{ "name": "SIGMA Rule Coverage", "version": "2.1", "domain": "mitre-enterprise", "description": "Accurate as of commit 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e", "filters": { "stages": [ "act" ], "platforms": [ "windows", "linux", "mac" ] }, "sorting": 0, "viewMode": 0, "hideDisabled": false, "techniques": [ { "techniqueID": "T1156", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1015", "tactic": "persistence", "score": 1, "color": "", "comment": "sysmon_stickykey_like_backdoor.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1015", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "sysmon_stickykey_like_backdoor.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1087", "tactic": "discovery", "score": 5, "color": "", "comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1098", "tactic": "credential-access", "score": 3, "color": "", "comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1098", "tactic": "persistence", "score": 3, "color": "", "comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1182", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1182", 
"tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1103", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1103", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1155", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1155", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1017", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1138", "tactic": "persistence", "score": 1, "color": "", "comment": "win_sdbinst_shim_persistence.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1138", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "win_sdbinst_shim_persistence.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1010", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1123", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1131", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1119", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_process_creation_bitsadmin_download.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1197", "tactic": "persistence", "score": 1, "color": "", "comment": 
"win_process_creation_bitsadmin_download.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1139", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1009", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1067", "tactic": "persistence", "score": 1, "color": "", "comment": "win_susp_bcdedit.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1217", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1176", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1088", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1088", "tactic": "privilege-escalation", "score": 3, "color": "", "comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1191", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1191", "tactic": "execution", "score": 2, "color": "", "comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1042", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1146", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "lnx_shell_clear_cmd_history.yml", "enabled": true, "metadata": [] }, { "techniqueID": 
"T1115", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1116", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1059", "tactic": "execution", "score": 12, "color": "", "comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1043", "tactic": "command-and-control", "score": 1, "color": "", "comment": "sysmon_malware_backconnect_ports.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1092", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1223", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1223", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1109", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1109", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1122", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1122", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1090", "tactic": "command-and-control", "score": 2, "color": "", "comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1196", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": 
true, "metadata": [] }, { "techniqueID": "T1196", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1136", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 23, "color": "", "comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1081", "tactic": "credential-access", "score": 1, "color": "", "comment": "apt_bear_activity_gtr19.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1214", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1094", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1024", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1038", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1038", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { 
"techniqueID": "T1038", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1073", "tactic": "defense-evasion", "score": 9, "color": "", "comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1002", "tactic": "exfiltration", "score": 1, "color": "", "comment": "apt_judgement_panda_gtr19.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1132", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1022", "tactic": "exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1001", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1074", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1030", "tactic": "exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1213", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1005", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1039", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1025", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1140", "tactic": "defense-evasion", "score": 4, "color": "", "comment": 
"win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1089", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1175", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "win_susp_mmc_source.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1172", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1157", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1157", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1173", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1114", "tactic": "collection", "score": 1, "color": "", "comment": "win_alert_hacktool_use.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1106", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1129", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1048", "tactic": "exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1011", "tactic": "exfiltration", "score": 1, "color": "", "comment": "sysmon_ssp_added_lsa_config.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1052", "tactic": 
"exfiltration", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 1, "color": "", "comment": "web_cve_2018_2894_weblogic_exploit.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1203", "tactic": "execution", "score": 2, "color": "", "comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1212", "tactic": "credential-access", "score": 3, "color": "", "comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "apt_hurricane_panda.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1133", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1181", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1181", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1107", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1006", "tactic": 
"defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1044", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1044", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1083", "tactic": "discovery", "score": 1, "color": "", "comment": "apt_turla_commands.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1144", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1061", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1148", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1200", "tactic": "initial-access", "score": 1, "color": "", "comment": "win_usb_device_plugged.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1158", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_attrib_hiding_files.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1158", "tactic": "persistence", "score": 1, "color": "", "comment": "win_attrib_hiding_files.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1147", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1143", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1179", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1179", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] 
}, { "techniqueID": "T1179", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1062", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1183", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "sysmon_win_reg_persistence.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1183", "tactic": "persistence", "score": 1, "color": "", "comment": "sysmon_win_reg_persistence.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1183", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "sysmon_win_reg_persistence.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1054", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_disable_event_logging.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1066", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_susp_sdelete.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 4, "color": "", "comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_office_shell.yml\nwin_susp_outlook.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1056", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1141", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1130", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { 
"techniqueID": "T1118", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1118", "tactic": "execution", "score": 1, "color": "", "comment": "win_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1208", "tactic": "credential-access", "score": 2, "color": "", "comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1215", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1142", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1161", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1149", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1171", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1177", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1177", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1159", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1160", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1160", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1152", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1152", "tactic": "execution", "score": 0, "color": "", "comment": "", 
"enabled": true, "metadata": [] }, { "techniqueID": "T1152", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1168", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1168", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1162", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1037", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "sysmon_logon_scripts_userinitmprlogonscript.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1037", "tactic": "persistence", "score": 1, "color": "", "comment": "sysmon_logon_scripts_userinitmprlogonscript.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1185", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1036", "tactic": "defense-evasion", "score": 14, "color": "", "comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1031", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1170", "tactic": "defense-evasion", "score": 4, "color": "", "comment": 
"apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1170", "tactic": "execution", "score": 4, "color": "", "comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1104", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1188", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1026", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1079", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1096", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "powershell_ntfs_ads_access.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1128", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1046", "tactic": "discovery", "score": 1, "color": "", "comment": "win_vul_java_remote_debugging.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1126", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1135", "tactic": "discovery", "score": 1, "color": "", "comment": "apt_turla_commands.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1040", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1050", "tactic": "persistence", "score": 7, "color": "", "comment": 
"apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1050", "tactic": "privilege-escalation", "score": 7, "color": "", "comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1137", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1075", "tactic": "lateral-movement", "score": 4, "color": "", "comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1097", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1174", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1201", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1034", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1034", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1120", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1069", "tactic": "discovery", "score": 1, "color": "", "comment": "win_susp_net_recon_activity.yml", "enabled": true, "metadata": [] 
}, { "techniqueID": "T1150", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1150", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1150", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1205", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1205", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1205", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1013", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1013", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1086", "tactic": "execution", "score": 28, "color": "", "comment": 
"apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1145", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1057", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1186", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1093", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 8, "color": "", "comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 8, "color": "", "comment": 
"powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1012", "tactic": "discovery", "score": 1, "color": "", "comment": "apt_babyshark.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1163", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1164", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1108", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1108", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1060", "tactic": "persistence", "score": 2, "color": "", "comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1121", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1121", "tactic": "execution", "score": 1, "color": "", "comment": "win_possible_applocker_bypass.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1117", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_susp_regsvr32_anomalies.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1117", "tactic": "execution", "score": 1, "color": "", "comment": "win_susp_regsvr32_anomalies.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 2, "color": "", "comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1076", "tactic": 
"lateral-movement", "score": 4, "color": "", "comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 4, "color": "", "comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1105", "tactic": "lateral-movement", "score": 4, "color": "", "comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "win_netsh_port_fwd_3389.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1018", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1085", "tactic": "defense-evasion", "score": 11, "color": "", "comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1085", "tactic": "execution", "score": 11, "color": "", "comment": 
"apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1178", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "win_susp_add_sid_history.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1198", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1198", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1184", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1053", "tactic": "execution", "score": 8, "color": "", "comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1053", "tactic": "persistence", "score": 8, "color": "", "comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 8, "color": "", "comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1029", "tactic": "exfiltration", "score": 0, "color": "", 
"comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1113", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1180", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1064", "tactic": "defense-evasion", "score": 10, "color": "", "comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1064", "tactic": "execution", "score": 10, "color": "", "comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1063", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1101", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1167", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1035", "tactic": "execution", "score": 3, "color": "", "comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1058", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1058", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1166", "tactic": 
"privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1166", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1051", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1023", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_mavinject_proc_inj.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1218", "tactic": "execution", "score": 1, "color": "", "comment": "win_mavinject_proc_inj.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1216", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1216", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1045", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1153", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1151", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1151", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1193", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1192", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1194", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1071", "tactic": "command-and-control", 
"score": 1, "color": "", "comment": "net_susp_dns_txt_exec_strings.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1032", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1165", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1165", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1169", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1206", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1195", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1019", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1082", "tactic": "discovery", "score": 1, "color": "", "comment": "win_susp_commands_recon_activity.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1016", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1049", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1033", "tactic": "discovery", "score": 1, "color": "", "comment": "win_susp_whoami.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1007", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1124", "tactic": "discovery", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1080", "tactic": 
"lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1072", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1209", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1099", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "win_susp_time_modification.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1154", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1154", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1127", "tactic": "defense-evasion", "score": 2, "color": "", "comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1127", "tactic": "execution", "score": 2, "color": "", "comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1111", "tactic": "credential-access", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1065", "tactic": "command-and-control", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1204", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 6, "color": "", "comment": 
"win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1078", "tactic": "persistence", "score": 6, "color": "", "comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 6, "color": "", "comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 6, "color": "", "comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1125", "tactic": "collection", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 3, "color": "", "comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1102", "tactic": "defense-evasion", "score": 3, "color": "", "comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1100", "tactic": "persistence", "score": 6, "color": "", "comment": 
"web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1100", "tactic": "privilege-escalation", "score": 6, "color": "", "comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1077", "tactic": "lateral-movement", "score": 5, "color": "", "comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1047", "tactic": "execution", "score": 4, "color": "", "comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1084", "tactic": "persistence", "score": 3, "color": "", "comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml", "enabled": true, "metadata": [] }, { "techniqueID": "T1028", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1028", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1004", "tactic": "persistence", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] }, { "techniqueID": "T1220", "tactic": "execution", "score": 0, "color": "", "comment": "", "enabled": true, "metadata": [] } ], "gradient": { "colors": [ "#ffffff", "#66b1ff" ], "minValue": 0, 
"maxValue": 2 }, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true }