Access and Command Line Tooling
|
Enterprise
|
|
DET0072
|
Detect Logon Script Modifications and Execution
|
Enterprise
|
|
DET0207
|
Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load
|
Enterprise
|
|
DET0561
|
Detect malicious IDE extension install/usage and IDE tunneling
|
Enterprise
|
|
DET0454
|
Detect Malicious Modification of Pluggable Authentication Modules (PAM)
|
Enterprise
|
|
DET0472
|
Detect Malicious Password Filter DLL Registration
|
Enterprise
|
|
DET0257
|
Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files
|
Enterprise
|
|
DET0190
|
Detect MFA Modification or Disabling Across Platforms
|
Enterprise
|
|
DET0589
|
Detect Modification of Authentication Process via Reversible Encryption
|
Enterprise
|
|
DET0104
|
Detect Modification of Authentication Processes Across Platforms
|
Enterprise
|
|
DET0429
|
Detect Modification of macOS Startup Items
|
Enterprise
|
|
DET0272
|
Detect Modification of Network Device Authentication via Patched System Images
|
Enterprise
|
|
DET0228
|
Detect Multi-Stage Command and Control Channels
|
Enterprise
|
|
DET0367
|
Detect Network Logon Script Abuse via Multi-Event Correlation on Windows
|
Enterprise
|
|
DET0580
|
Detect Network Provider DLL Registration and Credential Capture
|
Enterprise
|
|
DET0053
|
Detect Obfuscated C2 via Network Traffic Analysis
|
Enterprise
|
|
DET0398
|
Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks
|
Enterprise
|
|
DET0581
|
Detect One-Way Web Service Command Channels
|
Enterprise
|
|
DET0050
|
Detect Persistence via Malicious Office Add-ins
|
Enterprise
|
|
DET0095
|
Detect Persistence via Malicious Outlook Rules
|
Enterprise
|
|
DET0519
|
Detect Persistence via Office Template Macro Injection or Registry Hijack
|
Enterprise
|
|
DET0315
|
Detect Persistence via Office Test Registry DLL Injection
|
Enterprise
|
|
DET0029
|
Detect Persistence via Outlook Custom Forms Triggered by Malicious Email
|
Enterprise
|
|
DET0177
|
Detect Persistence via Outlook Home Page Exploitation
|
Enterprise
|
|
DET0125
|
Detect persistence via reopened application plist modification (macOS)
|
Enterprise
|
|
DET0473
|
Detect persistent or elevated container services via container runtime or cluster manipulation
|
Enterprise
|
|
DET0365
|
Detect Registry and Startup Folder Persistence (Windows)
|
Enterprise
|
|
DET0159
|
Detect Remote Access via USB Hardware (TinyPilot, PiKVM)
|
Enterprise
|
|
DET0048
|
Detect Remote Email Collection via Abnormal Login and Programmatic Access
|
Enterprise
|
|
DET0346
|
Detect Screen Capture via Commands and API Calls
|
Enterprise
|
|
DET0154
|
Detect Screensaver-Based Persistence via Registry and Execution Chains
|
Enterprise
|
|
DET0020
|
Detect Shell Configuration Modification for Persistence via Event-Triggered Execution
|
Enterprise
|
|
DET0452
|
Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation
|
Enterprise
|
|
DET0037
|
Detect Suspicious Access to Browser Credential Stores
|
Enterprise
|
|
DET0549
|
Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms
|
Enterprise
|
|
DET0057
|
Detect Suspicious Access to securityd Memory for Credential Extraction
|
Enterprise
|
|
DET0134
|
Detect Suspicious Access to Windows Credential Manager
|
Enterprise
|
|
DET0230
|
Detect Suspicious or Malicious Code Signing Abuse
|
Enterprise
|
|
DET0141
|
Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution
|
Enterprise
|
|
DET0130
|
Detect Unauthorized Access to Cloud Secrets Management Stores
|
Enterprise
|
|
DET0597
|
Detect Unauthorized Access to Password Managers
|
Enterprise
|
|
DET0225
|
Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)
|
Enterprise
|
|
DET0069
|
Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)
|
Enterprise
|
|
DET0111
|
Detect Unsecured Credentials Shared in Chat Messages
|
Enterprise
|
|
DET0074
|
Detect Use of Stolen Web Session Cookies Across Platforms
|
Enterprise
|
|
DET0420
|
Detect User Activity Based Sandbox Evasion via Input & Artifact Probing
|
Enterprise
|
|
DET0404
|
Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows
|
Enterprise
|
|
DET0086
|
Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation
|
Enterprise
|
|
DET0205
|
Detect XSL Script Abuse via msxsl and wmic
|
Enterprise
|
|
DET0361
|
Detecting .NET COM Registration Abuse via Regsvcs/Regasm
|
Enterprise
|
|
DET0500
|
Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users
|
Enterprise
|
|
DET0263
|
Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms
|
Enterprise
|
|
DET0433
|
Detecting Code Injection via mavinject.exe (App-V Injector)
|
Enterprise
|
|
DET0350
|
Detecting Downgrade Attacks
|
Enterprise
|
|
DET0025
|
Detecting Electron Application Abuse for Proxy Execution
|
Enterprise
|
|
DET0011
|
Detecting Junk Data in C2 Channels via Behavioral Analysis
|
Enterprise
|
|
DET0044
|
Detecting Malicious Browser Extensions Across Platforms
|
Enterprise
|
|
DET0222
|
Detecting MMC (.msc) Proxy Execution and Malicious COM Activation
|
Enterprise
|
|
DET0506
|
Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation
|
Enterprise
|
|
DET0486
|
Detecting Odbcconf Proxy Execution of Malicious DLLs
|
Enterprise
|
|
DET0593
|
Detecting OS Credential Dumping via /proc Filesystem Access on Linux
|
Enterprise
|
|
DET0440
|
Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse
|
Enterprise
|
|
DET0470
|
Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation
|
Enterprise
|
|
DET0528
|
Detecting Remote Script Proxy Execution via PubPrn.vbs
|
Enterprise
|
|
DET0235
|
Detecting Steganographic Command and Control via File + Network Correlation
|
Enterprise
|
|
DET0550
|
Detecting Suspicious Access to CRM Data in SaaS Environments
|
Enterprise
|
|
DET0567
|
Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments
|
Enterprise
|
|
DET0588
|
Detection fo Remote Service Session Hijacking for RDP.
