| T1053.005 | CAR-2013-01-002 | windows | https://car.mitre.org/analytics/CAR-2013-01-002 | CAR |
| T1053.005 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1053.005 | CAR-2013-08-001 | windows | https://car.mitre.org/analytics/CAR-2013-08-001 | CAR |
| T1053.005 | CAR-2015-04-002 | windows | https://car.mitre.org/analytics/CAR-2015-04-002 | CAR |
| T1053.005 | CAR-2020-09-001 | windows | https://car.mitre.org/analytics/CAR-2020-09-001 | CAR |
| T1053.005 | 7feb7972-7ac3-11eb-bac8-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml | Splunk |
| T1053.005 | 1297fb80-f42a-4b4a-9c8a-88c066437cf6 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml | Splunk |
| T1053.005 | d5af132c-7c17-439c-9d31-13d55340f36c | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml | Splunk |
| T1053.005 | 1297fb80-f42a-4b4a-9c8a-88c066237cf6 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml | Splunk |
| T1053.005 | 203ef0ea-9bd8-11eb-8201-acde48001122 | windows | https://github.com/splunk/security_content/blob/25a4be5d980d2e98883a840bf075bd575cf8681f/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml | Splunk |
| T1053.005 | 5d9c6eee-988c-11eb-8253-acde48001122 | windows | https://github.com/splunk/security_content/blob/25a4be5d980d2e98883a840bf075bd575cf8681f/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml | Splunk |
| T1053.005 | 523c2684-a101-11eb-916b-acde48001122 | windows | https://github.com/splunk/security_content/blob/503e6acd96c84f6701811029201294a29f1ef21c/detections/endpoint/schedule_task_with_http_command_arguments.yml | Splunk |
| T1053.005 | 523c2684-a101-11eb-916b-acde48001122 | windows | https://github.com/splunk/security_content/blob/25a4be5d980d2e98883a840bf075bd575cf8681f/detections/endpoint/shedule_task_with_http_command_arguments.yml | Splunk |
| T1059.001 | CAR-2014-04-003 | windows | https://car.mitre.org/analytics/CAR-2014-04-003 | CAR |
| T1059.001 | CAR-2014-11-004 | windows | https://car.mitre.org/analytics/CAR-2014-11-004 | CAR |
| T1059.001 | ac7102b4-9e1e-4802-9b4f-17c5524c015c | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml | Sigma |
| T1059.001 | e9f55347-2928-4c06-88e5-1a7f8169942e | windows | https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/win_invoke_obfuscation_via_var%2B%2B.yml | Sigma |
| T1059.001 | 056a7ee1-4853-4e67-86a0-3fd9ceed7555 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml | Sigma |
| T1059.001 | 6c96fc76-0eb1-11eb-adc1-0242ac120002 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_stdin%2B.yml | Sigma |
| T1059.001 | fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_encoded_frombase64string.yml | Sigma |
| T1059.001 | e32d4572-9826-4738-b651-95fa63747e8a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_powershell_frombase64string.yml | Sigma |
| T1059.001 | e312efd0-35a1-407f-8439-b8d434b438a6 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_encoded_param.yml | Sigma |
| T1059.001 | e1561947-b4e3-4a74-9bdd-83baed21bdb5 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml | Sigma |
| T1059.001 | 88f680b8-070e-402c-ae11-d2914f2257f1 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_encoded_iex.yml | Sigma |
| T1059.001 | a6d67db4-6220-436d-8afc-f3842fe05d43 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_dnscat_execution.yml | Sigma |
| T1059.001 | 9c14c9fa-1a63-4a64-8e57-d19280559490 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml | Sigma |
| T1059.001 | 27aec9c9-dbb0-4939-8422-1742242471d0 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_var%2B.yml | Sigma |
| T1059.001 | 3d304fda-78aa-43ed-975c-d740798a49c1 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_suspicious_invocation_generic.yml | Sigma |
| T1059.001 | b222df08-0e07-11eb-adc1-0242ac120002 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_clip%2B.yml | Sigma |
| T1059.001 | ac20ae82-8758-4f38-958e-b44a3140ca88 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml | Sigma |
| T1059.001 | 36c5146c-d127-4f85-8e21-01bf62355d5a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml | Sigma |
| T1059.001 | e4b63079-6198-405c-abd7-3fe8b0ce3263 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml | Sigma |
| T1059.001 | 65531a81-a694-4e31-ae04-f8ba5bc33759 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_suspicious_download.yml | Sigma |
| T1059.001 | 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml | Sigma |
| T1059.001 | 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_xor_commandline.yml | Sigma |
| T1059.001 | d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 | windows | https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/process_creation/sysmon_long_powershell_commandline.yml | Sigma |
