Sigma non-Windows coverage

1,017 non-Windows Sigma detection rules across 14 platforms, grouped by MITRE ATT&CK technique within each platform. The Windows coverage matrix lives at /rules/sigma/; this page reorganizes the same corpus along platform × technique because non-Windows rules have no catalog event IDs to plot.

For coverage organized by each platform's native action vocabulary across all vendors, see the platform matrices: AWS, Azure AD, GCP, M365, Okta. This page is the vendor-organized view of the same rules.


Linux

Reconnaissance

Gather Victim Host Information: Client Configurations T1592.004 3 rules
Gather Victim Identity Information T1589 1 rule
Search Open Websites/Domains: Code Repositories T1593.003 1 rule
No specific technique 1 rule

Resource Development

Develop Capabilities T1587 2 rules
Compromise Infrastructure T1584 1 rule
Obtain Capabilities T1588 1 rule
Obtain Capabilities: Malware T1588.001 1 rule

Initial Access

Exploit Public-Facing Application T1190 13 rules
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 6 rules

Execution

Command and Scripting Interpreter T1059 17 rules
Command and Scripting Interpreter: Unix Shell T1059.004 16 rules
Command and Scripting Interpreter: Hypervisor CLI T1059.012 9 rules
Exploitation for Client Execution T1203 6 rules
Scheduled Task/Job: Cron T1053.003 4 rules
Command and Scripting Interpreter: Python T1059.006 3 rules
Command and Scripting Interpreter: Windows Command Shell T1059.003 2 rules
Scheduled Task/Job: At T1053.002 1 rule
Native API T1106 1 rule
User Execution T1204 1 rule
User Execution: Malicious Link T1204.001 1 rule
No specific technique 15 rules

Persistence

Server Software Component: Web Shell T1505.003 4 rules
Create or Modify System Process: Systemd Service T1543.002 4 rules
Account Manipulation T1098 2 rules
Create Account: Local Account T1136.001 2 rules
Compromise Host Software Binary T1554 2 rules
External Remote Services T1133 1 rule
Create Account T1136 1 rule
Server Software Component: SQL Stored Procedures T1505.001 1 rule
Create or Modify System Process: Windows Service T1543.003 1 rule
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 1 rule
Power Settings T1653 1 rule
No specific technique 5 rules

Privilege Escalation

Exploitation for Privilege Escalation T1068 9 rules
Abuse Elevation Control Mechanism T1548 6 rules
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 3 rules
Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001 2 rules
Event Triggered Execution: Unix Shell Configuration Modification T1546.004 1 rule
No specific technique 2 rules

Stealth

Deobfuscate/Decode Files or Information T1140 6 rules
Obfuscated Files or Information: Steganography T1027.003 4 rules
Obfuscated Files or Information T1027 3 rules
Masquerading T1036 2 rules
Process Injection: Proc Memory T1055.009 2 rules
Indicator Removal: Timestomp T1070.006 2 rules
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 2 rules
Rootkit T1014 1 rule
Obfuscated Files or Information: Binary Padding T1027.001 1 rule
Obfuscated Files or Information: Command Obfuscation T1027.010 1 rule
Masquerading: Rename Legitimate Utilities T1036.003 1 rule
Indicator Removal T1070 1 rule
Indicator Removal: Clear Command History T1070.003 1 rule
Indicator Removal: File Deletion T1070.004 1 rule
Hide Artifacts T1564 1 rule
Hide Artifacts: Hidden Files and Directories T1564.001 1 rule
Hijack Execution Flow: DLL T1574.001 1 rule
No specific technique 7 rules

Defense Impairment

Disable or Modify Tools T1685 7 rules
Disable or Modify System Firewall T1686 7 rules
File and Directory Permissions Modification: Linux and Mac Permissions T1222.002 4 rules
Disable or Modify Tools: Clear Linux or Mac System Logs T1685.006 3 rules
Subvert Trust Controls: Install Root Certificate T1553.004 2 rules
Disable or Modify Tools: Disable or Modify Linux Audit System Log T1685.004 1 rule
Prevent Command History Logging T1690 1 rule