|
Enterprise
|
|
DET0311
|
Detection for Spoofing Security Alerting across OS Platforms
|
Enterprise
|
|
DET0697
|
Detection of Abuse Accessibility Features
|
Mobile
|
|
DET0642
|
Detection of Abuse Elevation Control Mechanism
|
Mobile
|
|
DET0546
|
Detection of Abused or Compromised Cloud Accounts for Access and Persistence
|
Enterprise
|
|
DET0611
|
Detection of Access Notifications
|
Mobile
|
|
DET0605
|
Detection of Account Access Removal
|
Mobile
|
|
DET0635
|
Detection of Accounts
|
Mobile
|
|
DET0884
|
Detection of Acquire Access
|
Enterprise
|
|
DET0895
|
Detection of Acquire Infrastructure
|
Enterprise
|
|
DET0802
|
Detection of Activate Firmware Update Mode
|
ICS
|
|
DET0830
|
Detection of Active Scanning
|
Enterprise
|
|
DET0034
|
Detection of Adversarial Process Discovery Behavior
|
Enterprise
|
|
DET0223
|
Detection of Adversary Abuse of Software Deployment Tools
|
Enterprise
|
|
DET0247
|
Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)
|
Enterprise
|
|
DET0623
|
Detection of Adversary-in-the-Middle
|
Mobile
|
|
DET0764
|
Detection of Adversary-in-the-Middle
|
ICS
|
|
DET0728
|
Detection of Alarm Suppression
|
ICS
|
|
DET0414
|
Detection of AppleScript-Based Execution on macOS
|
Enterprise
|
|
DET0685
|
Detection of Application Layer Protocol
|
Mobile
|
|
DET0652
|
Detection of Application Versioning
|
Mobile
|
|
DET0097
|
Detection of Application Window Enumeration via API or Scripting
|
Enterprise
|
|
DET0670
|
Detection of Archive Collected Data
|
Mobile
|
|
DET0842
|
Detection of Artificial Intelligence
|
Enterprise
|
|
DET0667
|
Detection of Asymmetric Cryptography
|
Mobile
|
|
DET0673
|
Detection of Audio Capture
|
Mobile
|
|
DET0734
|
Detection of Automated Collection
|
ICS
|
|
DET0748
|
Detection of Autorun Image
|
ICS
|
|
DET0700
|
Detection of Bidirectional Communication
|
Mobile
|
|
DET0784
|
Detection of Block Command Message
|
ICS
|
|
DET0789
|
Detection of Block Reporting Message
|
ICS
|
|
DET0797
|
Detection of Block Serial COM
|
ICS
|
|
DET0554
|
Detection of Bluetooth-Based Data Exfiltration
|
Enterprise
|
|
DET0654
|
Detection of Boot or Logon Initialization Scripts
|
Mobile
|
|
DET0883
|
Detection of Botnet
|
Enterprise
|
|
DET0837
|
Detection of Botnet
|
Enterprise
|
|
DET0711
|
Detection of Broadcast Receivers
|
Mobile
|
|
DET0737
|
Detection of Brute Force I/O
|
ICS
|
|
DET0855
|
Detection of Business Relationships
|
Enterprise
|
|
DET0513
|
Detection of Cached Domain Credential Dumping via Local Hash Cache Access
|
Enterprise
|
|
DET0674
|
Detection of Calendar Entries
|
Mobile
|
|
DET0703
|
Detection of Call Control
|
Mobile
|
|
DET0602
|
Detection of Call Log
|
Mobile
|
|
DET0809
|
Detection of CDNs
|
Enterprise
|
|
DET0771
|
Detection of Change Credential
|
ICS
|
|
DET0755
|
Detection of Change Operating Mode
|
ICS
|
|
DET0820
|
Detection of Client Configurations
|
Enterprise
|
|
DET0643
|
Detection of Clipboard Data
|
Mobile
|
|
DET0879
|
Detection of Cloud Accounts
|
Enterprise
|
|
DET0846
|
Detection of Cloud Accounts
|
Enterprise
|
|
DET0291
|
Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access
|
Enterprise
|
|
DET0805
|
Detection of Code Repositories
|
Enterprise
|
|
DET0833
|
Detection of Code Signing Certificates
|
Enterprise
|
|
DET0875
|
Detection of Code Signing Certificates
|
Enterprise
|
|
DET0619
|
Detection of Code Signing Policy Modification
|
Mobile
|
|
DET0444
|
Detection of Command and Control Over Application Layer Protocols
|
Enterprise
|
|
DET0655
|
Detection of Command and Scripting Interpreter
|
Mobile
|
|
DET0760
|
Detection of Command-Line Interface
|
ICS
|
|
DET0736
|
Detection of Commonly Used Port
|
ICS
|
|
DET0876
|
Detection of Compromise Accounts
|
Enterprise
|
|
DET0649
|
Detection of Compromise Application Executable
|
Mobile
|
|
DET0712
|
Detection of Compromise Client Software Binary
|
Mobile
|
|
DET0604
|
Detection of Compromise Hardware Supply Chain
|
Mobile
|
|
DET0885
|
Detection of Compromise Infrastructure
|
Enterprise
|
|
DET0704
|
Detection of Compromise Software Dependencies and Development Tools
|
Mobile
|
|
DET0721
|
Detection of Compromise Software Supply Chain
|
Mobile
|
|
DET0659
|
Detection of Conceal Multimedia Files
|
Mobile
|
|
DET0759
|
Detection of Connection Proxy
|
ICS
|
|
DET0679
|
Detection of Contact List
|
Mobile
|
|
DET0363
|
Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence
|
Enterprise
|
|
DET0139
|
Detection of Credential Harvesting via API Hooking
|
Enterprise
|
|
DET0480
|
Detection of Credential Harvesting via Web Portal Modification
|
Enterprise
|
|
DET0813
|
Detection of Credentials
|
Enterprise
|
|
DET0633
|
Detection of Credentials from Password Store
|
Mobile
|
|
DET0762
|
Detection of Damage to Property
|
ICS
|
|
DET0511
|
Detection of Data Access and Collection from Removable Media
|
Enterprise
|
|
DET0671
|
Detection of Data Destruction
|
Mobile
|
|
DET0758
|
Detection of Data Destruction
|
ICS
|
|
DET0146
|
Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns
|
Enterprise
|
|
DET0678
|
Detection of Data Encrypted for Impact
|
Mobile
|
|
DET0123
|
Detection of Data Exfiltration via Removable Media
|
Enterprise
|
|
DET0754
|
Detection of Data from Information Repositories
|
ICS
|
|
DET0713
|
Detection of Data from Local System
|
Mobile
|
|
DET0749
|
Detection of Data from Local System
|
ICS
|
|
DET0660
|
Detection of Data Manipulation
|
Mobile
|
|
DET0014
|
Detection of Data Staging Prior to Exfiltration
|
Enterprise
|
|
DET0617
|
Detection of Dead Drop Resolver
|
Mobile
|
|
DET0465
|
Detection of Default Account Abuse Across Platforms
|
Enterprise
|
|
DET0756
|
Detection of Default Credentials
|
ICS
|
|
DET0786
|
Detection of Denial of Control
|
ICS
|
|
DET0723
|
Detection of Denial of Service
|
ICS
|
|
DET0769
|
Detection of Denial of View
|
ICS
|
|
DET0768
|
Detection of Detect Operating Mode
|
ICS
|
|
DET0806
|
Detection of Determine Physical Locations
|
Enterprise
|
|
DET0853
|
Detection of Develop Capabilities
|
Enterprise
|
|
DET0630
|
Detection of Device Administrator Permissions
|
Mobile
|
|
DET0603
|
Detection of Device Lockout
|
Mobile
|
|
DET0801
|
Detection of Device Restart/Shutdown
|
ICS
|
|
DET0831
|
Detection of Digital Certificates
|
Enterprise
|
|
DET0844
|
Detection of Digital Certificates
|
Enterprise
|
|
DET0848
|
Detection of Digital Certificates
|
Enterprise
|
|
DET0211
|
Detection of Direct VM Console Access via Cloud-Native Methods
|
Enterprise
|
|
DET0426
|
Detection of Direct Volume Access for File System Evasion
|
Enterprise
|
|
DET0693
|
Detection of Disable or Modify Tools
|
Mobile
|
|
DET0145
|
Detection of Disabled or Modified System Firewalls across OS Platforms.