| T1059.001 | 867613fb-fa60-4497-a017-a82df74a172c | windows | https://github.com/SigmaHQ/sigma/blob/8aabb58eca06cc44ae21ae4d091793d8c5ca6a23/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml | Sigma |
| T1059.001 | eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/powershell/powershell_code_injection.yml | Sigma |
| T1059.001 | 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml | Sigma |
| T1059.001 | db92dd33-a3ad-49cf-8c2c-608c3e30ace0 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml | Sigma |
| T1059.001 | c70e019b-1479-4b65-b0cc-cd0c6093a599 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_exe_calling_ps.yml | Sigma |
| T1059.001 | 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_powershell_download.yml | Sigma |
| T1059.001 | e54f5149-6ba3-49cf-b153-070d24679126 | windows | https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/powershell/powershell_invoke_obfuscation_via_var%2B%2B.yml | Sigma |
| T1059.001 | fe6e002f-f244-4278-9263-20e4b593827f | windows | https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml | Sigma |
| T1059.001 | 243de76f-4725-4f2e-8225-a8a69b15ad61 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_create_local_user.yml | Sigma |
| T1059.001 | 1a93b7ea-7af7-11eb-adb5-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/any_powershell_downloadfile.yml | Splunk |
| T1059.001 | 4d015ef2-7adf-11eb-95da-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/any_powershell_downloadstring.yml | Splunk |
| T1059.001 | a0bdd2f6-c2ff-11eb-b918-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/detect_sharphound_command_line_arguments.yml | Splunk |
| T1059.001 | dd04b29a-beed-11eb-87bc-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/detect_sharphound_usage.yml | Splunk |
| T1059.001 | 42b4b438-beed-11eb-ba1d-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/detect_sharphound_file_modifications.yml | Splunk |
| T1059.001 | cde75cf6-3c7a-4dd6-af01-27cdb4511fd4 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml | Splunk |
| T1059.001 | c2590137-0b08-4985-9ec5-6ae23d92f63d | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml | Splunk |
| T1059.001 | 9be56c82-b1cc-4318-87eb-d138afaaca39 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml | Splunk |
| T1059.001 | ee18ed37-0802-4268-9435-b3b91aaa18db | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/malicious_powershell_process___connect_to_internet_with_hidden_window.yml | Splunk |
| T1059.001 | 1a382c6c-7c2e-11eb-ac69-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/nishang_powershelltcponeline.yml | Splunk |
| T1059.001 | 0d718b52-c9f1-11eb-bc61-acde48001122 | windows | https://github.com/splunk/security_content/blob/d67359635faea7a0221e9361bf73b4cf544642e0/detections/endpoint/powershell_processing_stream_of_data.yml | Splunk |
| T1059.001 | 26f02e96-c300-11eb-b611-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/detect_azurehound_command_line_arguments.yml | Splunk |
| T1059.001 | 1c34549e-c31b-11eb-996b-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/detect_azurehound_file_modifications.yml | Splunk |
| T1059.001 | 29e307ba-40af-4ab2-91b2-3c6b392bbba0 | windows | https://github.com/splunk/security_content/blob/2c1bc1664095dd4d1c09e06328cccb9760422fcc/detections/endpoint/detect_mimikatz_using_loaded_images.yml | Splunk |
| T1059.003 | CAR-2013-02-003 | windows | https://car.mitre.org/analytics/CAR-2013-02-003 | CAR |
| T1059.003 | CAR-2014-11-002 | windows | https://car.mitre.org/analytics/CAR-2014-11-002 | CAR |
| T1059.003 | 95022b85-ff2a-49fa-939a-d7b8f56eeb9b | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_redmimicry_winnti_proc.yml | Sigma |
| T1059.003 | 087790e3-3287-436c-bccf-cbd0184a7db1 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_commandline_path_traversal.yml | Sigma |
| T1059.003 | f0b70adb-0075-43b0-9745-e82a1c608fcc | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_zxshell.yml | Sigma |
| T1059.003 | e507feb7-5f73-4ef6-a970-91bb6f6d744f | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_elise.yml | Sigma |
| T1059.003 | ba778144-5e3d-40cf-8af9-e28fb1df1e20 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_sofacy.yml | Sigma |
| T1059.003 | 2b30fa36-3a18-402f-a22d-bf4ce2189f35 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_babyshark.yml | Sigma |
| T1059.003 | 5cddf373-ef00-4112-ad72-960ac29bac34 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_hack_koadic.yml | Sigma |
| T1059.003 | 1ac8666b-046f-4201-8aba-1951aaec03a3 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cmd_http_appdata.yml | Sigma |
| T1059.003 | 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df | cloud | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/cloud/aws_ec2_startup_script_change.yml | Sigma |