Credential Access

Unsecured Credentials: Credentials In Files T1552.001 5 rules
OS Credential Dumping T1003 2 rules
OS Credential Dumping: LSASS Memory T1003.001 1 rule
OS Credential Dumping: Security Account Manager T1003.002 1 rule
Network Sniffing T1040 1 rule
Exploitation for Credential Access T1212 1 rule
Unsecured Credentials T1552 1 rule
Unsecured Credentials: Shell History T1552.003 1 rule
Steal or Forge Kerberos Tickets T1558 1 rule

Discovery

File and Directory Discovery T1083 11 rules
System Information Discovery T1082 9 rules
System Service Discovery T1007 6 rules
System Owner/User Discovery T1033 6 rules
Network Service Discovery T1046 3 rules
Process Discovery T1057 2 rules
System Network Configuration Discovery T1016 1 rule
Remote System Discovery T1018 1 rule
System Network Connections Discovery T1049 1 rule
Permission Groups Discovery: Local Groups T1069.001 1 rule
Account Discovery: Local Account T1087.001 1 rule
Password Policy Discovery T1201 1 rule
Software Discovery: Security Software Discovery T1518.001 1 rule

Collection

Clipboard Data T1115 3 rules
Data from Local System T1005 2 rules
Screen Capture T1113 2 rules
Archive Collected Data: Archive via Utility T1560.001 2 rules
Input Capture: Keylogging T1056.001 1 rule
Automated Collection T1119 1 rule
Audio Capture T1123 1 rule

Command & Control

Ingress Tool Transfer T1105 7 rules
Proxy T1090 3 rules
Web Service T1102 2 rules
Remote Access Tools: Remote Desktop Software T1219.002 2 rules
Protocol Tunneling T1572 2 rules
Application Layer Protocol: Web Protocols T1071.001 1 rule
Dynamic Resolution: Domain Generation Algorithms T1568.002 1 rule
Non-Standard Port T1571 1 rule
No specific technique 1 rule

Exfiltration

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 2 rules
Exfiltration Over Web Service T1567 2 rules
Data Transfer Size Limits T1030 1 rule
Exfiltration Over C2 Channel T1041 1 rule

Impact

System Shutdown/Reboot T1529 3 rules
Data Manipulation: Stored Data Manipulation T1565.001 3 rules
Data Destruction T1485 2 rules
Service Stop T1489 2 rules
Resource Hijacking T1496 2 rules
Account Access Removal T1531 2 rules
Data Encrypted for Impact T1486 1 rule
Endpoint Denial of Service T1499 1 rule
No specific technique 1 rule

macOS

Resource Development

Obtain Capabilities T1588 1 rule

Initial Access

Supply Chain Compromise: Compromise Software Supply Chain T1195.002 2 rules
Drive-by Compromise T1189 1 rule
Exploit Public-Facing Application T1190 1 rule
Phishing: Spearphishing Attachment T1566.001 1 rule
Phishing: Spearphishing Link T1566.002 1 rule

Execution

Command and Scripting Interpreter: AppleScript T1059.002 9 rules
Command and Scripting Interpreter T1059 4 rules
User Execution T1204 4 rules
Command and Scripting Interpreter: JavaScript T1059.007 3 rules
Inter-Process Communication T1559 3 rules
Exploitation for Client Execution T1203 2 rules
Scheduled Task/Job: Cron T1053.003 1 rule
Command and Scripting Interpreter: Unix Shell T1059.004 1 rule
Command and Scripting Interpreter: Python T1059.006 1 rule
User Execution: Malicious Link T1204.001 1 rule
User Execution: Malicious File T1204.002 1 rule
System Services: Launchctl T1569.001 1 rule
No specific technique 3 rules