|
Enterprise
|
|
DET0710
|
Detection of Disguise Root/Jailbreak Indicators
|
Mobile
|
|
DET0843
|
Detection of DNS
|
Enterprise
|
|
DET0862
|
Detection of DNS Server
|
Enterprise
|
|
DET0891
|
Detection of DNS Server
|
Enterprise
|
|
DET0877
|
Detection of DNS/Passive DNS
|
Enterprise
|
|
DET0669
|
Detection of Domain Generation Algorithms
|
Mobile
|
|
DET0270
|
Detection of Domain or Tenant Policy Modifications via AD and Identity Provider
|
Enterprise
|
|
DET0847
|
Detection of Domain Properties
|
Enterprise
|
|
DET0007
|
Detection of Domain Trust Discovery via API, Script, and CLI Enumeration
|
Enterprise
|
|
DET0863
|
Detection of Domains
|
Enterprise
|
|
DET0892
|
Detection of Domains
|
Enterprise
|
|
DET0618
|
Detection of Download New Code at Runtime
|
Mobile
|
|
DET0614
|
Detection of Drive-By Compromise
|
Mobile
|
|
DET0782
|
Detection of Drive-by Compromise
|
ICS
|
|
DET0825
|
Detection of Drive-by Target
|
Enterprise
|
|
DET0613
|
Detection of Dynamic Resolution
|
Mobile
|
|
DET0861
|
Detection of Email Accounts
|
Enterprise
|
|
DET0835
|
Detection of Email Accounts
|
Enterprise
|
|
DET0814
|
Detection of Email Addresses
|
Enterprise
|
|
DET0857
|
Detection of Employee Names
|
Enterprise
|
|
DET0641
|
Detection of Encrypted Channel
|
Mobile
|
|
DET0627
|
Detection of Endpoint Denial of Service
|
Mobile
|
|
DET0873
|
Detection of Establish Accounts
|
Enterprise
|
|
DET0532
|
Detection of Event Log Clearing on Windows via Behavioral Chain
|
Enterprise
|
|
DET0647
|
Detection of Event Triggered Execution
|
Mobile
|
|
DET0653
|
Detection of Execution Guardrails
|
Mobile
|
|
DET0742
|
Detection of Execution through API
|
ICS
|
|
DET0077
|
Detection of Exfiltration Over Alternate Network Interfaces
|
Enterprise
|
|
DET0698
|
Detection of Exfiltration Over Alternative Protocol
|
Mobile
|
|
DET0512
|
Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
|
Enterprise
|
|
DET0615
|
Detection of Exfiltration Over C2 Channel
|
Mobile
|
|
DET0149
|
Detection of Exfiltration Over Unencrypted Non-C2 Protocol
|
Enterprise
|
|
DET0701
|
Detection of Exfiltration Over Unencrypted Non-C2 Protocol
|
Mobile
|
|
DET0740
|
Detection of Exploit Public-Facing Application
|
ICS
|
|
DET0629
|
Detection of Exploitation for Client Execution
|
Mobile
|
|
DET0795
|
Detection of Exploitation for Evasion
|
ICS
|
|
DET0666
|
Detection of Exploitation for Initial Access
|
Mobile
|
|
DET0665
|
Detection of Exploitation for Privilege Escalation
|
Mobile
|
|
DET0738
|
Detection of Exploitation for Privilege Escalation
|
ICS
|
|
DET0663
|
Detection of Exploitation of Remote Services
|
Mobile
|
|
DET0767
|
Detection of Exploitation of Remote Services
|
ICS
|
|
DET0827
|
Detection of Exploits
|
Enterprise
|
|
DET0894
|
Detection of Exploits
|
Enterprise
|
|
DET0803
|
Detection of External Remote Services
|
ICS
|
|
| ID | Name | Domain |
|---|---|---|
| DET0682 | Detection of File and Directory Discovery | Mobile |
| DET0638 | Detection of File Deletion | Mobile |
| DET0416 | Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP) | Enterprise |
| DET0818 | Detection of Firmware | Enterprise |
| DET0637 | Detection of Foreground Persistence | Mobile |
| DET0826 | Detection of Gather Victim Host Information | Enterprise |
| DET0841 | Detection of Gather Victim Identity Information | Enterprise |
| DET0869 | Detection of Gather Victim Network Information | Enterprise |
| DET0890 | Detection of Gather Victim Org Information | Enterprise |
| DET0608 | Detection of Generate Traffic from Victim | Mobile |
| DET0648 | Detection of Geofencing | Mobile |
| DET0772 | Detection of Graphical User Interface | ICS |
| DET0305 | Detection of Group Policy Modifications via AD Object Changes and File Activity | Enterprise |
| DET0676 | Detection of GUI Input Capture | Mobile |
| DET0798 | Detection of Hardcoded Credentials | ICS |
| DET0887 | Detection of Hardware | Enterprise |
| DET0640 | Detection of Hide Artifacts | Mobile |
| DET0694 | Detection of Hijack Execution Flow | Mobile |
| DET0719 | Detection of Hooking | Mobile |
| DET0722 | Detection of Hooking | ICS |
| DET0774 | Detection of I/O Image | ICS |
| DET0849 | Detection of Identify Business Tempo | Enterprise |
| DET0807 | Detection of Identify Roles | Enterprise |
| DET0687 | Detection of Impair Defenses | Mobile |
| DET0497 | Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. | Enterprise |
| DET0662 | Detection of Impersonate SS7 Nodes | Mobile |
| DET0651 | Detection of Indicator Removal on Host | Mobile |
| DET0750 | Detection of Indicator Removal on Host | ICS |
| DET0718 | Detection of Ingress Tool Transfer | Mobile |
| DET0705 | Detection of Input Capture | Mobile |
| DET0612 | Detection of Input Injection | Mobile |
| DET0840 | Detection of Install Digital Certificate | Enterprise |
| DET0796 | Detection of Internet Accessible Device | ICS |
| DET0708 | Detection of Internet Connection Discovery | Mobile |
| DET0815 | Detection of IP Addresses | Enterprise |
| DET0377 | Detection of Kernel/User-Level Rootkit Behavior Across Platforms | Enterprise |
| DET0664 | Detection of Keychain | Mobile |
| DET0661 | Detection of Keylogging | Mobile |
| DET0745 | Detection of Lateral Tool Transfer | ICS |
| DET0434 | Detection of Launch Agent Creation or Modification on macOS | Enterprise |
| DET0041 | Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage | Enterprise |
| DET0893 | Detection of Link Target | Enterprise |
| DET0716 | Detection of Linked Devices | Mobile |
| DET0407 | Detection of Local Account Abuse for Initial Access and Persistence | Enterprise |
| DET0013 | Detection of Local Browser Artifact Access for Reconnaissance | Enterprise |
| DET0380 | Detection of Local Data Collection Prior to Exfiltration | Enterprise |
| DET0261 | Detection of Local Data Staging Prior to Exfiltration | Enterprise |
| DET0675 | Detection of Location Tracking | Mobile |
| DET0645 | Detection of Lockscreen Bypass | Mobile |
| DET0729 | Detection of Loss of Availability | ICS |
| DET0778 | Detection of Loss of Control | ICS |
| DET0757 | Detection of Loss of Productivity and Revenue | ICS |
| DET0775 | Detection of Loss of Protection | ICS |
| DET0779 | Detection of Loss of Safety | ICS |
| DET0763 | Detection of Loss of View | ICS |
| DET0437 | Detection of LSA Secrets Dumping via Registry and Memory Extraction | Enterprise |
| DET0135 | Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3) | Enterprise |
| DET0138 | Detection of Malicious Code Execution via InstallUtil.exe | Enterprise |
| DET0194 | Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 | Enterprise |
| DET0206 | Detection of Malicious Kubernetes CronJob Scheduling | Enterprise |
| DET0092 | Detection of Malicious or Unauthorized Software Extensions | Enterprise |
| DET0328 | Detection of Malicious Profile Installation via CMSTP.exe | Enterprise |
| DET0836 | Detection of Malvertising | Enterprise |
| DET0872 | Detection of Malware | Enterprise |
| DET0845 | Detection of Malware | Enterprise |
| DET0439 | Detection of Malware Relocation via Suspicious File Movement | Enterprise |