| T1059.003 | 52cad028-0ff0-4854-8f67-d25dfcbc78b4 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml | Sigma |
| T1059.003 | 023394c4-29d5-46ab-92b8-6a534c6f447b | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_hwp_exploits.yml | Sigma |
| T1059.003 | 1c373b6d-76ce-4553-997d-8c1da9a6b5f5 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_exploit_cve_2019_1378.yml | Sigma |
| T1059.003 | 846b866e-2a57-46ee-8e16-85fa92759be7 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_exploit_cve_2020_10189.yml | Sigma |
| T1059.003 | 058f4380-962d-40a5-afce-50207d36d7e2 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_crackmapexec_execution.yml | Sigma |
| T1059.003 | 401e5d00-b944-11ea-8f9a-00163ecd60ae | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml | Sigma |
| T1059.003 | dcfd6b40-42f9-469d-a433-2e53f7486664 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml | Splunk |
| T1059.003 | b89919ed-fe5f-492c-b139-95dbb162039e | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml | Splunk |
| T1059.003 | 538d0152-7aaa-11eb-beaa-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/ryuk_wake_on_lan_command.yml | Splunk |
| T1059.003 | eb277ba0-b96b-11eb-b00e-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/cmd_echo_pipe___escalation.yml | Splunk |
| T1059.005 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1059.005 | 966e4016-627f-44f7-8341-f394905c361f | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_cloudhopper.yml | Sigma |
| T1059.005 | 1e33157c-53b1-41ad-bbcc-780b80b58288 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml | Sigma |
| T1059.005 | aaf46cdc-934e-4284-b329-34aa701e3771 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_bginfo.yml | Sigma |
| T1059.005 | b730a276-6b63-41b8-bcf8-55930c8fc6ee | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml | Sigma |
| T1059.005 | edc2f8ae-2412-4dfd-b9d5-0c57727e70be | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml | Sigma |
| T1059.005 | 2e4e488a-6164-4811-9ea1-f960c7359c40 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/create_remote_thread/sysmon_cactustorch.yml | Sigma |
| T1059.005 | 8d63dadf-b91b-4187-87b6-34a1114577ea | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_bypass_squiblytwo.yml | Sigma |
| T1059.005 | 4fcac6eb-0287-4090-8eea-2602e4c20040 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_qbot.yml | Sigma |
| T1059.005 | cea72823-df4d-4567-950c-0b579eaf0846 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_script_dropper.yml | Sigma |
| T1059.005 | 25676e10-2121-446e-80a4-71ff8506af47 | web | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/web/win_powershell_snapins_hafnium.yml | Sigma |
| T1059.005 | fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml | Sigma |
| T1059.005 | 5cddf373-ef00-4112-ad72-960ac29bac34 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_hack_koadic.yml | Sigma |
| T1059.005 | 52cad028-0ff0-4854-8f67-d25dfcbc78b4 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml | Sigma |
| T1059.005 | 3a6586ad-127a-4d3b-a677-1e6eacdf8fde | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_shell_spawn_susp_program.yml | Sigma |
| T1059.005 | 1fac1481-2dbc-48b2-9096-753c49b4ec71 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mal_adwind.yml | Sigma |
| T1059.005 | 401e5d00-b944-11ea-8f9a-00163ecd60ae | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml | Sigma |
| T1059.006 | 9637e8a5-7131-4f7f-bdc7-2b05d8670c43 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_characteristics.yml | Sigma |
| T1059.006 | 401e5d00-b944-11ea-8f9a-00163ecd60ae | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml | Sigma |
| T1078.002 | CAR-2013-02-008 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-02-008 | CAR |
| T1078.002 | CAR-2013-02-012 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-02-012 | CAR |
| T1078.002 | CAR-2013-05-003 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-05-003 | CAR |
| T1078.002 | CAR-2013-05-005 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-05-005 | CAR |
| T1078.002 | CAR-2013-10-001 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-10-001 | CAR |
| T1078.002 | 0f63e1ef-1eb9-4226-9d54-8927ca08520a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_admin_rdp_login.yml | Sigma |
| T1078.002 | c026e3dd-7e18-4abb-8f41-929e836efe74 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml | Splunk |
| T1078.002 | 95a7f9a5-6096-437e-a19e-86f42ac609bd | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/detect_excessive_user_account_lockouts.yml | Splunk |
| T1078.003 | CAR-2013-02-008 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-02-008 | CAR |
| T1078.003 | CAR-2013-02-012 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-02-012 | CAR |