Persistence

Create or Modify System Process: Launch Agent T1543.001 3 rules
Create or Modify System Process: Launch Daemon T1543.004 3 rules
Create Account: Local Account T1136.001 2 rules
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 2 rules
Boot or Logon Initialization Scripts: Startup Items T1037.005 1 rule
Account Manipulation T1098 1 rule
External Remote Services T1133 1 rule
Office Application Startup: Office Test T1137.002 1 rule
Server Software Component: SQL Stored Procedures T1505.001 1 rule
Server Software Component: Web Shell T1505.003 1 rule
Create or Modify System Process T1543 1 rule
Boot or Logon Autostart Execution T1547 1 rule
No specific technique 1 rule

Privilege Escalation

Exploitation for Privilege Escalation T1068 2 rules
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 2 rules
Event Triggered Execution: Emond T1546.014 1 rule
Abuse Elevation Control Mechanism T1548 1 rule
Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001 1 rule
No specific technique 1 rule

Stealth

Valid Accounts: Local Accounts T1078.003 4 rules
Impair Defenses: Disable or Modify Tools T1562.001 3 rules
Indicator Removal: File Deletion T1070.004 2 rules
Valid Accounts T1078 2 rules
Valid Accounts: Default Accounts T1078.001 2 rules
Deobfuscate/Decode Files or Information T1140 2 rules
Virtualization/Sandbox Evasion: System Checks T1497.001 2 rules
Hide Artifacts: Hidden Files and Directories T1564.001 2 rules
Rootkit T1014 1 rule
Obfuscated Files or Information T1027 1 rule
Obfuscated Files or Information: Binary Padding T1027.001 1 rule
Masquerading: Rename Legitimate Utilities T1036.003 1 rule
Masquerading: Space after Filename T1036.006 1 rule
Indicator Removal: Timestomp T1070.006 1 rule
Valid Accounts: Cloud Accounts T1078.004 1 rule
System Binary Proxy Execution T1218 1 rule
Impair Defenses: Disable or Modify System Firewall T1562.004 1 rule
Hide Artifacts: Hidden Users T1564.002 1 rule
Hide Artifacts: NTFS File Attributes T1564.004 1 rule
No specific technique 1 rule

Defense Impairment

File and Directory Permissions Modification T1222 2 rules
Subvert Trust Controls: Gatekeeper Bypass T1553.001 2 rules
Domain or Tenant Policy Modification T1484 1 rule
Subvert Trust Controls T1553 1 rule
Subvert Trust Controls: Code Signing T1553.002 1 rule
Modify Authentication Process T1556 1 rule
Disable or Modify Tools T1685 1 rule
Disable or Modify Tools: Clear Linux or Mac System Logs T1685.006 1 rule

Credential Access

Unsecured Credentials: Credentials In Files T1552.001 2 rules
Credentials from Password Stores: Keychain T1555.001 2 rules
OS Credential Dumping: LSASS Memory T1003.001 1 rule
OS Credential Dumping: Security Account Manager T1003.002 1 rule
Network Sniffing T1040 1 rule
Brute Force T1110 1 rule
Unsecured Credentials: Shell History T1552.003 1 rule
Credentials from Password Stores T1555 1 rule
Steal or Forge Kerberos Tickets T1558 1 rule

Discovery

System Information Discovery T1082 4 rules
Software Discovery: Security Software Discovery T1518.001 3 rules
File and Directory Discovery T1083 2 rules
System Network Configuration Discovery T1016 1 rule
Remote System Discovery T1018 1 rule
Network Service Discovery T1046 1 rule
System Network Connections Discovery T1049 1 rule
Permission Groups Discovery: Local Groups T1069.001 1 rule
Account Discovery: Local Account T1087.001 1 rule
No specific technique 1 rule