| DET0773 | Detection of Manipulate I/O Image | ICS |
| DET0747 | Detection of Manipulation of Control | ICS |
| DET0785 | Detection of Manipulation of View | ICS |
| DET0117 | Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution | Enterprise |
| DET0715 | Detection of Masquerading | Mobile |
| DET0725 | Detection of Masquerading | ICS |
| DET0609 | Detection of Match Legitimate Name or Location | Mobile |
| DET0777 | Detection of Modify Alarm Settings | ICS |
| DET0741 | Detection of Modify Controller Tasking | ICS |
| DET0776 | Detection of Modify Parameter | ICS |
| DET0783 | Detection of Modify Program | ICS |
| DET0790 | Detection of Module Firmware | ICS |
| DET0727 | Detection of Monitor Process State | ICS |
| DET0158 | Detection of Msiexec Abuse for Local, Network, and DLL Execution | Enterprise |
| DET0215 | Detection of Multi-Platform File Encryption for Impact | Enterprise |
| DET0132 | Detection of Mutex-Based Execution Guardrails Across Platforms | Enterprise |
| DET0717 | Detection of Native API | Mobile |
| DET0753 | Detection of Native API | ICS |
| DET0770 | Detection of Network Connection Enumeration | ICS |
| DET0639 | Detection of Network Denial of Service | Mobile |
| DET0859 | Detection of Network Devices | Enterprise |
| DET0889 | Detection of Network Security Appliances | Enterprise |
| DET0696 | Detection of Network Service Scanning | Mobile |
| DET0800 | Detection of Network Sniffing | ICS |
| DET0819 | Detection of Network Topology | Enterprise |
| DET0828 | Detection of Network Trust Dependencies | Enterprise |
| DET0457 | Detection of Non-Application Layer Protocols for C2 | Enterprise |
| DET0706 | Detection of Non-Standard Port | Mobile |
| DET0586 | Detection of NTDS.dit Credential Dumping from Domain Controllers | Enterprise |
| DET0720 | Detection of Obfuscated Files or Information | Mobile |
| DET0850 | Detection of Obtain Capabilities | Enterprise |
| DET0610 | Detection of One-Way Communication | Mobile |
| DET0688 | Detection of Out of Band Data | Mobile |
| DET0040 | Detection of Persistence Artifact Removal Across Host Platforms | Enterprise |
| DET0684 | Detection of Phishing | Mobile |
| DET0823 | Detection of Phishing for Information | Enterprise |
| DET0788 | Detection of Point & Tag Identification | ICS |
| DET0598 | Detection of Prevent Application Removal | Mobile |
| DET0692 | Detection of Process Discovery | Mobile |
| DET0632 | Detection of Process Injection | Mobile |
| DET0752 | Detection of Program Download | ICS |
| DET0761 | Detection of Program Upload | ICS |
| DET0766 | Detection of Project File Infection | ICS |
| DET0681 | Detection of Protected User Data | Mobile |
| DET0081 | Detection of Proxy Execution via Trusted Signed Binaries Across Platforms | Enterprise |
| DET0445 | Detection of Proxy Infrastructure Setup and Traffic Bridging | Enterprise |
| DET0631 | Detection of Proxy Through Victim | Mobile |
| DET0622 | Detection of Ptrace System Calls | Mobile |
| DET0880 | Detection of Purchase Technical Data | Enterprise |
| DET0209 | Detection of Registry Query for Environmental Discovery | Enterprise |
| DET0624 | Detection of Remote Access Software | Mobile |
| DET0071 | Detection of Remote Data Staging Prior to Exfiltration | Enterprise |
| DET0702 | Detection of Remote Device Management Services | Mobile |
| DET0079 | Detection of Remote Service Session Hijacking | Enterprise |
| DET0804 | Detection of Remote Services | ICS |
| DET0739 | Detection of Remote System Discovery | ICS |
| DET0787 | Detection of Remote System Information Discovery | ICS |
| DET0691 | Detection of Replication Through Removable Media | Mobile |
| DET0733 | Detection of Replication Through Removable Media | ICS |
| DET0792 | Detection of Rogue Master | ICS |
| DET0780 | Detection of Rootkit | ICS |
| DET0858 | Detection of Scan Databases | Enterprise |
| DET0817 | Detection of Scanning IP Blocks | Enterprise |
| DET0707 | Detection of Scheduled Task/Job | Mobile |
| DET0668 | Detection of Screen Capture | Mobile |
| DET0751 | Detection of Screen Capture | ICS |
| DET0466 | Detection of Script-Based Proxy Execution via Signed Microsoft Utilities | Enterprise |
| DET0735 | Detection of Scripting | ICS |
| DET0822 | Detection of Search Closed Sources | Enterprise |
| DET0811 | Detection of Search Engines | Enterprise |
| DET0860 | Detection of Search Open Technical Databases | Enterprise |
| DET0856 | Detection of Search Open Websites/Domains | Enterprise |
| DET0866 | Detection of Search Threat Vendor Data | Enterprise |
| DET0810 | Detection of Search Victim-Owned Websites | Enterprise |
| DET0680 | Detection of Security Software Discovery | Mobile |
| DET0897 | Detection of Selective Exclusion | Enterprise |
| DET0881 | Detection of SEO Poisoning | Enterprise |
| DET0874 | Detection of Server | Enterprise |
| DET0871 | Detection of Server | Enterprise |
| DET0829 | Detection of Serverless | Enterprise |
| DET0864 | Detection of Serverless | Enterprise |
| DET0765 | Detection of Service Stop | ICS |
| DET0658 | Detection of SIM Card Swap | Mobile |
| DET0599 | Detection of SMS Control | Mobile |
| DET0686 | Detection of SMS Messages | Mobile |
| DET0812 | Detection of Social Media | Enterprise |
| DET0870 | Detection of Social Media Accounts | Enterprise |
| DET0851 | Detection of Social Media Accounts | Enterprise |
| DET0888 | Detection of Software | Enterprise |
| DET0600 | Detection of Software Discovery | Mobile |
| DET0644 | Detection of Software Packing | Mobile |
| DET0865 | Detection of Spearphishing Attachment | Enterprise |
| DET0781 | Detection of Spearphishing Attachment | ICS |
| DET0878 | Detection of Spearphishing Link | Enterprise |
| DET0821 | Detection of Spearphishing Service | Enterprise |
| DET0886 | Detection of Spearphishing Voice | Enterprise |
| DET0746 | Detection of Spoof Reporting Message | ICS |
| DET0898 | Detection of Spoofed User-Agent | Enterprise |
| DET0646 | Detection of SSL Pinning | Mobile |
| DET0839 | Detection of Stage Capabilities | Enterprise |
| DET0799 | Detection of Standard Application Layer Protocol | ICS |
| DET0656 | Detection of Steal Application Access Token | Mobile |
| DET0677 | Detection of Steganography | Mobile |
| DET0621 | Detection of Stored Application Data | Mobile |
| DET0657 | Detection of Subvert Trust Controls | Mobile |
| DET0628 | Detection of Supply Chain Compromise | Mobile |
| DET0730 | Detection of Supply Chain Compromise | ICS |
| DET0714 | Detection of Suppress Application Icon | Mobile |
| DET0342 | Detection of Suspicious Compiled HTML File Execution via hh.exe | Enterprise |
| DET0441 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | Enterprise |
| DET0650 | Detection of Symmetric Cryptography | Mobile |
| DET0793 | Detection of System Binary Proxy Execution | ICS |
| DET0625 | Detection of System Checks | Mobile |
| DET0731 | Detection of System Firmware | ICS |
| DET0601 | Detection of System Information Discovery | Mobile |
| DET0634 | Detection of System Network Configuration Discovery | Mobile |
| DET0636 | Detection of System Network Connections Discovery | Mobile |