| T1078.003 | CAR-2013-05-003 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-05-003 | CAR |
| T1078.003 | CAR-2013-05-005 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-05-005 | CAR |
| T1078.003 | CAR-2013-10-001 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-10-001 | CAR |
| T1078.003 | 0f63e1ef-1eb9-4226-9d54-8927ca08520a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_admin_rdp_login.yml | Sigma |
| T1078.003 | cc2fd2d0-ba3a-4939-b87f-2901764ed036 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/persistence_enable_root_account.toml | Elastic |
| T1078.003 | 41b638a1-8ab6-4f8e-86d9-466317ef2db5 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/persistence_account_creation_hide_at_logon.toml | Elastic |
| T1078.003 | 565c2b44-7a21-4818-955f-8d4737967d2e | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/privilege_escalation_local_user_added_to_admin.toml | Elastic |
| T1078.003 | 95a7f9a5-6096-437e-a19e-86f42ac609bd | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/detect_excessive_user_account_lockouts.yml | Splunk |
| T1091 | f69a87ea-955e-4fb4-adb2-bb9fd6685632 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_external_device.yml | Sigma |
| T1095 | f7158a64-6204-4d6d-868a-6e6378b467e0 | linux | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml | Sigma |
| T1095 | e9c102de-4d43-42a7-b1c8-8062ea297419 | experimental | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/experimental/network/detect_large_outbound_icmp_packets.yml | Splunk |
| T1105 | CAR-2013-07-001 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-07-001 | CAR |
| T1105 | CAR-2021-05-005 | windows | https://car.mitre.org/analytics/CAR-2021-05-005 | CAR |
| T1105 | CAR-2021-05-006 | windows | https://car.mitre.org/analytics/CAR-2021-05-006 | CAR |
| T1105 | CAR-2021-05-007 | windows | https://car.mitre.org/analytics/CAR-2021-05-007 | CAR |
| T1105 | 7a14080d-a048-4de8-ae58-604ce58a795b | linux | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/linux/lnx_file_copy.yml | Sigma |
| T1105 | d7825193-b70a-48a4-b992-8b5b3015cc11 | windows | https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml | Sigma |
| T1105 | e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_win_binary_susp_com.yml | Sigma |
| T1105 | f7b5f842-a6af-4da5-9e95-e32478f3cd2f | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msiexec_web_install.yml | Sigma |
| T1105 | 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 | network | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/cisco/aaa/cisco_cli_moving_data.yml | Sigma |
| T1105 | 47e0852a-cf81-4494-a8e6-31864f8c86ed | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_apt_pandemic.yml | Sigma |
| T1105 | 21dd6d38-2b18-4453-9404-a0fe4a0cc288 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_curl_start_combo.yml | Sigma |
| T1105 | af491bca-e752-4b44-9c86-df5680533dbc | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml | Sigma |
| T1105 | 0c79148b-118e-472b-bdb7-9b57b444cc19 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msoffice.yml | Sigma |
| T1105 | 46123129-1024-423e-9fae-43af4a0fa9a5 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_mpcmdrun_download.yml | Sigma |
| T1105 | e218595b-bbe7-4ee5-8a96-f32a24ad3468 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_curl_download.yml | Sigma |
| T1105 | 8f70ac5f-1f6f-4f8e-b454-db19561216c5 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ps_downloadfile.yml | Sigma |
| T1105 | aac2fd97-bcba-491b-ad66-a6edf89c71bf | network | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_http_executable_download_from_webdav.yml | Sigma |
| T1105 | eee00933-a761-4cd0-be70-c42fe91731e7 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml | Sigma |
| T1105 | bb58aa4a-b80b-415a-a2c0-2f65a4c81009 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml | Sigma |
| T1105 | 635dbb88-67b3-4b41-9ea5-a3af2dd88153 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_win_binary_github_com.yml | Sigma |
| T1105 | fc4f4817-0c53-4683-a4ee-b17a64bc1039 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml | Sigma |
| T1105 | 1ac8666b-046f-4201-8aba-1951aaec03a3 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cmd_http_appdata.yml | Sigma |
| T1105 | 855bc8b5-2ae8-402e-a9ed-b889e6df1900 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_copy_lateral_movement.yml | Sigma |
| T1105 | e011a729-98a6-4139-b5c4-bf6f6dd8239a | windows | https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml | Sigma |
| T1105 | 3711eee4-a808-4849-8a14-faf733da3612 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_apt_greenbug_may20.yml | Sigma |
| T1105 | 195c1119-ef07-4909-bb12-e66f5e07bf3c | proxy | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/proxy/proxy_download_susp_dyndns.yml | Sigma |