Lateral Movement

Remote Services: SSH T1021.004 2 rules
Remote Service Session Hijacking T1563 2 rules
Remote Services T1021 1 rule
Remote Services: SMB/Windows Admin Shares T1021.002 1 rule
Remote Services: VNC T1021.005 1 rule
Lateral Tool Transfer T1570 1 rule

Collection

Clipboard Data T1115 2 rules
Archive Collected Data: Archive via Utility T1560.001 2 rules
Data from Network Shared Drive T1039 1 rule
Input Capture: GUI Input Capture T1056.002 1 rule
Screen Capture T1113 1 rule
No specific technique 1 rule

Command & Control

Ingress Tool Transfer T1105 6 rules
Remote Access Tools: Remote Desktop Software T1219.002 3 rules
Application Layer Protocol: Web Protocols T1071.001 2 rules
Application Layer Protocol T1071 1 rule
Application Layer Protocol: DNS T1071.004 1 rule
Dynamic Resolution T1568 1 rule
Dynamic Resolution: Domain Generation Algorithms T1568.002 1 rule
No specific technique 4 rules

Exfiltration

Data Transfer Size Limits T1030 1 rule
Exfiltration Over C2 Channel T1041 1 rule
Transfer Data to Cloud Account T1537 1 rule
Exfiltration Over Web Service T1567 1 rule
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule
No specific technique 1 rule

Impact

Inhibit System Recovery T1490 3 rules
Data Encrypted for Impact T1486 2 rules
Service Stop T1489 2 rules
System Shutdown/Reboot T1529 2 rules
Data Destruction T1485 1 rule
Data Manipulation: Stored Data Manipulation T1565.001 1 rule
No specific technique 1 rule

Untagged

AWS

Reconnaissance

No specific technique 1 rule

Resource Development

Stage Capabilities: Install Digital Certificate T1608.003 1 rule

Initial Access

Exploit Public-Facing Application T1190 3 rules
Phishing: Spearphishing Link T1566.002 1 rule
No specific technique 3 rules

Execution

Command and Scripting Interpreter: Cloud API T1059.009 3 rules
Command and Scripting Interpreter: PowerShell T1059.001 1 rule
Command and Scripting Interpreter: Windows Command Shell T1059.003 1 rule
Command and Scripting Interpreter: Unix Shell T1059.004 1 rule

Persistence

Account Manipulation: Additional Cloud Credentials T1098.001 5 rules
Account Manipulation T1098 4 rules
Create Account: Cloud Account T1136.003 3 rules
Account Manipulation: Additional Cloud Roles T1098.003 2 rules
Implant Internal Image T1525 1 rule
No specific technique 2 rules

Privilege Escalation

Abuse Elevation Control Mechanism T1548 3 rules
No specific technique 3 rules

Stealth

Valid Accounts: Cloud Accounts T1078.004 12 rules
Impair Defenses: Disable or Modify Cloud Logs T1562.008 6 rules
Valid Accounts T1078 4 rules
Indicator Removal T1070 1 rule
Valid Accounts: Domain Accounts T1078.002 1 rule
No specific technique 2 rules

Defense Impairment

Disable or Modify Tools: Disable or Modify Cloud Log T1685.002 3 rules
Disable or Modify Tools T1685 2 rules
Disable or Modify System Firewall: Cloud Firewall T1686.001 2 rules
Modify Authentication Process T1556 1 rule

Credential Access

Credentials from Password Stores T1555 2 rules
OS Credential Dumping T1003 1 rule
Brute Force T1110 1 rule

Discovery

Account Discovery: Cloud Account T1087.004 3 rules
Cloud Infrastructure Discovery T1580 2 rules
Cloud Storage Object Discovery T1619 1 rule
No specific technique 1 rule

Lateral Movement

Use Alternate Authentication Material: Application Access Token T1550.001 4 rules
Remote Services: Cloud Services T1021.007 1 rule

Collection

Data from Local System T1005 1 rule

Command & Control

No specific technique 1 rule

Exfiltration

Automated Exfiltration T1020 3 rules
Transfer Data to Cloud Account T1537 3 rules
No specific technique 1 rule