| DET0320 | Detection of System Network Connections Discovery Across Platforms | Enterprise |
| DET0571 | Detection of System Process Creation or Modification Across Platforms | Enterprise |
| DET0689 | Detection of System Runtime API Hijacking | Mobile |
| DET0483 | Detection of System Service Discovery Commands Across OS Platforms | Enterprise |
| DET0253 | Detection of Systemd Service Creation or Modification on Linux | Enterprise |
| DET0471 | Detection of Tainted Content Written to Shared Storage | Enterprise |
| DET0732 | Detection of Theft of Operational Information | ICS |
| DET0816 | Detection of Threat Intel Vendors | Enterprise |
| DET0852 | Detection of Tool | Enterprise |
| DET0744 | Detection of Transient Cyber Asset | ICS |
| DET0683 | Detection of Transmitted Data Manipulation | Mobile |
| DET0458 | Detection of Trust Relationship Modifications in Domain or Tenant Policies | Enterprise |
| DET0794 | Detection of Unauthorized Command Message | ICS |
| DET0594 | Detection of Unauthorized DCSync Operations via Replication API Abuse | Enterprise |
| DET0690 | Detection of Uninstall Malicious Application | Mobile |
| DET0607 | Detection of Unix Shell | Mobile |
| DET0824 | Detection of Upload Malware | Enterprise |
| DET0834 | Detection of Upload Tool | Enterprise |
| DET0626 | Detection of URI Hijacking | Mobile |
| DET0220 | Detection of USB-Based Data Exfiltration | Enterprise |
| DET0699 | Detection of User Evasion | Mobile |
| DET0791 | Detection of User Execution | ICS |
| DET0560 | Detection of Valid Account Abuse Across Platforms | Enterprise |
| DET0724 | Detection of Valid Accounts | ICS |
| DET0695 | Detection of Video Capture | Mobile |
| DET0854 | Detection of Virtual Private Server | Enterprise |
| DET0838 | Detection of Virtual Private Server | Enterprise |
| DET0606 | Detection of Virtualization Solution | Mobile |
| DET0616 | Detection of Virtualization/Sandbox Evasion | Mobile |
| DET0808 | Detection of Vulnerabilities | Enterprise |
| DET0867 | Detection of Vulnerability Scanning | Enterprise |
| DET0027 | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets | Enterprise |
| DET0620 | Detection of Web Protocols | Mobile |
| DET0672 | Detection of Web Service | Mobile |
| DET0882 | Detection of Web Services | Enterprise |
| DET0896 | Detection of Web Services | Enterprise |
| DET0509 | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | Enterprise |
| DET0832 | Detection of WHOIS | Enterprise |
| DET0709 | Detection of Wi-Fi Discovery | Mobile |
| DET0552 | Detection of Windows Service Creation or Modification | Enterprise |
| DET0726 | Detection of Wireless Compromise | ICS |
| DET0743 | Detection of Wireless Sniffing | ICS |
| DET0868 | Detection of Wordlist Scanning | Enterprise |
| DET0541 | Detection Strategy for /proc Memory Injection on Linux | Enterprise |
| DET0345 | Detection Strategy for Abuse Elevation Control Mechanism (T1548) | Enterprise |
| DET0033 | Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification | Enterprise |
| DET0373 | Detection Strategy for Addition of Email Delegate Permissions | Enterprise |
| DET0531 | Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS | Enterprise |
| DET0362 | Detection Strategy for AppCert DLLs Persistence via Registry Injection | Enterprise |
| DET0017 | Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) | Enterprise |
| DET0332 | Detection Strategy for AutoHotKey & AutoIT Abuse | Enterprise |
| DET0428 | Detection Strategy for Bind Mounts on Linux | Enterprise |
| DET0237 | Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts | Enterprise |
| DET0459 | Detection Strategy for Build Image on Host | Enterprise |
| DET0545 | Detection Strategy for Cloud Administration Command | Enterprise |
| DET0539 | Detection Strategy for Cloud Application Integration | Enterprise |
| DET0169 | Detection Strategy for Cloud Infrastructure Discovery | Enterprise |
| DET0402 | Detection Strategy for Cloud Service Discovery | Enterprise |
| DET0147 | Detection Strategy for Cloud Service Hijacking via SaaS Abuse | Enterprise |
| DET0578 | Detection Strategy for Cloud Storage Object Discovery | Enterprise |
| DET0505 | Detection Strategy for Command Obfuscation | Enterprise |
| DET0501 | Detection Strategy for Compile After Delivery - Source Code to Executable Transformation | Enterprise |
| DET0281 | Detection Strategy for Compressed Payload Creation and Execution | Enterprise |
| DET0065 | Detection Strategy for Container Administration Command Abuse | Enterprise |
| DET0490 | Detection Strategy for Container and Resource Discovery | Enterprise |
| DET0349 | Detection Strategy for Content Injection | Enterprise |
| DET0108 | Detection Strategy for Data Encoding in C2 Channels | Enterprise |
| DET0592 | Detection Strategy for Data from Configuration Repository on Network Devices | Enterprise |
| DET0410 | Detection Strategy for Data from Network Shared Drive | Enterprise |
| DET0059 | Detection Strategy for Data Manipulation | Enterprise |
| DET0213 | Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration | Enterprise |
| DET0371 | Detection Strategy for Debugger Evasion (T1622) | Enterprise |
| DET0579 | Detection Strategy for Device Driver Discovery | Enterprise |
| DET0424 | Detection Strategy for Disable or Modify Cloud Firewall | Enterprise |
| DET0289 | Detection Strategy for Disable or Modify Cloud Logs | Enterprise |
| DET0062 | Detection Strategy for Disable or Modify Linux Audit System | Enterprise |
| DET0316 | Detection Strategy for Disk Content Wipe via Direct Access and Overwrite | Enterprise |
| DET0297 | Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite | Enterprise |
| DET0137 | Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands | Enterprise |
| DET0366 | Detection Strategy for Double File Extension Masquerading | Enterprise |
| DET0569 | Detection Strategy for Downgrade System Image on Network Devices | Enterprise |
| DET0091 | Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups | Enterprise |
| DET0039 | Detection Strategy for Dynamic Resolution across OS Platforms | Enterprise |
| DET0262 | Detection Strategy for Dynamic Resolution through DNS Calculation | Enterprise |
| DET0419 | Detection Strategy for Dynamic Resolution using Domain Generation Algorithms. | Enterprise |
| DET0485 | Detection Strategy for Dynamic Resolution using Fast Flux DNS | Enterprise |
| DET0355 | Detection Strategy for Email Bombing | Enterprise |
| DET0192 | Detection Strategy for Email Hiding Rules | Enterprise |
| DET0431 | Detection Strategy for Email Spoofing | Enterprise |
| DET0214 | Detection Strategy for Embedded Payloads | Enterprise |
| DET0273 | Detection Strategy for Encrypted Channel across OS Platforms | Enterprise |
| DET0543 | Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms | Enterprise |
| DET0143 | Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms | Enterprise |
| DET0304 | Detection Strategy for Endpoint DoS via Application or System Exploitation | Enterprise |
| DET0173 | Detection Strategy for Endpoint DoS via Service Exhaustion Flood | Enterprise |