| T1105 | b25a7df2-120a-4db2-bd3f-3e4b86b24bee | windows | https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_teamviewer_remote_file_copy.toml | Elastic |
| T1105 | 1d276579-3380-4095-ad38-e596a01bc64f | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/command_and_control_remote_file_copy_scripts.toml | Elastic |
| T1105 | 15c0b7a7-9c34-4869-b25b-fa6518414899 | windows | https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml | Elastic |
| T1105 | 3838e0e3-1850-4850-a411-2e8c5ba40ba8 | windows | https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml | Elastic |
| T1105 | c6453e73-90eb-4fe7-a98c-cde7bbfc504a | windows | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml | Elastic |
| T1105 | 33f306e8-417c-411b-965c-c2812d6d3f4d | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/command_and_control_remote_file_copy_powershell.toml | Elastic |
| T1105 | 89f9a4b0-9f8f-4ee0-8823-c4751a6d6696 | windows | https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_command_prompt_connecting_to_the_internet.toml | Elastic |
| T1105 | 47f76567-d58a-4fed-b32b-21f571e28910 | mac | https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml | Elastic |
| T1105 | ff013cb4-274d-434a-96bb-fe15ddd3ae92 | network | https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/network/command_and_control_download_rar_powershell_from_internet.toml | Elastic |
| T1105 | 415b4306-8bfb-11eb-85c4-acde48001122 | windows | https://github.com/splunk/security_content/blob/2c1bc1664095dd4d1c09e06328cccb9760422fcc/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml | Splunk |
| T1105 | 801ad9e4-8bfb-11eb-8b31-acde48001122 | windows | https://github.com/splunk/security_content/blob/2c1bc1664095dd4d1c09e06328cccb9760422fcc/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml | Splunk |
| T1105 | 80630ff4-8e4c-11eb-aab5-acde48001122 | windows | https://github.com/splunk/security_content/blob/2c1bc1664095dd4d1c09e06328cccb9760422fcc/detections/endpoint/bitsadmin_download_file.yml | Splunk |
| T1105 | 6925fe72-a6d5-11eb-9e17-acde48001122 | windows | https://github.com/splunk/security_content/blob/1aeb0a9f6af992bff32ee349ebe4627fb14253ab/detections/endpoint/office_product_spawning_certutil.yml | Splunk |
| T1105 | 3f613dc0-21f2-4063-93b1-5d3c15eef22f | experimental | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/experimental/endpoint/suspicious_curl_network_connection.yml | Splunk |
| T1105 | 58194e28-ae5e-11eb-8912-acde48001122 | windows | https://github.com/splunk/security_content/blob/2d61b8e67541807f57d14e7696205219c024cd9d/detections/endpoint/download_files_using_telegram.yml | Splunk |
| T1106 | 95022b85-ff2a-49fa-939a-d7b8f56eeb9b | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_redmimicry_winnti_proc.yml | Sigma |
| T1106 | b5c7395f-e501-4a08-94d4-57fe7a9da9d2 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml | Sigma |
| T1106 | 03d83090-8cba-44a0-b02f-0b756a050306 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_accessing_win_api.yml | Sigma |
| T1106 | 93b22c0a-06a0-4131-b830-b10d5e166ff4 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml | Elastic |
| T1106 | aaf3adf1-73e1-4477-b4ee-3771898964f1 | windows | https://github.com/splunk/security_content/blob/fc82334017f5005417bf4541fbcf28007e27761a/detections/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.yml | Splunk |
| T1106 | 0e910e5b-309d-4bc3-8af2-0030c02aa353 | windows | https://github.com/splunk/security_content/blob/fc82334017f5005417bf4541fbcf28007e27761a/detections/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.yml | Splunk |
| T1107 | 9703792d-fd9a-456d-a672-ff92efe4806a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_susp_backup_delete.yml | Sigma |
| T1107 | 71d65515-c436-43c0-841b-236b1f32c21e | network | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/cisco/aaa/cisco_cli_file_deletion.yml | Sigma |
| T1107 | 39a80702-d7ca-4a83-b776-525b1f86a36d | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_susp_sdelete.yml | Sigma |
| T1110.001 | 7f398cfb-918d-41f4-8db8-2e2474e02222 | experimental | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/experimental/cloud/high_number_of_login_failures_from_a_single_source.yml | Splunk |
| T1112 | CAR-2013-01-002 | windows | https://car.mitre.org/analytics/CAR-2013-01-002 | CAR |
| T1112 | CAR-2013-03-001 | windows | https://car.mitre.org/analytics/CAR-2013-03-001 | CAR |
| T1112 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1112 | CAR-2014-11-005 | windows | https://car.mitre.org/analytics/CAR-2014-11-005 | CAR |
| T1112 | CAR-2020-05-003 | windows | https://car.mitre.org/analytics/CAR-2020-05-003 | CAR |