Impact

Account Access Removal T1531 3 rules
Data Destruction T1485 2 rules
Data Encrypted for Impact T1486 2 rules
Inhibit System Recovery T1490 1 rule
Data Manipulation T1565 1 rule
No specific technique 1 rule

Azure

Reconnaissance

Gather Victim Identity Information T1589 1 rule

Execution

Scheduled Task/Job: Cron T1053.003 1 rule
Command and Scripting Interpreter T1059 1 rule
No specific technique 2 rules

Persistence

Account Manipulation T1098 4 rules
Account Manipulation: Additional Cloud Roles T1098.003 4 rules
Account Manipulation: Additional Cloud Credentials T1098.001 1 rule
Account Manipulation: Device Registration T1098.005 1 rule
No specific technique 3 rules

Privilege Escalation

Abuse Elevation Control Mechanism T1548 5 rules
No specific technique 1 rule

Stealth

Valid Accounts T1078 28 rules
Valid Accounts: Cloud Accounts T1078.004 28 rules
Deobfuscate/Decode Files or Information T1140 1 rule
No specific technique 3 rules

Defense Impairment

Modify Authentication Process T1556 8 rules
Disable or Modify System Firewall: Cloud Firewall T1686.001 3 rules
Domain or Tenant Policy Modification T1484 1 rule
Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule
Modify Cloud Compute Infrastructure T1578 1 rule
Modify Cloud Compute Infrastructure: Delete Cloud Instance T1578.003 1 rule
Disable or Modify Tools T1685 1 rule

Credential Access

Brute Force T1110 10 rules
Steal Application Access Token T1528 8 rules
Unsecured Credentials: Credentials In Files T1552.001 3 rules
Unsecured Credentials T1552 2 rules
Multi-Factor Authentication Request Generation T1621 2 rules
OS Credential Dumping T1003 1 rule
Unsecured Credentials: Container API T1552.007 1 rule
Adversary-in-the-Middle T1557 1 rule
Forge Web Credentials T1606 1 rule
No specific technique 1 rule

Discovery

Account Discovery: Cloud Account T1087.004 1 rule
Cloud Service Discovery T1526 1 rule

Collection

Email Collection: Email Forwarding Rule T1114.003 1 rule

Command & Control

Proxy T1090 3 rules

Impact

Data Destruction T1485 8 rules
Service Stop T1489 8 rules
Resource Hijacking T1496 7 rules
Data Manipulation: Stored Data Manipulation T1565.001 2 rules
Account Access Removal T1531 1 rule
No specific technique 11 rules

GCP

Execution

No specific technique 1 rule

Persistence

Account Manipulation T1098 1 rule
No specific technique 1 rule

Privilege Escalation

Abuse Elevation Control Mechanism T1548 1 rule
No specific technique 1 rule

Stealth

Valid Accounts T1078 1 rule

Defense Impairment

Disable or Modify Tools T1685 1 rule

Credential Access

Unsecured Credentials: Container API T1552.007 1 rule
No specific technique 2 rules

Discovery

No specific technique 1 rule

Collection

Data Staged T1074 1 rule

Impact

Account Access Removal T1531 1 rule
Data Manipulation T1565 1 rule
No specific technique 5 rules

Microsoft 365

Initial Access

Trusted Relationship T1199 1 rule
Phishing: Spearphishing Attachment T1566.001 1 rule
Phishing: Spearphishing Link T1566.002 1 rule

Persistence

Create Account: Cloud Account T1136.003 1 rule

Stealth

Valid Accounts T1078 3 rules
Hide Artifacts: Email Hiding Rules T1564.008 2 rules

Defense Impairment

Domain or Tenant Policy Modification: Trust Modification T1484.002 1 rule
Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule

Collection

Email Collection T1114 2 rules
Email Collection: Email Forwarding Rule T1114.003 2 rules