| DET0219 | Detection Strategy for Escape to Host | Enterprise |
| DET0232 | Detection Strategy for ESXi Administration Command | Enterprise |
| DET0558 | Detection Strategy for ESXi Hypervisor CLI Abuse | Enterprise |
| DET0555 | Detection Strategy for Event Triggered Execution via emond on macOS | Enterprise |
| DET0369 | Detection Strategy for Event Triggered Execution via Trap (T1546.005) | Enterprise |
| DET0557 | Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) | Enterprise |
| DET0015 | Detection Strategy for Exclusive Control | Enterprise |
| DET0348 | Detection Strategy for Exfiltration Over C2 Channel | Enterprise |
| DET0548 | Detection Strategy for Exfiltration Over Web Service | Enterprise |
| DET0153 | Detection Strategy for Exfiltration Over Webhook | Enterprise |
| DET0570 | Detection Strategy for Exfiltration to Cloud Storage | Enterprise |
| DET0318 | Detection Strategy for Exfiltration to Code Repository | Enterprise |
| DET0284 | Detection Strategy for Exfiltration to Text Storage Sites | Enterprise |
| DET0174 | Detection Strategy for Exploitation for Credential Access | Enterprise |
| DET0595 | Detection Strategy for Exploitation for Defense Evasion | Enterprise |
| DET0514 | Detection Strategy for Exploitation for Privilege Escalation | Enterprise |
| DET0406 | Detection Strategy for Extended Attributes Abuse | Enterprise |
| DET0217 | Detection Strategy for Extra Window Memory (EWM) Injection on Windows | Enterprise |
| DET0150 | Detection Strategy for File Creation or Modification of Boot Files | Enterprise |
| DET0051 | Detection Strategy for File/Path Exclusions | Enterprise |
| DET0344 | Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory | Enterprise |
| DET0495 | Detection Strategy for Financial Theft | Enterprise |
| DET0148 | Detection Strategy for Forged SAML Tokens | Enterprise |
| DET0171 | Detection Strategy for Forged Web Cookies | Enterprise |
| DET0260 | Detection Strategy for Forged Web Credentials | Enterprise |
| DET0055 | Detection Strategy for Group Policy Discovery on Windows | Enterprise |
| DET0502 | Detection Strategy for Hidden Artifacts Across Platforms | Enterprise |
| DET0461 | Detection Strategy for Hidden File System Abuse | Enterprise |
| DET0032 | Detection Strategy for Hidden Files and Directories | Enterprise |
| DET0353 | Detection Strategy for Hidden User Accounts | Enterprise |
| DET0321 | Detection Strategy for Hidden Virtual Instance Execution | Enterprise |
| DET0128 | Detection Strategy for Hidden Windows | Enterprise |
| DET0411 | Detection Strategy for Hide Infrastructure | Enterprise |
| DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | Enterprise |
| DET0201 | Detection Strategy for Hijack Execution Flow for DLLs | Enterprise |
| DET0064 | Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path | Enterprise |
| DET0427 | Detection Strategy for Hijack Execution Flow through Service Registry Permission Weakness. | Enterprise |
| DET0436 | Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. | Enterprise |
| DET0517 | Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. | Enterprise |
| DET0577 | Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. | Enterprise |
| DET0038 | Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness | Enterprise |
| DET0004 | Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. | Enterprise |
| DET0564 | Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking | Enterprise |
| DET0479 | Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. | Enterprise |
| DET0152 | Detection Strategy for Hijack Execution Flow: Dylib Hijacking | Enterprise |
| DET0435 | Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking | Enterprise |
| DET0313 | Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop | Enterprise |
| DET0422 | Detection Strategy for IFEO Injection on Windows | Enterprise |
| DET0067 | Detection Strategy for Ignore Process Interrupts | Enterprise |
| DET0317 | Detection Strategy for Impair Defenses Across Platforms | Enterprise |
| DET0239 | Detection Strategy for Impair Defenses Indicator Blocking | Enterprise |
| DET0563 | Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms. | Enterprise |
| DET0286 | Detection Strategy for Impersonation | Enterprise |
| DET0189 | Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification | Enterprise |
| DET0568 | Detection Strategy for Input Injection | Enterprise |
| DET0322 | Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns | Enterprise |
| DET0450 | Detection Strategy for Kernel Modules and Extensions Autostart Execution | Enterprise |
| DET0183 | Detection Strategy for Lateral Tool Transfer across OS platforms | Enterprise |
| DET0401 | Detection Strategy for Launch Daemon Creation or Modification (macOS) | Enterprise |
| DET0216 | Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS | Enterprise |
| DET0331 | Detection Strategy for ListPlanting Injection on Windows | Enterprise |
| DET0405 | Detection Strategy for LNK Icon Smuggling | Enterprise |
| DET0255 | Detection Strategy for Log Enumeration | Enterprise |
| DET0244 | Detection Strategy for Login Hook Persistence on macOS | Enterprise |
| DET0101 | Detection Strategy for Lua Scripting Abuse | Enterprise |
| DET0383 | Detection Strategy for Masquerading via Account Name Similarity | Enterprise |
| DET0443 | Detection Strategy for Masquerading via Breaking Process Trees | Enterprise |
| DET0226 | Detection Strategy for Masquerading via File Type Modification | Enterprise |
| DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | Enterprise |
| DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | Enterprise |
| DET0308 | Detection Strategy for Modify Cloud Compute Infrastructure | Enterprise |
| DET0449 | Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance | Enterprise |
| DET0423 | Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot | Enterprise |
| DET0084 | Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance | Enterprise |
| DET0492 | Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | Enterprise |
| DET0337 | Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance | Enterprise |
| DET0155 | Detection Strategy for Modify Cloud Resource Hierarchy | Enterprise |
| DET0170 | Detection Strategy for Modify System Image on Network Devices | Enterprise |
| DET0160 | Detection Strategy for Multi-Factor Authentication Request Generation (T1621) | Enterprise |
| DET0575 | Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) | Enterprise |
| DET0163 | Detection Strategy for Network Address Translation Traversal | Enterprise |
| DET0006 | Detection Strategy for Network Boundary Bridging | Enterprise |
| DET0233 | Detection Strategy for Network Device Configuration Dump via Config Repositories | Enterprise |
| DET0314 | Detection Strategy for Network Sniffing Across Platforms | Enterprise |
| DET0227 | Detection Strategy for Non-Standard Ports | Enterprise |
| DET0432 | Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) | Enterprise |
| DET0553 | Detection Strategy for Obfuscated Files or Information: Binary Padding | Enterprise |