| T1112 | 5b175490-b652-4b02-b1de-5b5b4083c5f8 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml | Sigma |
| T1112 | a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd | windows | https://github.com/SigmaHQ/sigma/blob/6d2acb166070541925636d1d1273e46020e38387/rules/windows/registry_event/sysmon_reg_office_security.yml | Sigma |
| T1112 | 21f17060-b282-4249-ade0-589ea3591558 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/malware/win_mal_ursnif.yml | Sigma |
| T1112 | f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/malware/mal_azorult_reg.yml | Sigma |
| T1112 | 171b67e1-74b4-460e-8d55-b331f3e32d67 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml | Sigma |
| T1112 | 487bb375-12ef-41f6-baae-c6a1572b4dd1 | windows | https://github.com/SigmaHQ/sigma/blob/ae06ebcae08863b72960e826ea524c21dfa793cb/rules/windows/registry_event/win_outlook_registry_todaypage.yml | Sigma |
| T1112 | d6a9b252-c666-4de6-8806-5561bbbd3bdc | windows | https://github.com/SigmaHQ/sigma/blob/503df469687fe4d14d2119a95723485d079ec0d9/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml | Sigma |
| T1112 | 7ec912f2-5175-4868-b811-ec13ad0f8567 | windows | https://github.com/SigmaHQ/sigma/blob/6d2acb166070541925636d1d1273e46020e38387/rules/windows/registry_event/sysmon_cve-2020-1048.yml | Sigma |
| T1112 | c74d7efc-8826-45d9-b8bb-f04fac9e4eff | windows | https://github.com/SigmaHQ/sigma/blob/6d2acb166070541925636d1d1273e46020e38387/rules/windows/registry_event/sysmon_runonce_persistence.yml | Sigma |
| T1112 | 5118765f-6657-4ddb-a487-d7bd673abbf1 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/malware/win_mal_flowcloud.yml | Sigma |
| T1112 | 198effb6-6c98-4d0c-9ea3-451fa143c45c | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runonce_execution.yml | Sigma |
| T1112 | 1a2d6c47-75b0-45bd-b133-2c0be75349fd | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml | Sigma |
| T1112 | b0524451-19af-4efa-a46f-562a977f792e | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_shimcache_flush.yml | Sigma |
| T1112 | 68fcba0d-73a5-475e-a915-e8b4c576827e | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml | Sigma |
| T1112 | 0b80ade5-6997-4b1d-99a1-71701778ea61 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_regedit_import_keys_ads.yml | Sigma |
| T1112 | ddd171b5-2cc6-4975-9e78-f0eccd08cc76 | windows | https://github.com/SigmaHQ/sigma/blob/ae06ebcae08863b72960e826ea524c21dfa793cb/rules/windows/registry_event/win_outlook_registry_webview.yml | Sigma |
| T1112 | 41904ebe-d56c-4904-b9ad-7a77bdf154b3 | windows | https://github.com/SigmaHQ/sigma/blob/8aabb58eca06cc44ae21ae4d091793d8c5ca6a23/rules/windows/registry_event/sysmon_rdp_registry_modification.yml | Sigma |
| T1112 | 77946e79-97f1-45a2-84b4-f37b5c0d8682 | windows | https://github.com/SigmaHQ/sigma/blob/5e62cc2094692aa241173a5f7caa362730c24e95/rules/windows/process_creation/win_regini_ads.yml | Sigma |
| T1112 | c3198a27-23a0-4c2c-af19-e5328d49680e | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/malware/win_mal_blue_mockingbird.yml | Sigma |
| T1112 | 73bba97f-a82d-42ce-b315-9182e76c57b1 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_regedit_import_keys.yml | Sigma |
| T1112 | 5f60740a-f57b-4e76-82a1-15b6ff2cb134 | windows | https://github.com/SigmaHQ/sigma/blob/5e62cc2094692aa241173a5f7caa362730c24e95/rules/windows/process_creation/win_regini.yml | Sigma |
| T1112 | 9d3436ef-9476-4c43-acca-90ce06bdf33a | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml | Sigma |
| T1112 | 96f697b0-b499-4e5d-9908-a67bec11cdb6 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml | Sigma |
| T1112 | 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml | Sigma |
| T1112 | 919f2ef0-be2d-4a7a-b635-eb2b41fde044 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml | Sigma |
| T1112 | d67572a0-e2ec-45d6-b8db-c100d14b8ef2 | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/builtin/win_net_ntlm_downgrade.yml | Sigma |
| T1112 | e61e8a88-59a9-451c-874e-70fcc9740d67 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml | Sigma |
| T1112 | 8f02c935-effe-45b3-8fc9-ef8696a9e41d | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_non_priv_reg_or_ps.yml | Sigma |
| T1112 | b7b19cb6-9b32-4fc4-a108-73f19acfe262 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_vboxdrvInst.yml | Sigma |
| T1112 | 4ac5fc44-a601-4c06-955b-309df8c4e9d4 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml | Sigma |
| T1112 | 54902e45-3467-49a4-8abc-529f2c8cfb80 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/persistence_registry_uncommon.toml | Elastic |
| T1112 | a6b3ab4e-dd77-4213-95fa-fc94701995e0 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/suspicious_reg_exe_process.yml | Splunk |