Command & Control

Encrypted Channel T1573 3 rules

Exfiltration

Automated Exfiltration T1020 2 rules
Transfer Data to Cloud Account T1537 1 rule
No specific technique 1 rule

Impact

Data Destruction T1485 1 rule
Data Encrypted for Impact T1486 1 rule
No specific technique 1 rule

Google Workspace

Persistence

Account Manipulation T1098 2 rules
Account Manipulation: Additional Cloud Roles T1098.003 1 rule

Stealth

Valid Accounts T1078 1 rule
Valid Accounts: Cloud Accounts T1078.004 1 rule

Collection

Email Collection: Email Forwarding Rule T1114.003 1 rule

Impact

No specific technique 4 rules

Okta

Resource Development

Compromise Accounts: Cloud Accounts T1586.003 1 rule

Initial Access

Phishing T1566 1 rule

Persistence

Account Manipulation: Additional Cloud Credentials T1098.001 1 rule
Account Manipulation: Additional Cloud Roles T1098.003 1 rule
No specific technique 2 rules

Stealth

Valid Accounts: Cloud Accounts T1078.004 1 rule

Defense Impairment

Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule
Disable or Modify Tools T1685 1 rule

Credential Access

Unsecured Credentials T1552 1 rule
No specific technique 4 rules

Command & Control

No specific technique 1 rule

Impact

Account Access Removal T1531 1 rule
No specific technique 7 rules

GitHub

Initial Access

Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 1 rule

Persistence

Account Manipulation: Additional Cloud Credentials T1098.001 1 rule
Account Manipulation: Additional Cloud Roles T1098.003 1 rule
Create Account: Cloud Account T1136.003 1 rule
No specific technique 1 rule

Stealth

Valid Accounts: Cloud Accounts T1078.004 3 rules

Defense Impairment

Disable or Modify Tools T1685 3 rules
Modify Authentication Process T1556 1 rule
No specific technique 1 rule

Discovery

Cloud Service Discovery T1526 1 rule

Collection

Data from Information Repositories: Code Repositories T1213.003 3 rules

Exfiltration

Automated Exfiltration T1020 2 rules
Transfer Data to Cloud Account T1537 2 rules
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 1 rule

Impact

No specific technique 1 rule

Kubernetes

Execution

Container Administration Command T1609 3 rules
No specific technique 1 rule

Persistence

Create Account T1136 1 rule
No specific technique 1 rule

Privilege Escalation

Escape to Host T1611 2 rules
No specific technique 3 rules

Stealth

Masquerading: Match Legitimate Resource Name or Location T1036.005 1 rule
Indicator Removal T1070 1 rule
Valid Accounts T1078 1 rule

Credential Access

Unsecured Credentials: Container API T1552.007 2 rules
No specific technique 1 rule

Discovery

Permission Groups Discovery: Cloud Groups T1069.003 1 rule
Account Discovery: Cloud Account T1087.004 1 rule
Container and Resource Discovery T1613 1 rule

Impact

Network Denial of Service T1498 1 rule

Network

Reconnaissance

Active Scanning: Vulnerability Scanning T1595.002 1 rule

Initial Access

Exploit Public-Facing Application T1190 2 rules
No specific technique 3 rules

Execution

Scheduled Task/Job: At T1053.002 2 rules
System Services: Service Execution T1569.002 2 rules
Windows Management Instrumentation T1047 1 rule
Scheduled Task/Job T1053 1 rule
Exploitation for Client Execution T1203 1 rule
No specific technique 1 rule

Persistence

Create Account: Local Account T1136.001 3 rules
External Remote Services T1133 2 rules
Account Manipulation T1098 1 rule
Server Software Component T1505 1 rule
Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 1 rule
No specific technique 1 rule

Privilege Escalation

Exploitation for Privilege Escalation T1068 1 rule
No specific technique 2 rules

Stealth

Valid Accounts T1078 4 rules
Indicator Removal: Clear Command History T1070.003 1 rule
Indicator Removal: File Deletion T1070.004 1 rule
No specific technique 1 rule