| DET0164 | Detection Strategy for Overwritten Process Arguments Masquerading | Enterprise |
| DET0469 | Detection Strategy for Patch System Image on Network Devices | Enterprise |
| DET0070 | Detection Strategy for Phishing across platforms. | Enterprise |
| DET0109 | Detection Strategy for Plist File Modification (T1647) | Enterprise |
| DET0533 | Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows | Enterprise |
| DET0324 | Detection Strategy for Polymorphic Code Mutation and Execution | Enterprise |
| DET0417 | Detection Strategy for Power Settings Abuse | Enterprise |
| DET0451 | Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification | Enterprise |
| DET0045 | Detection Strategy for Process Argument Spoofing on Windows | Enterprise |
| DET0544 | Detection Strategy for Process Doppelgänging on Windows | Enterprise |
| DET0382 | Detection Strategy for Process Hollowing on Windows | Enterprise |
| DET0538 | Detection Strategy for Protocol Tunneling across OS platforms. | Enterprise |
| DET0203 | Detection Strategy for Ptrace-Based Process Injection on Linux | Enterprise |
| DET0408 | Detection Strategy for Reflection Amplification DoS (T1498.002) | Enterprise |
| DET0300 | Detection Strategy for Reflective Code Loading | Enterprise |
| DET0574 | Detection Strategy for Remote System Enumeration Behavior | Enterprise |
| DET0584 | Detection Strategy for Resource Forking on macOS | Enterprise |
| DET0156 | Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs | Enterprise |
| DET0276 | Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse | Enterprise |
| DET0277 | Detection Strategy for Role Addition to Cloud Accounts | Enterprise |
| DET0391 | Detection Strategy for Runtime Data Manipulation. | Enterprise |
| DET0116 | Detection Strategy for Safe Mode Boot Abuse | Enterprise |
| DET0399 | Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns | Enterprise |
| DET0374 | Detection Strategy for Serverless Execution (T1648) | Enterprise |
| DET0453 | Detection Strategy for SNMP (MIB Dump) on Network Devices | Enterprise |
| DET0236 | Detection Strategy for Spearphishing Attachment across OS Platforms | Enterprise |
| DET0107 | Detection Strategy for Spearphishing Links | Enterprise |
| DET0115 | Detection Strategy for Spearphishing via a Service across OS Platforms | Enterprise |
| DET0245 | Detection Strategy for Spearphishing Voice across OS platforms | Enterprise |
| DET0181 | Detection Strategy for SQL Stored Procedures Abuse via T1505.001 | Enterprise |
| DET0126 | Detection Strategy for SSH Key Injection in Authorized Keys | Enterprise |
| DET0256 | Detection Strategy for SSH Session Hijacking | Enterprise |
| DET0240 | Detection Strategy for Steal or Forge Authentication Certificates | Enterprise |
| DET0119 | Detection Strategy for Steganographic Abuse in File & Script Execution | Enterprise |
| DET0193 | Detection Strategy for Stored Data Manipulation across OS Platforms. | Enterprise |
| DET0019 | Detection Strategy for Stripped Payloads Across Platforms | Enterprise |
| DET0442 | Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. | Enterprise |
| DET0056 | Detection Strategy for Subvert Trust Controls via Install Root Certificate. | Enterprise |
| DET0510 | Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior | Enterprise |
| DET0282 | Detection Strategy for System Binary Proxy Execution: Regsvr32 | Enterprise |
| DET0565 | Detection Strategy for System Language Discovery | Enterprise |
| DET0043 | Detection Strategy for System Location Discovery | Enterprise |
| DET0279 | Detection Strategy for System Services across OS platforms. | Enterprise |
| DET0421 | Detection Strategy for System Services Service Execution | Enterprise |
| DET0265 | Detection Strategy for System Services: Launchctl | Enterprise |
| DET0073 | Detection Strategy for System Services: Systemctl | Enterprise |
| DET0583 | Detection Strategy for T1136 - Create Account across platforms | Enterprise |
| DET0319 | Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office | Enterprise |
| DET0475 | Detection Strategy for T1218.011 Rundll32 Abuse | Enterprise |
| DET0042 | Detection Strategy for T1218.012 Verclsid Abuse | Enterprise |
| DET0046 | Detection Strategy for T1497 Virtualization/Sandbox Evasion | Enterprise |
| DET0547 | Detection Strategy for T1505 - Server Software Component | Enterprise |
| DET0166 | Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) | Enterprise |
| DET0068 | Detection Strategy for T1505.004 - Malicious IIS Components | Enterprise |
| DET0212 | Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) | Enterprise |
| DET0334 | Detection Strategy for T1525 – Implant Internal Image | Enterprise |
| DET0515 | Detection Strategy for T1528 - Steal Application Access Token | Enterprise |
| DET0278 | Detection Strategy for T1542 Pre-OS Boot | Enterprise |
| DET0099 | Detection Strategy for T1542.001 Pre-OS Boot: System Firmware | Enterprise |
| DET0323 | Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware | Enterprise |
| DET0175 | Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit | Enterprise |
| DET0582 | Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot | Enterprise |
| DET0330 | Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages | Enterprise |
| DET0375 | Detection Strategy for T1546.017 - Udev Rules (Linux) | Enterprise |
| DET0180 | Detection Strategy for T1547.009 – Shortcut Modification (Windows) | Enterprise |
| DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | Enterprise |
| DET0121 | Detection Strategy for T1547.015 – Login Items on macOS | Enterprise |
| DET0388 | Detection Strategy for T1548.002 – Bypass User Account Control (UAC) | Enterprise |
| DET0409 | Detection Strategy for T1550.002 - Pass the Hash (Windows) | Enterprise |
| DET0352 | Detection Strategy for T1550.003 - Pass the Ticket (Windows) | Enterprise |
| DET0393 | Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005) | Enterprise |
| DET0467 | Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing | Enterprise |
| DET0403 | Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices | Enterprise |
| DET0012 | Detection Strategy for VBA Stomping | Enterprise |
| DET0448 | Detection Strategy for VDSO Hijacking on Linux | Enterprise |
| DET0199 | Detection Strategy for Virtual Machine Discovery | Enterprise |
| DET0339 | Detection Strategy for Weaken Encryption on Network Devices | Enterprise |
| DET0494 | Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices | Enterprise |
| DET0243 | Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices | Enterprise |
| DET0058 | Detection Strategy for Web Service: Dead Drop Resolver | Enterprise |
| DET0536 | Detection Strategy for Wi-Fi Networks | Enterprise |
| DET0254 | Detection Strategy of Transmitted Data Manipulation | Enterprise |
| DET0343 | Direct Network Flood Detection across IaaS, Linux, Windows, and macOS | Enterprise |
| DET0487 | Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Enterprise |
| DET0129 | Domain Account Enumeration Across Platforms | Enterprise |