| T1112 | e3d3f57a-c381-11eb-9e35-acde48001122 | windows | https://github.com/splunk/security_content/blob/67de89544171c73547393ff80f65f744a5d5db0f/detections/endpoint/revil_registry_entry.yml | Splunk |
| T1112 | 909f8fd8-7ac8-11eb-a1f3-acde48001122 | windows | https://github.com/splunk/security_content/blob/5c22609da7571bb08495cf84c86acef383250bb4/detections/endpoint/fodhelper_uac_bypass.yml | Splunk |
| T1113 | 0877ed01-da46-4c49-8476-d49cdd80dfa7 | linux | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/linux/macos_screencapture.yml | Sigma |
| T1113 | 2158f96f-43c2-43cb-952a-ab4580f32382 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml | Sigma |
| T1113 | 666ecfc7-229d-42b8-821e-1a8f8cb7057c | windows | https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/image_load/sysmon_susp_system_drawing_load.yml | Sigma |
| T1113 | 01fc7d91-eb0c-478e-8633-e4fa4904463a | windows | https://github.com/splunk/security_content/blob/fc82334017f5005417bf4541fbcf28007e27761a/detections/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.yml | Splunk |
| T1120 | 0 | | | |
| T1129 | 0 | | | |
| T1133 | f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_susp_failed_logon_source.yml | Sigma |
| T1134 | 843544a7-56e0-4dcc-a44f-5cc266dd97d6 | windows | https://github.com/SigmaHQ/sigma/blob/a30391f3b4965e5beefa14fe264d7196881b115f/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | Sigma |
| T1134 | 15619216-e993-4721-b590-4c520615a67d | windows | https://github.com/SigmaHQ/sigma/blob/a30391f3b4965e5beefa14fe264d7196881b115f/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | Sigma |
| T1134 | 6c5808ee-85a2-4e56-8137-72e5876a5096 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml | Sigma |
| T1134 | 2632954e-db1c-49cb-9936-67d1ef1d17d2 | windows | https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_susp_add_sid_history.yml | Sigma |
| T1135 | 0 | | | |
| T1140 | CAR-2021-05-009 | windows | https://car.mitre.org/analytics/CAR-2021-05-009 | CAR |
| T1189 | 0 | | | |
| T1190 | 0 | | | |
| T1193 | 0 | | | |
| T1199 | 0 | | | |
| T1204.002 | CAR-2021-05-002 | windows | https://car.mitre.org/analytics/CAR-2021-05-002 | CAR |
| T1211 | 0 | | | |
| T1212 | 0 | | | |
| T1218.001 | CAR-2020-11-009 | windows | https://car.mitre.org/analytics/CAR-2020-11-009 | CAR |
| T1218.005 | 0 | | | |
| T1218.007 | 0 | | | |
| T1218.010 | CAR-2019-04-002 | windows | https://car.mitre.org/analytics/CAR-2019-04-002 | CAR |
| T1218.010 | CAR-2019-04-003 | windows | https://car.mitre.org/analytics/CAR-2019-04-003 | CAR |
| T1218.011 | CAR-2014-03-006 | windows | https://car.mitre.org/analytics/CAR-2014-03-006 | CAR |
| T1222.001 | CAR-2019-07-001 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2019-07-001 | CAR |
| T1482 | 0 | | | |
| T1486 | 0 | | | |
| T1489 | 0 | | | |
| T1490 | CAR-2020-04-001 | windows | https://car.mitre.org/analytics/CAR-2020-04-001 | CAR |
| T1490 | CAR-2021-01-009 | windows | https://car.mitre.org/analytics/CAR-2021-01-009 | CAR |
| T1490 | CAR-2021-05-003 | windows | https://car.mitre.org/analytics/CAR-2021-05-003 | CAR |
| T1497 | 0 | | | |
| T1518 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1543.003 | CAR-2013-01-002 | windows | https://car.mitre.org/analytics/CAR-2013-01-002 | CAR |
| T1543.003 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1543.003 | CAR-2013-09-005 | windows | https://car.mitre.org/analytics/CAR-2013-09-005 | CAR |
| T1543.003 | CAR-2014-02-001 | windows | https://car.mitre.org/analytics/CAR-2014-02-001 | CAR |
| T1543.003 | CAR-2014-03-005 | windows | https://car.mitre.org/analytics/CAR-2014-03-005 | CAR |
| T1543.003 | CAR-2014-05-002 | windows | https://car.mitre.org/analytics/CAR-2014-05-002 | CAR |
| T1547.001 | CAR-2013-01-002 | windows | https://car.mitre.org/analytics/CAR-2013-01-002 | CAR |
| T1547.001 | CAR-2013-03-001 | windows | https://car.mitre.org/analytics/CAR-2013-03-001 | CAR |
| T1547.001 | CAR-2020-05-003 | windows | https://car.mitre.org/analytics/CAR-2020-05-003 | CAR |
| T1548.002 | CAR-2013-10-002 | windows | https://car.mitre.org/analytics/CAR-2013-10-002 | CAR |
| T1548.002 | CAR-2019-04-001 | windows | https://car.mitre.org/analytics/CAR-2019-04-001 | CAR |
| T1548.002 | CAR-2021-01-008 | windows | https://car.mitre.org/analytics/CAR-2021-01-008 | CAR |
| T1552.001 | CAR-2020-09-004 | windows | https://car.mitre.org/analytics/CAR-2020-09-004 | CAR |
| T1552.001 | 792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/azure/credential_access_key_vault_modified.toml | Elastic |
| T1552.001 | 6b84d470-9036-4cc0-a27c-6d90bbfe81ab | linux | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/linux/credential_access_collection_sensitive_files.toml | Elastic |
| T1553.002 | 56557cde-d923-4b88-adee-c61b3f3b5dc3 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_cve_2020_0601.toml | Elastic |