Defense Impairment

Disable or Modify Tools T1685 4 rules
Subvert Trust Controls: Install Root Certificate T1553.004 1 rule
Modify Authentication Process: Network Device Authentication T1556.004 1 rule

Credential Access

Brute Force T1110 4 rules
Adversary-in-the-Middle T1557 4 rules
OS Credential Dumping: Security Account Manager T1003.002 2 rules
OS Credential Dumping: NTDS T1003.003 2 rules
Forced Authentication T1187 2 rules
Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 2 rules
OS Credential Dumping: LSASS Memory T1003.001 1 rule
OS Credential Dumping: LSA Secrets T1003.004 1 rule
Network Sniffing T1040 1 rule
Unsecured Credentials: Credentials In Files T1552.001 1 rule
Unsecured Credentials: Shell History T1552.003 1 rule
Unsecured Credentials: Private Keys T1552.004 1 rule
Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 1 rule
No specific technique 2 rules

Discovery

System Network Configuration Discovery T1016 1 rule
Remote System Discovery T1018 1 rule
System Owner/User Discovery T1033 1 rule
System Network Connections Discovery T1049 1 rule
Process Discovery T1057 1 rule
System Information Discovery T1082 1 rule
File and Directory Discovery T1083 1 rule
Account Discovery: Local Account T1087.001 1 rule
System Time Discovery T1124 1 rule
Password Policy Discovery T1201 1 rule

Lateral Movement

Remote Services: SMB/Windows Admin Shares T1021.002 3 rules
Remote Services: Remote Desktop Protocol T1021.001 1 rule
Remote Services: Windows Remote Management T1021.006 1 rule
Exploitation of Remote Services T1210 1 rule

Collection

Data from Local System T1005 1 rule
Data Staged T1074 1 rule
Archive Collected Data: Archive via Utility T1560.001 1 rule
No specific technique 1 rule

Command & Control

Application Layer Protocol: DNS T1071.004 3 rules
Application Layer Protocol: Web Protocols T1071.001 2 rules
Ingress Tool Transfer T1105 2 rules
Non-Application Layer Protocol T1095 1 rule
Web Service: Bidirectional Communication T1102.002 1 rule
Non-Standard Port T1571 1 rule
No specific technique 3 rules

Exfiltration

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 2 rules
Exfiltration Over Alternative Protocol T1048 1 rule
Exfiltration Over Web Service T1567 1 rule

Impact

Resource Hijacking T1496 2 rules
Inhibit System Recovery T1490 1 rule
Firmware Corruption T1495 1 rule
System Shutdown/Reboot T1529 1 rule
Disk Wipe: Disk Content Wipe T1561.001 1 rule
Disk Wipe: Disk Structure Wipe T1561.002 1 rule
Data Manipulation: Stored Data Manipulation T1565.001 1 rule
Data Manipulation: Transmitted Data Manipulation T1565.002 1 rule

Web

Reconnaissance

Gather Victim Network Information T1590 1 rule
Active Scanning T1595 1 rule

Resource Development

Compromise Infrastructure T1584 1 rule

Initial Access

Exploit Public-Facing Application T1190 10 rules
Phishing T1566 3 rules
Drive-by Compromise T1189 2 rules

Execution

User Execution: Malicious File T1204.002 3 rules
Exploitation for Client Execution T1203 2 rules

Persistence

Server Software Component: Web Shell T1505.003 3 rules

Stealth

BITS Jobs T1197 2 rules
Masquerading: Match Legitimate Resource Name or Location T1036.005 1 rule
Template Injection T1221 1 rule