| DET0196 | Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers | Enterprise |
| DET0176 | Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) | Enterprise |
| DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | Enterprise |
| DET0576 | Email Forwarding Rule Abuse Detection Across Platforms | Enterprise |
| DET0087 | Encrypted or Encoded File Payload Detection Strategy | Enterprise |
| DET0356 | Endpoint DoS via OS Exhaustion Flood Detection Strategy | Enterprise |
| DET0208 | Endpoint Resource Saturation and Crash Pattern Detection Across Platforms | Enterprise |
| DET0229 | Enumeration of Global Address Lists via Email Account Discovery | Enterprise |
| DET0587 | Enumeration of User or Account Information Across Platforms | Enterprise |
| DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | Enterprise |
| DET0080 | Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress) | Enterprise |
| DET0287 | Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) | Enterprise |
| DET0118 | Exploitation of Remote Services – multi-platform lateral movement detection | Enterprise |
| DET0325 | External Proxy Behavior via Outbound Relay to Intermediate Infrastructure | Enterprise |
| DET0167 | Firmware Modification via Flash Tool or Corrupted Firmware Upload | Enterprise |
| DET0368 | Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks | Enterprise |
DET0133
|
IDE Tunneling Detection via Process, File, and Network Behaviors
|
Enterprise
|
|
DET0200
|
Indirect Command Execution – Windows utility abuse behavior chain
|
Enterprise
|
|
DET0075
|
Internal Proxy Behavior via Lateral Host-to-Host C2 Relay
|
Enterprise
|
|
DET0054
|
Internal Spearphishing via Trusted Accounts
|
Enterprise
|
|
DET0082
|
Internal Website and System Content Defacement via UI or Messaging Modifications
|
Enterprise
|
|
DET0031
|
Invalid Code Signature Execution Detection via Metadata and Behavioral Context
|
Enterprise
|
|
DET0390
|
Linux Detection Strategy for T1547.013 - XDG Autostart Entries
|
Enterprise
|
|
DET0258
|
Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018)
|
Enterprise
|
|
DET0303
|
Local Account Enumeration Across Host Platforms
|
Enterprise
|
|
DET0188
|
Local Storage Discovery via Drive Enumeration and Filesystem Probing
|
Enterprise
|
|
DET0395
|
macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection
|
Enterprise
|
|
DET0292
|
Masquerading via Space After Filename - Behavioral Detection Strategy
|
Enterprise
|
|
DET0285
|
Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution
|
Enterprise
|
|
DET0530
|
Multi-Event Detection for SMB Admin Share Lateral Movement
|
Enterprise
|
|
DET0327
|
Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity
|
Enterprise
|
|
DET0359
|
Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling
|
Enterprise
|
|
DET0540
|
Multi-Platform Behavioral Detection for Compute Hijacking
|
Enterprise
|
|
DET0484
|
Multi-Platform Cloud Storage Exfiltration Behavior Chain
|
Enterprise
|
|
DET0372
|
Multi-Platform Detection Strategy for T1678 - Delay Execution
|
Enterprise
|
|
DET0562
|
Multi-Platform Execution Guardrails Environmental Validation Detection Strategy
|
Enterprise
|
|
DET0299
|
Multi-Platform File and Directory Permissions Modification Detection Strategy
|
Enterprise
|
|
DET0559
|
Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events
|
Enterprise
|
|
DET0392
|
Multi-Platform Software Discovery Behavior Chain
|
Enterprise
|
|
DET0023
|
Obfuscated Binary Unpacking Detection via Behavioral Patterns
|
Enterprise
|
|
DET0551
|
Password Guessing via Multi-Source Authentication Failure Correlation
|
Enterprise
|
|
DET0161
|
Password Policy Discovery – cross-platform behavior-chain analytics
|
Enterprise
|
|
DET0491
|
Peripheral Device Enumeration via System Utilities and API Calls
|
Enterprise
|
|
DET0302
|
Port-knock → rule/daemon change → first successful connect (T1205.001)
|
Enterprise
|
|
DET0105
|
Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools
|
Enterprise
|
|
DET0358
|
Programmatic and Excessive Access to Confluence Documentation
|
Enterprise
|
|
DET0370
|
Recursive Enumeration of Files and Directories Across Privilege Contexts
|
Enterprise
|
|
DET0542
|
Registry and LSASS Monitoring for Security Support Provider Abuse
|
Enterprise
|
|
DET0259
|
Remote Desktop Software Execution and Beaconing Detection
|
Enterprise
|
|
DET0301
|
Removable Media Execution Chain Detection via File and Process Activity
|
Enterprise
|
|
DET0005
|
Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path
|
Enterprise
|
|
DET0267
|
Resource Hijacking Detection Strategy
|
Enterprise
|
|
DET0527
|
Right-to-Left Override Masquerading Detection via Filename and Execution Context
|
Enterprise
|
|
DET0016
|
Security Software Discovery Across Platforms
|
Enterprise
|
|
DET0110
|
Setuid/Setgid Privilege Abuse Detection (Linux/macOS)
|
Enterprise
|
|
DET0162
|
Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)
|
Enterprise
|
|
DET0009
|
Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)
|
Enterprise
|
|
DET0310
|
Suspicious Addition to Local or Domain Groups
|
Enterprise
|
|
DET0242
|
Suspicious Database Access and Dump Activity Across Environments (T1213.006)
|
Enterprise
|
|
DET0036
|
Suspicious Device Registration via Entra ID or MFA Platform
|
Enterprise
|
|
DET0572
|
Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes
|
Enterprise
|
|
DET0425
|
Suspicious Use of Web Services for C2
|
Enterprise
|
|
DET0525
|
System Discovery via Native and Remote Utilities
|
Enterprise
|
|
DET0447
|
T1136.001 Detection Strategy - Local Account Creation Across Platforms
|
Enterprise
|
|
DET0003
|
T1136.002 Detection Strategy - Domain Account Creation Across Platforms
|
Enterprise
|
|
DET0534
|
TCC Database Manipulation via Launchctl and Unprotected SIP
|
Enterprise
|
|
DET0566
|
Template Injection Detection - Windows
|
Enterprise
|
|
DET0524
|
Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205
|
Enterprise
|
|
DET0306
|
Unauthorized Network Firewall Rule Modification (T1562.013)
|
Enterprise
|
|
DET0351
|
Unix-like File Permission Manipulation Behavioral Chain Detection Strategy
|
Enterprise
|
|
DET0340
|
User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004
|
Enterprise
|
|
DET0294
|
User Execution – Malicious File via download/open → spawn chain (T1204.002)
|
Enterprise
|
|
DET0248
|
User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)
|
Enterprise
|
|
DET0066
|
User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)
|
Enterprise
|
|
DET0478
|
User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)
|
Enterprise
|
|
DET0252
|
User-Initiated Malicious Library Installation via Package Manager (T1204.005)
|
Enterprise
|
|
DET0168
|
Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS
|
Enterprise
|
|
DET0394
|
Web Shell Detection via Server Behavior and File Execution Chains
|
Enterprise
|
|
DET0481
|
Windows COM Hijacking Detection via Registry and DLL Load Correlation
|
Enterprise
|
|
DET0418
|
Windows DACL Manipulation Behavioral Chain Detection Strategy
|
Enterprise
|
|
DET0026
|
Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence
|
Enterprise
|