| T1562.001 | CAR-2013-04-002 | windows,linux,mac | https://car.mitre.org/analytics/CAR-2013-04-002 | CAR |
| T1562.001 | CAR-2016-04-003 | windows | https://car.mitre.org/analytics/CAR-2016-04-003 | CAR |
| T1562.001 | CAR-2021-01-007 | windows | https://car.mitre.org/analytics/CAR-2021-01-007 | CAR |
| T1562.001 | 70fa1af4-27fd-4f26-bd03-50b6af6b9e24 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml | Elastic |
| T1562.001 | eb9eb8ba-a983-41d9-9c93-a1c05112ca5e | linux | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/linux/defense_evasion_disable_selinux_attempt.toml | Elastic |
| T1562.001 | 074464f9-f30d-4029-8c03-0ed237fffec7 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml | Elastic |
| T1562.001 | 3535c8bb-3bd5-40f4-ae32-b7cd589d5372 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_port_forwarding_added_registry.toml | Elastic |
| T1562.001 | 4b438734-3793-4fda-bd42-ceeada0be8f9 | windows | https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml | Elastic |
| T1562.001 | 035889c4-2686-4583-a7df-67f89c292f2c | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_stop_process_service_threshold.toml | Elastic |
| T1562.001 | 9aa0e1f6-52ce-42e1-abb3-09657cee2698 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml | Elastic |
| T1562.001 | 2f8a1226-5720-437d-9c20-e0029deb6194 | linux | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml | Elastic |
| T1562.001 | f683dcdf-a018-4801-b066-193d4ae6c8e5 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/defense_evasion_apple_softupdates_modification.toml | Elastic |
| T1562.001 | 125417b8-d3df-479f-8418-12d7e034fee3 | linux | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml | Elastic |
| T1562.001 | f874315d-5188-4b4a-8521-d1c73093a7e4 | windows | https://github.com/elastic/detection-rules/blob/fce022c27568bdaaa063545a659bce764f97d79e/rules/windows/defense_evasion_amsienable_key_mod.toml | Elastic |
| T1562.001 | eea82229-b002-470e-a9e1-00be38b14d32 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml | Elastic |
| T1562.001 | 6482255d-f468-45ea-a5b3-d3a7de1331ae | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/defense_evasion_safari_config_change.toml | Elastic |
| T1562.001 | 2ffa1f1e-b6db-47fa-994b-1512743847eb | windows | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/defense_evasion_defender_disabled_via_registry.toml | Elastic |
| T1562.001 | fbd44836-0d69-4004-a0b4-03c20370c435 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_configuration_recorder_stopped.toml | Elastic |
| T1562.001 | f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7 | mac | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml | Elastic |
| T1562.001 | 5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml | Elastic |
| T1562.001 | 7024e2a0-315d-4334-bb1a-441c593e16ab | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml | Elastic |
| T1562.001 | 91d04cd4-47a9-4334-ab14-084abe274d49 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_waf_acl_deletion.toml | Elastic |
| T1562.001 | 5beaebc1-cc13-4bfc-9949-776f9e0dc318 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml | Elastic |
| T1562.001 | f772ec8a-e182-483c-91d2-72058f76a44c | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml | Elastic |
| T1562.001 | 9395fd2c-9947-4472-86ef-4aceb2f7e872 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_ec2_flow_log_deletion.toml | Elastic |
| T1562.001 | e02bd3ea-72c6-4181-ac2b-0f83d17ad969 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/azure/defense_evasion_firewall_policy_deletion.toml | Elastic |
| T1562.001 | 1aa8fa52-44a7-4dae-b058-f3333b91c8d7 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml | Elastic |
| T1562.001 | 523116c0-d89d-4d7c-82c2-39e6845a78ef | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/defense_evasion_guardduty_detector_deletion.toml | Elastic |
| T1562.001 | 323cb487-279d-4218-bcbd-a568efe930c6 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/azure/defense_evasion_network_watcher_deletion.toml | Elastic |
| T1562.001 | b9960fef-82c6-4816-befa-44745030e917 | windows | https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml | Elastic |
| T1562.001 | e0f36de1-0342-453d-95a9-a068b257b053 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/azure/defense_evasion_event_hub_deletion.toml | Elastic |
| T1562.001 | 68a7a5a5-a2fc-4a76-ba9f-26849de881b4 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/impact_cloudwatch_log_group_deletion.toml | Elastic |
| T1562.001 | d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17 | cloud | https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/aws/impact_cloudwatch_log_stream_deletion.toml | Elastic |