Credential Access

Brute Force T1110 1 rule

Discovery

File and Directory Discovery T1083 1 rule

Lateral Movement

Exploitation of Remote Services T1210 1 rule

Collection

Input Capture T1056 1 rule

Command & Control

Application Layer Protocol: Web Protocols T1071.001 18 rules
Web Service: Dead Drop Resolver T1102.001 2 rules
Web Service: One-Way Communication T1102.003 2 rules
Web Service: Bidirectional Communication T1102.002 1 rule
Ingress Tool Transfer T1105 1 rule
Dynamic Resolution T1568 1 rule

Exfiltration

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule

Impact

Endpoint Denial of Service: Application or System Exploitation T1499.004 2 rules

Identity

Reconnaissance

No specific technique 1 rule

Initial Access

Phishing T1566 1 rule
No specific technique 1 rule

Persistence

Account Manipulation T1098 3 rules
Create Account T1136 3 rules

Privilege Escalation

Abuse Elevation Control Mechanism T1548 1 rule

Stealth

Impair Defenses: Disable or Modify Cloud Firewall T1562.007 14 rules
Valid Accounts T1078 3 rules

Credential Access

Brute Force: Credential Stuffing T1110.004 2 rules
Steal Application Access Token T1528 2 rules
Brute Force T1110 1 rule
Multi-Factor Authentication Request Generation T1621 1 rule
No specific technique 2 rules

Lateral Movement

Use Alternate Authentication Material: Web Session Cookie T1550.004 2 rules
Use Alternate Authentication Material: Application Access Token T1550.001 1 rule

Impact

Endpoint Denial of Service T1499 1 rule
Endpoint Denial of Service: Service Exhaustion Flood T1499.002 1 rule
No specific technique 2 rules

Application

Reconnaissance

Gather Victim Org Information: Identify Roles T1591.004 2 rules

Resource Development

Compromise Accounts T1586 2 rules

Initial Access

Exploit Public-Facing Application T1190 84 rules
Phishing: Spearphishing Attachment T1566.001 1 rule
No specific technique 7 rules

Execution

Scheduled Task/Job: At T1053.002 3 rules
Windows Management Instrumentation T1047 1 rule
Exploitation for Client Execution T1203 1 rule
User Execution: Malicious File T1204.002 1 rule
System Services: Service Execution T1569.002 1 rule
No specific technique 1 rule

Persistence

Server Software Component: Web Shell T1505.003 8 rules
External Remote Services T1133 4 rules
Account Manipulation T1098 1 rule
No specific technique 2 rules

Privilege Escalation

No specific technique 1 rule

Stealth

Valid Accounts T1078 3 rules
Process Injection T1055 1 rule
Valid Accounts: Cloud Accounts T1078.004 1 rule
No specific technique 1 rule

Defense Impairment

Disable or Modify Tools T1685 6 rules
Modify Registry T1112 1 rule

Credential Access

OS Credential Dumping T1003 4 rules
Brute Force T1110 2 rules

Discovery

Network Service Discovery T1046 5 rules
System Owner/User Discovery T1033 2 rules
System Information Discovery T1082 2 rules
System Network Configuration Discovery T1016 1 rule
Account Discovery T1087 1 rule
No specific technique 5 rules

Lateral Movement

Remote Services T1021 6 rules
Remote Services: SSH T1021.004 2 rules
Exploitation of Remote Services T1210 2 rules
Remote Services: Remote Desktop Protocol T1021.001 1 rule
Remote Services: Distributed Component Object Model T1021.003 1 rule
No specific technique 3 rules

Collection

Data from Information Repositories T1213 7 rules
Data from Information Repositories: Code Repositories T1213.003 2 rules
Data from Local System T1005 1 rule
Audio Capture T1123 1 rule

Command & Control

Application Layer Protocol: Web Protocols T1071.001 6 rules
Application Layer Protocol: DNS T1071.004 2 rules
Proxy T1090 1 rule
Dynamic Resolution T1568 1 rule
No specific technique 12 rules

Exfiltration

Exfiltration Over C2 Channel T1041 2 rules
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule

Impact

Network Denial of Service T1498 1 rule