Repository: krdmnbrk/AttackRuleMap
Branch: main
Commit: 0ebf21bde42b
Files: 29
Total size: 1.2 MB
Directory structure:
gitextract_wll2bghe/
├── .github/
│   └── workflows/
│       └── deploy.yml
├── .gitignore
├── AUTOMATION.md
├── LICENSE
├── README.md
├── attack_rule_map.json
├── automation/
│   ├── __init__.py
│   ├── atomic_handler.py
│   ├── config.py
│   ├── dependency_handler.py
│   ├── dynamic_generator.py
│   ├── escu_handler.py
│   ├── execution_handler.py
│   ├── main.py
│   ├── repo_manager.py
│   ├── report_handler.py
│   ├── sigma_handler.py
│   ├── splunk_handler.py
│   ├── utils.py
│   └── vm_handler.py
├── dist/
│   ├── _headers
│   ├── assets/
│   │   └── images/
│   │       └── favicon/
│   │           └── site.webmanifest
│   ├── attack_rule_map.json
│   ├── index.html
│   ├── metadata.json
│   ├── mitre_layer_combined.json
│   ├── mitre_layer_sigma.json
│   └── mitre_layer_splunk.json
└── requirements.txt
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/workflows/deploy.yml
================================================
name: Deploy to Netlify
on:
  push:
    branches:
      - main # Only deploy when pushing to the main branch
    paths:
      - 'dist/**'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Deploy to Netlify
        uses: nwtgck/actions-netlify@v3.0.0
        with:
          publish-dir: './dist'
          production-deploy: true
        env:
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
================================================
FILE: .gitignore
================================================
generator
.vscode
# Python virtual environment
venv/
.venv
# Local environment variables
.env
# Dependencies managed by the automation script
dependencies/
# Repos cloned by RepoManager (Sigma, ESCU, Atomic Red Team)
data/repos/
# Compiled files
__pycache__/
*.pyc
# Logs
*.log
================================================
FILE: AUTOMATION.md
================================================
# Automation & Dashboard — Technical Manual
This document describes the **Automation** and **Dashboard** capabilities added to AttackRuleMap. It is intended for Security Engineers and Detection Engineers who want to run Atomic Red Team tests, validate detections against Splunk and Sigma rules, and consume the resulting mapping via an HTML dashboard and MITRE ATT&CK® Navigator layers.
---
## 1. Overview
The automation module:
- **Executes** [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) tests (optionally on a Windows VM or Proxmox-managed lab).
- **Queries** Splunk for detection events using SPL derived from **Sigma** and **Splunk Security Content (ESCU)** rules.
- **Maps** each atomic test to which rules detected it, with time-bounded search to avoid cross-contamination between sequential tests.
- **Generates** a consolidated report (`attack_rule_map.json`) and an **HTML Dashboard** (`dist/index.html`) plus **MITRE ATT&CK® Navigator** layers for heatmap-style coverage visualization.
The focus is **validation**: confirming that your detection rules (Sigma/ESCU → Splunk) actually fire when the corresponding adversary techniques are executed, rather than relying on static mapping alone.
---
## 2. Architecture
| Phase | Component | Description |
|-------|-----------|-------------|
| **Execution** | Atomic Red Team | Runs atomic tests (e.g. PowerShell, registry, file operations) on a target—local or remote VM. Test IDs and atomics are discovered from the Atomic Red Team repo. |
| **Detection** | Splunk + Sigma / ESCU | Sigma rules are converted to SPL (pySigma); ESCU provides native SPL. The pipeline runs time-bounded Splunk searches to determine which rules detected each test. |
| **Mapping** | Deep Merge Logic | New results are merged into the existing report by `atomic_attack_guid`. Existing entries are not overwritten; their `sigma_rules` and `splunk_rules` lists are extended with new detections (no duplicate rule names). |
| **Visualization** | HTML Dashboard & MITRE Heatmap | `dist/index.html` loads `attack_rule_map.json` via AJAX and displays technique ↔ rule ↔ atomic test mappings. Navigator layers (`mitre_layer_sigma.json`, `mitre_layer_splunk.json`, `mitre_layer_combined.json`) show detection coverage per technique. |
Data flow: **Atomic execution** → **Splunk search (time window)** → **Detection result per rule** → **Report merge** → **JSON + MITRE layers** → **Dashboard**.
---
## 3. Setup & Installation
### 3.1 Python Dependencies
From the project root:
```bash
pip install -r requirements.txt
```
This installs (among others): `paramiko`, `PyYAML`, `python-dotenv`, `pySigma`, `pySigma-backend-splunk`, `splunk-sdk`.
### 3.2 Environment Configuration
1. Copy the example environment file:
```bash
cp .env.example .env
```
2. Edit `.env` with your values. At minimum, configure:
- **Splunk**: `SPLUNK_HOST`, `SPLUNK_PORT`, `SPLUNK_USERNAME`, `SPLUNK_PASSWORD` (or `SPLUNK_TOKEN`), and optionally `SPLUNK_SEARCH_INDEX`.
- **Execution** (if using a VM): `VM_HOST`, `VM_USERNAME`, `VM_PASSWORD`, `VM_SAFE_DIR`; or Proxmox-related variables if using snapshot-based VMs.
See `.env.example` for all variables and inline comments. Do not commit `.env` to version control.
### 3.3 Repositories (Sigma, ESCU, Atomic Red Team)
On first run with `--all` or when technique discovery is needed, the pipeline will clone (if missing) into `data/repos/` by default:
- Sigma (SigmaHQ/sigma)
- Splunk Security Content (splunk/security_content)
- Atomic Red Team (redcanaryco/atomic-red-team)
Paths can be overridden via `REPOS_BASE_PATH`, `SIGMA_REPO_PATH`, `ESCU_REPO_PATH`, `ATOMIC_RED_TEAM_REPO`, etc. in `.env`.
---
## 4. Usage
### 4.1 Main Automation
From the project root:
```bash
# Run all techniques defined in ATTACK_TIDS (config / .env)
python -m automation.main --all
# Run specific technique(s)
python -m automation.main --tid T1059.001 --tid T1087.001
# Verbose (DEBUG) logging
python -m automation.main -v --tid T1059.001
```
The pipeline will: run atomics, wait for indexing, query Splunk for each test’s time window, merge results into `dist/attack_rule_map.json`, and regenerate the MITRE Navigator layers.
### 4.2 Regenerating MITRE Layers Only
To regenerate only the MITRE ATT&CK Navigator layer files from an existing `attack_rule_map.json` (no test execution):
```bash
python -m automation.main --mitre-only
```
Use this after editing the report manually or when you only need updated heatmaps.
### 4.3 Report Merge (No Separate Script)
The pipeline does **not** ship a separate “recovery merge” script. Report updates are **incremental** and **deep-merged** on every run:
- If `dist/attack_rule_map.json` exists, new results are merged by `atomic_attack_guid`.
- For matching GUIDs, existing `sigma_rules` and `splunk_rules` are preserved and extended (by rule name, no duplicates).
- New tests are appended. Output is “ultra-lite” (detected rules with `rule_name` and `rule_link` only).
So each run both adds new data and preserves prior validations.
---
## 5. Dashboard Features
### 5.1 HTML Report (`dist/index.html`)
- **Location**: Open `dist/index.html` in a browser (or serve `dist/` with any static file server).
- **Data**: The page loads `attack_rule_map.json` via AJAX and optionally `metadata.json` for “Last updated” information.
- **Content**: Table and filters for MITRE technique, atomic test name, Sigma rules, and Splunk/ESCU rules that detected each test. Supports export and search typical of a DataTables-based UI.
### 5.2 MITRE ATT&CK® Navigator Integration
Three layer files are written under `dist/`:
| File | Description |
|------|-------------|
| `mitre_layer_sigma.json` | Coverage based on Sigma rule detections only. |
| `mitre_layer_splunk.json` | Coverage based on Splunk/ESCU rule detections only. |
| `mitre_layer_combined.json` | Coverage where either Sigma or Splunk detected the technique. |
Import these into [MITRE ATT&CK® Navigator](https://mitre-attack.github.io/attack-navigator/) to view heatmaps (e.g. by detection rate per technique). Scores and comments in the layer reflect test counts and detected counts.
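The layer generation described above, as an added example that is not the project's own `automation` code: it walks a report in the `attack_rule_map.json` shape, counts atomic tests and detected tests per technique for each of the three sources, and emits one Navigator layer per source. The scoring scheme (score = percentage of a technique's atomic tests that at least one rule detected), the Navigator `versions` values, the gradient colours and the sample report entries are assumptions made for this example; the output file names match the ones listed in the table.

```python
import json
import os
from typing import Dict, List

# Constructed sample report in the attack_rule_map.json shape. GUIDs, rule
# names and links are placeholders for this example, not project data.
SAMPLE_REPORT: List[dict] = [
    {"tech_id": "T1003.001", "atomic_attack_guid": "00000000-0000-4000-8000-000000000011",
     "atomic_attack_name": "Dump LSASS.exe Memory using ProcDump", "platform": "Windows",
     "sigma_rules": [{"rule_name": "Procdump Execution", "rule_link": "https://example.invalid/a.yml"}],
     "splunk_rules": []},
    {"tech_id": "T1003.001", "atomic_attack_guid": "00000000-0000-4000-8000-000000000012",
     "atomic_attack_name": "Dump LSASS.exe Memory using comsvcs.dll", "platform": "Windows",
     "sigma_rules": [{"rule_name": "Process Memory Dump Via Comsvcs.DLL", "rule_link": "https://example.invalid/b.yml"}],
     "splunk_rules": [{"rule_name": "Dump LSASS via comsvcs DLL", "rule_link": "https://example.invalid/c.yml"}]},
    {"tech_id": "T1046", "atomic_attack_guid": "00000000-0000-4000-8000-000000000013",
     "atomic_attack_name": "Port Scan", "platform": "macOS",
     "sigma_rules": [], "splunk_rules": [{"rule_name": "Network scan detected", "rule_link": "https://example.invalid/d.yml"}]},
    {"tech_id": "T1059.001", "atomic_attack_guid": "00000000-0000-4000-8000-000000000014",
     "atomic_attack_name": "PowerShell Command Execution", "platform": "Windows",
     "sigma_rules": [], "splunk_rules": []},
]

SOURCES = ("sigma", "splunk", "combined")


def is_detected(entry: dict, source: str) -> bool:
    """True if at least one rule of the given source fired for this atomic test."""
    sigma = bool(entry.get("sigma_rules"))
    splunk = bool(entry.get("splunk_rules"))
    if source == "sigma":
        return sigma
    if source == "splunk":
        return splunk
    if source == "combined":
        return sigma or splunk
    raise ValueError(f"unknown source {source!r}; expected one of {SOURCES}")


def technique_stats(report: List[dict], source: str) -> Dict[str, Dict[str, int]]:
    """Per technique ID: how many atomic tests ran and how many were detected."""
    stats: Dict[str, Dict[str, int]] = {}
    for entry in report:
        s = stats.setdefault(entry["tech_id"], {"tests": 0, "detected": 0})
        s["tests"] += 1
        if is_detected(entry, source):
            s["detected"] += 1
    return stats


def build_layer(report: List[dict], source: str) -> dict:
    """Build a Navigator layer whose score is the detection rate per technique (0-100)."""
    stats = technique_stats(report, source)
    techniques = []
    for tid in sorted(stats):
        s = stats[tid]
        score = round(100 * s["detected"] / s["tests"])  # tests >= 1 for every tid present
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "comment": f"{s['detected']}/{s['tests']} atomic tests detected ({source})",
        })
    return {
        "name": f"AttackRuleMap coverage ({source})",
        # Assumed Navigator/layer versions; adjust to the Navigator release you import into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Score = percentage of atomic tests per technique detected by at least one rule.",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
    }


def scores(layer: dict) -> Dict[str, int]:
    """Convenience view: techniqueID -> score."""
    return {t["techniqueID"]: t["score"] for t in layer["techniques"]}


def write_layers(report: List[dict], out_dir: str = "dist") -> List[str]:
    """Write mitre_layer_<source>.json for all three sources and return the paths."""
    paths = []
    for source in SOURCES:
        path = os.path.join(out_dir, f"mitre_layer_{source}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(build_layer(report, source), fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for src in SOURCES:
        print(src, scores(build_layer(SAMPLE_REPORT, src)))
```

A technique with several atomic tests is scored by the fraction of those tests that were detected, so a single noisy rule on one test does not turn the whole technique green; sub-technique IDs such as `T1003.001` are scored as their own cells and the parent technique is not rolled up automatically.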
### 5.3 Deep Merge Logic
- **Preserves history**: Existing report entries are never overwritten by a new run; rule lists are merged by `atomic_attack_guid` and by rule name.
- **Validation-centric**: The dashboard and layers reflect which rules have **actually** detected which tests in your environment, not just static rule–technique mappings.
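The deep-merge behaviour described in sections 4.3 and 5.3, as an added example that is not the project's `report_handler` code: entries are keyed by `atomic_attack_guid`, an existing entry keeps every field it already has, its `sigma_rules` and `splunk_rules` lists only grow (deduplicated by `rule_name`), unknown GUIDs are appended, and every stored rule is reduced to the ultra-lite `rule_name`/`rule_link` shape. The sample entries, GUIDs and links are constructed for this example; `merge_report_file` is an assumed wrapper around the pure `deep_merge` function.

```python
import json
import os
from typing import Dict, List

# Constructed sample data in the report shape described in this manual; the
# GUIDs, rule names and links are placeholders, not project data.
EXISTING_REPORT: List[dict] = [
    {
        "tech_id": "T1003.001",
        "atomic_attack_guid": "00000000-0000-4000-8000-000000000001",
        "atomic_attack_name": "Dump LSASS.exe Memory using ProcDump",
        "platform": "Windows",
        "sigma_rules": [
            {"rule_name": "Procdump Execution",
             "rule_link": "https://example.invalid/sigma/procdump.yml"},
        ],
        "splunk_rules": [],
    },
]

NEW_RESULTS: List[dict] = [
    {   # Same GUID as the existing entry: must be merged, never overwritten.
        "tech_id": "T1003.001",
        "atomic_attack_guid": "00000000-0000-4000-8000-000000000001",
        "atomic_attack_name": "Dump LSASS.exe Memory using ProcDump (renamed upstream)",
        "platform": "Windows",
        "sigma_rules": [
            # Duplicate by rule_name, carrying an extra field that must not leak into the lite output.
            {"rule_name": "Procdump Execution",
             "rule_link": "https://example.invalid/sigma/procdump.yml", "level": "high"},
            {"rule_name": "LSASS Dump Keyword In CommandLine",
             "rule_link": "https://example.invalid/sigma/lsass_keywords.yml"},
        ],
        "splunk_rules": [
            {"rule_name": "Dump LSASS via procdump",
             "rule_link": "https://example.invalid/escu/procdump.yml"},
        ],
    },
    {   # New GUID: appended as a fresh entry (with an in-run duplicate to deduplicate).
        "tech_id": "T1059.001",
        "atomic_attack_guid": "00000000-0000-4000-8000-000000000002",
        "atomic_attack_name": "PowerShell Command Execution",
        "platform": "Windows",
        "sigma_rules": [],
        "splunk_rules": [
            {"rule_name": "Encoded PowerShell command", "rule_link": "https://example.invalid/escu/ps.yml"},
            {"rule_name": "Encoded PowerShell command", "rule_link": "https://example.invalid/escu/ps.yml"},
        ],
    },
]

RULE_LISTS = ("sigma_rules", "splunk_rules")


def lite_rule(rule: dict) -> dict:
    """Reduce a detected-rule record to the ultra-lite shape: rule_name and rule_link only."""
    return {"rule_name": rule["rule_name"], "rule_link": rule.get("rule_link", "")}


def extend_unique(existing: List[dict], incoming: List[dict]) -> int:
    """Append rules from `incoming` whose rule_name is not already in `existing`; return the count added."""
    seen = {r["rule_name"] for r in existing}
    added = 0
    for rule in incoming:
        if rule["rule_name"] in seen:
            continue
        existing.append(lite_rule(rule))
        seen.add(rule["rule_name"])
        added += 1
    return added


def deep_merge(existing_report: List[dict], new_results: List[dict]) -> List[dict]:
    """Merge a run's results into an existing report, keyed by atomic_attack_guid.

    Existing entries keep all their fields; only their rule lists grow.
    Unknown GUIDs are appended as new ultra-lite entries. Inputs are not mutated.
    """
    merged: List[dict] = json.loads(json.dumps(existing_report))  # deep copy
    by_guid: Dict[str, dict] = {e["atomic_attack_guid"]: e for e in merged}
    for result in new_results:
        guid = result["atomic_attack_guid"]
        entry = by_guid.get(guid)
        if entry is None:
            entry = {
                "tech_id": result["tech_id"],
                "atomic_attack_guid": guid,
                "atomic_attack_name": result["atomic_attack_name"],
                "platform": result["platform"],
                "sigma_rules": [],
                "splunk_rules": [],
            }
            merged.append(entry)
            by_guid[guid] = entry
        for key in RULE_LISTS:
            extend_unique(entry.setdefault(key, []), result.get(key, []))
    return merged


def merge_report_file(path: str, new_results: List[dict]) -> List[dict]:
    """Load `path` if it exists, merge the new results into it, write it back, and return the result."""
    existing: List[dict] = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = json.load(fh)
    merged = deep_merge(existing, new_results)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    return merged


if __name__ == "__main__":
    print(json.dumps(deep_merge(EXISTING_REPORT, NEW_RESULTS), indent=2))
```

Because the merge never drops a rule that fired in an earlier run, a rule that later stops matching (a renamed field, a broken log source) stays green in the report; if you want to detect such regressions, compare the per-run results against the merged history rather than relying on the merged file alone.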
---
## 6. Directory Structure
| Path | Purpose |
|------|---------|
| `automation/` | Python package: config, atomic discovery, Sigma/ESCU handling, Splunk queries, VM/execution, report merge, MITRE layer generation. |
| `dist/` | Output directory: `attack_rule_map.json`, `index.html`, `metadata.json`, MITRE layer JSONs, and static assets (CSS, JS, images) for the dashboard. |
| `data/repos/` | Default location for cloned Sigma, ESCU, and Atomic Red Team repositories (created on first run if using default `REPOS_BASE_PATH`). |
The project root also contains `requirements.txt`, `.env.example`, and the main `README.md`; the latter is unchanged and describes the original AttackRuleMap project.
---
## Summary
This automation provides an end-to-end **detection validation** workflow: run Atomic Red Team tests, verify which Sigma and Splunk rules fire in your environment, and consume the results via a JSON report, HTML dashboard, and MITRE ATT&CK Navigator layers. Configuration is driven by `.env`; see `.env.example` for all options.
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2024 Burak Karaduman
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: README.md
================================================
# AttackRuleMap
<img src="logo.png" alt="atomic red team, detection rules, attackrulemap.com" width="250">
This repository provides a mapping of Atomic Red Team attack simulations to open-source detection rules, such as Sigma and Splunk ESCU.
### [Go to AttackRuleMap](https://attackrulemap.com)
## 🎯 Project Purpose
The goal of this project is to bridge the gap between Atomic Red Team's adversary simulations and open-source detection rules. By doing so, this project aims to help security professionals simulate attacks and evaluate their detection strategies more effectively. 🔒
Below I have updated only the **Project Origin** section, summarizing the contribution on Medium; the other sections can be used as they are.
## 🧬 Project Origin (Proof-of-Concept to Scalable Validation)
AttackRuleMap started as a hands-on lab simulation effort. In the initial phase, I:
- Executed Atomic Red Team tests
- Ran Sigma and Splunk ESCU detections
- Recorded which rules fired for which techniques
### Environment Setup (Initial Phase)
- Operating System: Windows Server 2019 (virtualized)
- Testing Tool: Atomic Red Team (PowerShell + manual adjustments where needed)
- Log Ingestion/Analysis: Splunk Enterprise
- Performance: Datamodel acceleration enabled to support multi-threaded searching
- Detection Rules: Sigma + Splunk ESCU
This approach produced the first mapping dataset and validated that detections could be tested against real adversary simulations.
> However, this process was partially manual and not scalable across the full MITRE ATT&CK matrix.
---
### 🚀 Scaling the Approach with Automation
To overcome these limitations, the project evolved with a community contribution, introducing an automated validation pipeline.
This extension transformed AttackRuleMap from a static mapping into a **continuous validation system** that:
- Automatically executes Atomic Red Team tests
- Queries detection rules within a controlled time window
- Correlates results to avoid false positives
- Generates updated mapping data and ATT&CK coverage layers
- Feeds a dynamic dashboard for visualization
With this approach, AttackRuleMap moves from **manual validation** to **evidence-based, repeatable detection testing at scale**.
> This evolution enables security teams to continuously validate detection coverage instead of relying on assumed effectiveness.
[Check post for automation details](https://emre-guler.medium.com/attackrulemap-scaling-the-bridge-between-detections-and-tests-via-automation-507f9c5c2b5a) by [@emregulerr](https://github.com/emregulerr)
## 🔄 Sigma Rule Conversion
To convert Sigma rules into Splunk Search Processing Language (SPL), I used [sigconverter.io](https://sigconverter.io) locally on Docker. This tool simplifies adapting Sigma rules for use in Splunk by automating the translation. Users can specify the desired target platform, such as Splunk, Elastic, Kusto or any other platform supported by sigconverter, and the tool generates platform-specific queries from Sigma's rule definitions.
## 🤝 Contribution
This project is open to contributions from the community. Here are some ways you can contribute:
- **Platform Testing:** Test and validate the detection rules on non-Windows platforms, such as Linux or macOS.
- **Feedback and Suggestions:** Share your ideas for improving the project or addressing potential gaps.
If you'd like to contribute, feel free to submit a pull request or open an issue. 💡
## Contributors
- [@Niicolaa](https://github.com/Niicolaa)
- [@emregulerr](https://github.com/emregulerr)
================================================
FILE: attack_rule_map.json
================================================
[{"tech_id":"T1046","atomic_attack_guid":"68e907da-2539-48f6-9fc9-257a78c05540","atomic_attack_name":"Port Scan","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Network Service Scanning","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"9d04efee-eff5-4240-b8d2-07792b873608","atomic_attack_name":"Packet Capture macOS using tcpdump or tshark","platform":"macOS","sigma_rules":[{"rule_name":"Network Sniffing - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml"}],"splunk_rules":[]},{"tech_id":"T1037.005","atomic_attack_guid":"10cf5bec-49dd-4ebf-8077-8f47e420096f","atomic_attack_name":"Add launch script to launch agent","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1037.005","atomic_attack_guid":"fc369906-90c7-4a15-86fd-d37da624dde6","atomic_attack_name":"Add launch script to launch daemon","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1033","atomic_attack_guid":"2a9b677d-a230-44f4-ad86-782df1ef108c","atomic_attack_name":"System Owner/User 
Discovery","platform":"macOS","sigma_rules":[{"rule_name":"System Network Connections Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1030","atomic_attack_guid":"ab936c51-10f4-46ce-9144-e02137b2016a","atomic_attack_name":"Data Transfer Size Limits","platform":"macOS","sigma_rules":[{"rule_name":"Split A File Into Pieces","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml"}],"splunk_rules":[]},{"tech_id":"T1027.001","atomic_attack_guid":"e22a9e89-69c7-410f-a473-e6c212cd2292","atomic_attack_name":"Pad Binary to Change Hash using truncate command - Linux/macOS","platform":"macOS","sigma_rules":[{"rule_name":"Binary Padding - MacOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"}],"splunk_rules":[]},{"tech_id":"T1027.001","atomic_attack_guid":"ffe2346c-abd5-4b45-a713-bf5f1ebd573a","atomic_attack_name":"Pad Binary to Change Hash - Linux/macOS dd","platform":"macOS","sigma_rules":[{"rule_name":"Binary Padding - MacOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"f45df6be-2e1e-4136-a384-8f18ab3826fb","atomic_attack_name":"Decode base64 Data into Script","platform":"macOS","sigma_rules":[{"rule_name":"Decode Base64 Encoded Text -MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml"}],"splunk_rules":[]},{"tech_id":"T1021.005","atomic_attack_guid":"8a930abe-841c-4d4f-a877-72e9fe90b9ea","atomic_attack_name":"Enable Apple Remote Desktop Agent","platform":"macOS","sigma_rules":[{"rule_name":"System Information Discovery Using 
sw_vers","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml"},{"rule_name":"Local System Accounts Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_local_account.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"},{"rule_name":"Creation Of A Local User Account","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"96db2632-8417-4dbb-b8bb-a8b92ba391de","atomic_attack_name":"Remote System Discovery - sweep","platform":"macOS","sigma_rules":[{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"acb6b1ff-e2ad-4d64-806c-6c35fe73b951","atomic_attack_name":"Remote System Discovery - arp nix","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"},{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"ff1d8c25-2aa4-4f18-a425-fede4a41ee88","atomic_attack_name":"List macOS Firewall Rules","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - 
macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"c141bbdb-7fca-4254-9fd6-f47e79447e17","atomic_attack_name":"System Network Configuration Discovery","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"},{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"},{"rule_name":"System Network Connections Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1005","atomic_attack_guid":"cfb6d400-a269-4c06-a347-6d88d584d5f7","atomic_attack_name":"Copy Apple Notes database files using AppleScript","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"42510244-5019-48fa-a0e5-66c3b76e6049","atomic_attack_name":"Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)","platform":"Windows","sigma_rules":[{"rule_name":"Microsoft IIS Service Account Password Dumped","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"84113186-ed3c-4d0d-8a3c-8980c86c1f4a","atomic_attack_name":"Dump Credential Manager using keymgr.dll and 
rundll32.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Key Manager Access","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"0b207037-813c-4444-ac3f-b597cf280a67","atomic_attack_name":"Send NTLM Hash with RPC Test Connection","platform":"Windows","sigma_rules":[{"rule_name":"Capture Credentials with Rpcping.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"},{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"0be2230c-9ab3-4ac2-8826-3199b9a0ebf8","atomic_attack_name":"Dump LSASS.exe Memory using ProcDump","platform":"Windows","sigma_rules":[{"rule_name":"Renamed ProcDump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Potential LSASS Process Dump Via 
Procdump","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"},{"rule_name":"Procdump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"2536dee2-12fb-459a-8c37-971844fa73be","atomic_attack_name":"Dump LSASS.exe Memory using comsvcs.dll","platform":"Windows","sigma_rules":[{"rule_name":"Process Memory Dump Via Comsvcs.DLL","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"},{"rule_name":"PowerShell Get-Process LSASS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Use Short Name Path in Command 
Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"PowerShell Get-Process LSASS in ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"dddd4aca-bbed-46f0-984d-e4c5971c51ea","atomic_attack_name":"Dump LSASS.exe Memory using NanoDump","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"453acf13-1dbd-47d7-b28a-172ce9228023","atomic_attack_name":"Offline Credential Theft With Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Operator Bloopers Cobalt Strike 
Commands","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"7cede33f-0acd-44ef-9774-15511300b24b","atomic_attack_name":"Create Mini Dump of LSASS.exe using ProcDump","platform":"Windows","sigma_rules":[{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"},{"rule_name":"Procdump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"},{"rule_name":"Potential LSASS Process Dump Via Procdump","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"86fc3f40-237f-4701-b155-81c01c48d697","atomic_attack_name":"Dump LSASS.exe using imported Microsoft DLLs","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - XORDump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml"},{"rule_name":"Suspicious Script Execution From Temp 
Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"eb5adf16-b601-4926-bca7-dad22adffb37","atomic_attack_name":"Dump LSASS.exe Memory through Silent Process Exit","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.003","atomic_attack_guid":"2364e33d-ceab-4641-8468-bfb1d7cc2723","atomic_attack_name":"Dump Active Directory Database with NTDSUtil","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Patterns NTDS.DIT Exfil","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"}],"splunk_rules":[]},{"tech_id":"T1003.003","atomic_attack_guid":"542bb97e-da53-436b-8e43-e0a7d31a6c24","atomic_attack_name":"Create Volume Shadow Copy with Powershell","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"Create Volume Shadow Copy with 
Powershell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1003.005","atomic_attack_guid":"56506854-89d6-46a3-9804-b7fde90791f9","atomic_attack_name":"Cached Credential Dump via Cmdkey","platform":"Windows","sigma_rules":[{"rule_name":"Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1003.006","atomic_attack_guid":"a0bced08-3fc5-4d8b-93b7-e8344739376e","atomic_attack_name":"Run DSInternals Get-ADReplAccount","platform":"Windows","sigma_rules":[{"rule_name":"DSInternals Suspicious PowerShell Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml"},{"rule_name":"Suspicious Get-ADReplAccount","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1007","atomic_attack_guid":"89676ba1-b1f8-47ee-b940-2e1a113ebc71","atomic_attack_name":"System Service Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Tasklist Discovery Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1007","atomic_attack_guid":"5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3","atomic_attack_name":"System Service Discovery - net.exe","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output 
Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"970ab6a1-0157-4f3f-9a73-ec4166754b23","atomic_attack_name":"System Network Configuration Discovery on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Network Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"dafaf052-5508-402d-bf77-51e0700c02e2","atomic_attack_name":"System Network Configuration Discovery (TrickBot Style)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Network Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"},{"rule_name":"Potential Recon Activity Via Nltest.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"},{"rule_name":"Nltest.EXE Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1016.002","atomic_attack_guid":"53cf1903-0fa7-4177-ab14-f358ae809eec","atomic_attack_name":"Enumerate Stored Wi-Fi Profiles And Passwords via netsh","platform":"Windows","sigma_rules":[{"rule_name":"Harvesting Of Wifi Credentials Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"6db1f57f-d1d5-4223-8a66-55c9c65a9592","atomic_attack_name":"Remote System Discovery - ping sweep","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Scan Loop 
Network","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"64ede6ac-b57a-41c2-a7d1-32c6cd35397d","atomic_attack_name":"Enumerate Active Directory Computers with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Remote System Discovery with Adsisearcher","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_system_discovery_with_adsisearcher.yml"}]},{"tech_id":"T1018","atomic_attack_guid":"b8147c9a-84db-4ec1-8eee-4e0da75f0de5","atomic_attack_name":"Enumerate Remote Hosts with Netscan","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","atomic_attack_guid":"74ace21e-a31c-4f7d-b540-53e4eb6d1f73","atomic_attack_name":"Changing RDP Port to Non Standard Port via Command_Prompt","platform":"Windows","sigma_rules":[{"rule_name":"New 
Firewall Rule Added Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml"},{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"},{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","atomic_attack_guid":"01d1c6c0-faf0-408e-b368-752a02285cb2","atomic_attack_name":"Disable NLA for RDP via Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"},{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"e2d85e66-cb66-4ed7-93b1-833fc56c9319","atomic_attack_name":"DLP Evasion via Sensitive Data in VBA Macro over HTTP","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"fad04df1-5229-4185-b016-fb6010cd87ac","atomic_attack_name":"Execution from Compressed JScript File","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1033","atomic_attack_guid":"4c4959bf-addf-4b4a-be86-8d09cc1857aa","atomic_attack_name":"System Owner/User Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Whoami.EXE Execution With Output Option","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"},{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1036.003","atomic_attack_guid":"5ba5a3d1-cf3c-4499-968a-a93155d1f717","atomic_attack_name":"Masquerading as Windows LSASS process","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To 
System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Binary Rename","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"3a2a578b-0a01-46e4-92e3-62e2859b42f0","atomic_attack_name":"Masquerading - cscript.exe running as notepad.exe","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Rename Of Highly Relevant Binaries","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa","atomic_attack_name":"Masquerading - powershell.exe running as taskhostw.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Rename Of Highly Relevant Binaries","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"83810c46-f45e-4485-9ab6-8ed0e9e6ed7f","atomic_attack_name":"Malicious process Masquerading as 
LSM.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Binary Rename","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"}],"splunk_rules":[]},{"tech_id":"T1036.004","atomic_attack_guid":"b721c6ef-472c-4263-a0d9-37f1f4ecff66","atomic_attack_name":"Creating W32Time similar named service using sc","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1036.007","atomic_attack_guid":"c7fa0c3b-b57f-4cba-9118-863bf4e653fc","atomic_attack_name":"File Extension Masquerading","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Suspicious Double Extension Files","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1037.001","atomic_attack_guid":"d6042746-07d4-4c92-9ad8-e644c114a231","atomic_attack_name":"Logon Scripts","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Via Logon 
Scripts - CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Potential Persistence Via Logon Scripts - Registry","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml"}],"splunk_rules":[]},{"tech_id":"T1039","atomic_attack_guid":"6ed67921-1774-44ba-bac6-adb51ed60660","atomic_attack_name":"Copy a sensitive File over Administrative share with copy","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"}],"splunk_rules":[]},{"tech_id":"T1039","atomic_attack_guid":"7762e120-5879-44ff-97f8-008b401b9a98","atomic_attack_name":"Copy a sensitive File over Administrative share with Powershell","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Script Execution From Temp Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol 
Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"b5656f67-d67f-4de8-8e62-b5581630f528","atomic_attack_name":"Windows Internal Packet Capture","platform":"Windows","sigma_rules":[{"rule_name":"New Network Trace Capture Started Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"855fb8b4-b8ab-4785-ae77-09f5df7bff55","atomic_attack_name":"Windows Internal pktmon set filter","platform":"Windows","sigma_rules":[{"rule_name":"PktMon.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1047","atomic_attack_guid":"5750aa16-0e59-4410-8b9a-8a47ca2788e2","atomic_attack_name":"WMI Reconnaissance Processes","platform":"Windows","sigma_rules":[{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},{"tech_id":"T1047","atomic_attack_guid":"718aebaa-d0e0-471a-8241-c5afa69c7414","atomic_attack_name":"WMI Reconnaissance Software","platform":"Windows","sigma_rules":[{"rule_name":"Windows Hotfix Updates Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"}],"splunk_rules":[]},{"tech_id":"T1053.002","atomic_attack_guid":"4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8","atomic_attack_name":"At.exe Scheduled task","platform":"Windows","sigma_rules":[{"rule_name":"Interactive AT 
Job","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1053.005","atomic_attack_guid":"42f53695-ad4a-4546-abb6-7d837f644a71","atomic_attack_name":"Scheduled task Local","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Schtasks Schedule Types","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","atomic_attack_guid":"e895677d-4f06-49ab-91b6-ae3742d0a2ba","atomic_attack_name":"Scheduled Task Executing Base64 Encoded Commands From Registry","platform":"Windows","sigma_rules":[{"rule_name":"Scheduled Task Executing Encoded Payload from Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Command Patterns In Scheduled Task Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1055","atomic_attack_guid":"3203ad24-168e-4bec-be36-f79b13ef8a83","atomic_attack_name":"Remote Process Injection in LSASS via mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1055","atomic_attack_guid":"2871ed59-3837-4a52-9107-99500ebc87cb","atomic_attack_name":"Process Injection with Go using CreateThread WinAPI","platform":"Windows","sigma_rules":[{"rule_name":"Potential WinAPI Calls Via CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml"}],"splunk_rules":[]},{"tech_id":"T1055","atomic_attack_guid":"2a3c7035-d14f-467a-af94-933e49fe6786","atomic_attack_name":"Process Injection with Go using CreateThread WinAPI (Natively)","platform":"Windows","sigma_rules":[{"rule_name":"Potential WinAPI Calls Via CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml"}],"splunk_rules":[]},{"tech_id":"T1056.001","atomic_attack_guid":"d9b633ca-8efb-45e6-b838-70f595c6ae26","atomic_attack_name":"Input Capture","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"Powershell 
Keylogging","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"}],"splunk_rules":[]},
{"tech_id":"T1056.004","atomic_attack_guid":"de1934ea-1fbf-425b-8795-65fb27dd7e33","atomic_attack_name":"Hook PowerShell TLS Encrypt/Decrypt Messages","platform":"Windows","sigma_rules":[{"rule_name":"Mavinject Inject DLL Into Running Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"}],"splunk_rules":[]},
{"tech_id":"T1057","atomic_attack_guid":"c5806a4f-62b8-4900-980b-c7ec004e9908","atomic_attack_name":"Process Discovery - tasklist","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Tasklist Discovery Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1057","atomic_attack_guid":"640cbf6d-659b-498b-ba53-f6dd1a1cc02c","atomic_attack_name":"Process Discovery - wmic process","platform":"Windows","sigma_rules":[{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},
{"tech_id":"T1057","atomic_attack_guid":"11ba69ee-902e-4a0f-b3b6-418aed7d7ddb","atomic_attack_name":"Discover Specific Process - tasklist","platform":"Windows","sigma_rules":[{"rule_name":"LSASS Process Reconnaissance Via Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml"},{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Suspicious Tasklist Discovery Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.001","atomic_attack_guid":"af1800cf-9f9d-4fd1-a709-14b1e6de020d","atomic_attack_name":"Mimikatz - Cradlecraft PsSendKeys","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Keywords","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml"},{"rule_name":"Malicious PowerShell Scripts - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Potential PowerShell Command Line Obfuscation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Windows PowerShell Script Block With Malicious String","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml"},{"rule_name":"Detect Mimikatz With PowerShell Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},
{"tech_id":"T1059.001","atomic_attack_guid":"a538de64-1c74-46ed-aa60-b995ed302598","atomic_attack_name":"PowerShell Command Execution","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},
{"tech_id":"T1059.001","atomic_attack_guid":"49eb9404-5e0f-4031-a179-b40f7be385e3","atomic_attack_name":"PowerShell Invoke Known Malicious Cmdlets","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Keywords","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},
{"tech_id":"T1059.003","atomic_attack_guid":"127b4afe-2346-4192-815c-69042bec570e","atomic_attack_name":"Writes text to a file and displays it.","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.003","atomic_attack_guid":"df81db1b-066c-4802-9bc8-b6d030c3ba8e","atomic_attack_name":"Command Prompt read contents from CMD file and execute","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.003","atomic_attack_guid":"00682c9f-7df4-4df8-950b-6dcaaa3ad9af","atomic_attack_name":"Command prompt writing script to file then executes it","platform":"Windows","sigma_rules":[{"rule_name":"Whoami.EXE Execution With Output Option","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.005","atomic_attack_guid":"1620de42-160a-4fe5-bbaf-d3fef0181ce9","atomic_attack_name":"Visual Basic script execution to gather local computer information","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Registry Tampering by Potentially Suspicious Processes","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.007","atomic_attack_guid":"01d75adf-ca1b-4dd1-ac96-7c9550ad1035","atomic_attack_name":"JScript execution to gather local computer information via cscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},
{"tech_id":"T1059.007","atomic_attack_guid":"0709945e-4fec-4c49-9faf-c3c292a74484","atomic_attack_name":"JScript execution to gather local computer information via wscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},
{"tech_id":"T1069.002","atomic_attack_guid":"9f4e344b-8434-41b3-85b1-d38f29d148d0","atomic_attack_name":"Enumerate Active Directory Groups with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},
{"tech_id":"T1070","atomic_attack_guid":"b4115c7a-0e92-47f0-a61e-17e7218b2435","atomic_attack_name":"Indicator Removal using FSUtil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Suspicious Invocation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"}],"splunk_rules":[]},
{"tech_id":"T1070.001","atomic_attack_guid":"e6abb60e-26b8-41da-8aae-0c35174b0967","atomic_attack_name":"Clear Logs","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Eventlog Clearing or Configuration Change Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"}],"splunk_rules":[]},
{"tech_id":"T1070.004","atomic_attack_guid":"861ea0b4-708a-4d17-848d-186c9c7f17e3","atomic_attack_name":"Delete a single file - Windows cmd","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},
{"tech_id":"T1070.004","atomic_attack_guid":"36f96049-0ad7-4a5f-8418-460acaeb92fb","atomic_attack_name":"Delete Prefetch File","platform":"Windows","sigma_rules":[{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"},{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},
{"tech_id":"T1070.005","atomic_attack_guid":"14c38f32-6509-46d8-ab43-d53e32d2b131","atomic_attack_name":"Add Network Share","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1070.005","atomic_attack_guid":"09210ad5-1ef2-4077-9ad3-7351e13e9222","atomic_attack_name":"Remove Network Share","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"},{"rule_name":"Unmount Share Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml"},{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1071.001","atomic_attack_guid":"dc3488b0-08c7-4fea-b585-905c83b48180","atomic_attack_name":"Malicious User Agents - CMD","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"}],"splunk_rules":[]},
{"tech_id":"T1074.001","atomic_attack_guid":"107706a5-6f9f-451a-adae-bab8c667829f","atomic_attack_name":"Stage data from Discovery.bat","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},
{"tech_id":"T1074.001","atomic_attack_guid":"a57fbe4b-3440-452a-88a7-943531ac872a","atomic_attack_name":"Zip a Folder with PowerShell for Staging in Temp","platform":"Windows","sigma_rules":[{"rule_name":"Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml"},{"rule_name":"Zip A Folder With PowerShell For Staging In Temp - PowerShell Script","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml"}],"splunk_rules":[]},
{"tech_id":"T1078.001","atomic_attack_guid":"99747561-ed8d-47f2-9c91-1e5fde1ed6e0","atomic_attack_name":"Enable Guest account with RDP capability and admin privileges","platform":"Windows","sigma_rules":[{"rule_name":"User Added to Local Administrators Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"},{"rule_name":"User Added to Remote Desktop Users Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml"},{"rule_name":"Weak or Abused Passwords In CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"}],"splunk_rules":[]},
{"tech_id":"T1078.003","atomic_attack_guid":"a524ce99-86de-4db6-b4f9-e08f35a47a15","atomic_attack_name":"Create local account with admin privileges","platform":"Windows","sigma_rules":[{"rule_name":"User Added to Local Administrators Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"}],"splunk_rules":[]},
{"tech_id":"T1082","atomic_attack_guid":"66703791-c902-4560-8770-42b8a91f7667","atomic_attack_name":"System Information Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Potential Configuration And Service Reconnaissance Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml"},{"rule_name":"Suspicious Execution of Systeminfo","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1082","atomic_attack_guid":"224b4daf-db44-404e-b6b2-f4d1f0126ef8","atomic_attack_name":"Windows MachineGUID Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Query of MachineGUID","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml"}],"splunk_rules":[]},
{"tech_id":"T1082","atomic_attack_guid":"69bd4abe-8759-49a6-8d21-0f15822d6370","atomic_attack_name":"Griffon Recon","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"}],"splunk_rules":[]},
{"tech_id":"T1082","atomic_attack_guid":"4060ee98-01ae-4c8e-8aad-af8300519cc7","atomic_attack_name":"System Information Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"},{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potential Reconnaissance Activity Via GatherNetworkInfo.VBS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"},{"rule_name":"Suspicious Execution of Systeminfo","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"}],"splunk_rules":[]},
{"tech_id":"T1083","atomic_attack_guid":"0e36303b-6762-4500-b003-127743b80ba6","atomic_attack_name":"File and Directory Discovery (cmd.exe)","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"95018438-454a-468c-a0fa-59c800149b59","atomic_attack_name":"Automated AD Recon (ADRecon)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"736b4f53-f400-4c22-855d-1a6b5a551600","atomic_attack_name":"Adfind -Listing password policy","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"b95fd967-4e62-4109-b48d-265edfd28c3a","atomic_attack_name":"Adfind - Enumerate Active Directory Admins","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"5e2938fb-f919-47b6-8b29-2f6a1f718e99","atomic_attack_name":"Adfind - Enumerate Active Directory Exchange AD Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"02e8be5a-3065-4e54-8cc8-a14d138834d3","atomic_attack_name":"Enumerate Active Directory Users with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},
{"tech_id":"T1087.002","atomic_attack_guid":"7ab0205a-34e4-4a44-9b04-e1541d1a57be","atomic_attack_name":"Enumerate Linked Policies In ADSISearcher Discovery","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},
{"tech_id":"T1090.001","atomic_attack_guid":"b8223ea9-4be2-44a6-b50a-9657a3d4e72a","atomic_attack_name":"portproxy reg key","platform":"Windows","sigma_rules":[{"rule_name":"New Port Forwarding Rule Added Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"2ca61766-b456-4fcf-a35a-1233685e1cad","atomic_attack_name":"OSTAP Worming Activity","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"fa5a2759-41d7-4e13-a19c-e8f28a53566f","atomic_attack_name":"svchost writing a file to a UNC path","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"815bef8b-bf91-4b67-be4c-abe4c2a94ccc","atomic_attack_name":"Download a File with Windows Defender MpCmdRun.exe","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"File Download Via Windows Defender MpCmpRun.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"5f507e45-8411-4f99-84e7-e38530c45d01","atomic_attack_name":"File download with finger.exe on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Finger.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"1a02df58-09af-4064-a765-0babe1a0d1e2","atomic_attack_name":"Download a file with IMEWDBLD.exe","platform":"Windows","sigma_rules":[{"rule_name":"Arbitrary File Download Via IMEWDBLD.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"49845fc1-7961-4590-a0f0-3dbcf065ae7e","atomic_attack_name":"Printer Migration Command-Line Tool UNC share folder into a zip file","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"PrintBrm ZIP Creation of Extraction","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"54782d65-12f0-47a5-b4c1-b70ee23de6df","atomic_attack_name":"Lolbas replace.exe use to copy file","platform":"Windows","sigma_rules":[{"rule_name":"Replace.exe Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"ed0335ac-0354-400c-8148-f6151d20035a","atomic_attack_name":"Lolbas replace.exe use to copy UNC file","platform":"Windows","sigma_rules":[{"rule_name":"Replace.exe Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"6fdaae87-c05b-42f8-842e-991a74e8376b","atomic_attack_name":"certreq download","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Certreq Command to Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"Suspicious CertReq Command to Download","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certreq_download.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"97116a3f-efac-4b26-8336-b9cb18c45188","atomic_attack_name":"Download a file using wscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1105","atomic_attack_guid":"c01cad7f-7a4c-49df-985e-b190dcf6a279","atomic_attack_name":"iwr or Invoke Web-Request download","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Suspicious Script Execution From Temp Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},
{"tech_id":"T1110.001","atomic_attack_guid":"59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4","atomic_attack_name":"Password Brute User using Kerbrute Tool","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"}],"splunk_rules":[]},
{"tech_id":"T1112","atomic_attack_guid":"282f929a-6bc5-42b8-bd93-960c3ba35afe","atomic_attack_name":"Modify Registry of Local Machine - cmd","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},
{"tech_id":"T1112","atomic_attack_guid":"c0413fb5-33e2-40b7-9b6f-60b29f4a7a18","atomic_attack_name":"Modify registry to store logon credentials","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"}],"splunk_rules":[]},
{"tech_id":"T1112","atomic_attack_guid":"95b25212-91a7-42ff-9613-124aca6845a8","atomic_attack_name":"Windows Powershell Logging Disabled","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"}],"splunk_rules":[]},
{"tech_id":"T1112","atomic_attack_guid":"1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5","atomic_attack_name":"Windows Add Registry Value to Load Service in Safe Mode without Network","platform":"Windows","sigma_rules":[{"rule_name":"Add SafeBoot Keys Via Reg 
Utility","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c173c948-65e5-499c-afbe-433722ed5bd4","atomic_attack_name":"Windows Add Registry Value to Load Service in Safe Mode with Network","platform":"Windows","sigma_rules":[{"rule_name":"Add SafeBoot Keys Via Reg Utility","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c30dada3-7777-4590-b970-dc890b8cf113","atomic_attack_name":"Suppress Win Defender Notifications","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"65704cd4-6e36-4b90-b6c1-dc29a82c8e56","atomic_attack_name":"NetWire RAT Registry Key Creation","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c375558d-7c25-45e9-bd64-7b23a97c1db0","atomic_attack_name":"Ursnif Malware Registry Key Creation","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious 
Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"d2c9e41e-cd86-473d-980d-b6403562e3e1","atomic_attack_name":"Disable Windows Error Reporting Settings","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"35727d9e-7a7f-4d0c-a259-dc3906d6e8b9","atomic_attack_name":"Mimic Ransomware - Allow Multiple RDP Sessions per User","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"e3ad8e83-3089-49ff-817f-e52f8c948090","atomic_attack_name":"Enabling Remote Desktop Protocol via Remote Registry","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"3b625eaa-c10d-4635-af96-3eae7d2a2f3c","atomic_attack_name":"Tamper Win Defender Protection","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c88ef166-50fa-40d5-a80c-e2b87d4180f7","atomic_attack_name":"Modify Internet Zone Protocol Defaults in Current User Registry - cmd","platform":"Windows","sigma_rules":[{"rule_name":"IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"ffeddced-bb9f-49c6-97f0-3d07a509bf94","atomic_attack_name":"Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"16bdbe52-371c-4ccf-b708-79fba61f1db4","atomic_attack_name":"Enable RDP via Registry (fDenyTSConnections)","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"5f8e36de-37ca-455e-b054-a2584f043c06","atomic_attack_name":"Disable Windows Remote Desktop Protocol","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"26fc7375-a551-4336-90d7-3f2817564304","atomic_attack_name":"Requires the BitLocker PIN for Pre-boot authentication","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"bacb3e73-8161-43a9-8204-a69fe0e4b482","atomic_attack_name":"Modify EnableBDEWithNoTPM Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"10b33fb0-c58b-44cd-8599-b6da5ad6384c","atomic_attack_name":"Modify UseTPMPIN Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c8480c83-a932-446e-a919-06a1fd1e512a","atomic_attack_name":"Modify UseTPMKey Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"02d8b9f7-1a51-4011-8901-2d55cca667f9","atomic_attack_name":"Modify UseTPMKeyPIN Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add 
BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1113","atomic_attack_guid":"5a496325-0115-4274-8eb9-755b649ad0fb","atomic_attack_name":"Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Windows Recall Feature Enabled Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml"}],"splunk_rules":[]},{"tech_id":"T1115","atomic_attack_guid":"0cd14633-58d4-4422-9ede-daa2c9474ae7","atomic_attack_name":"Utilize Clipboard to store or execute commands from","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"PowerShell Get Clipboard","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"},{"rule_name":"Data Copied To Clipboard Via Clip.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1119","atomic_attack_guid":"cb379146-53f1-43e0-b884-7ce2c635ff5b","atomic_attack_name":"Automated Collection Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Automated Collection Command 
Prompt","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1119","atomic_attack_guid":"aa1180e2-f329-4e1e-8625-2472ec0bfaf3","atomic_attack_name":"Recon information for export with Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1120","atomic_attack_guid":"424e18fd-48b8-4201-8d3a-bf591523a686","atomic_attack_name":"Peripheral Device Discovery via fsutil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Drive Enumeration","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"}],"splunk_rules":[]},{"tech_id":"T1123","atomic_attack_guid":"9c3ad250-b185-4444-b5a9-d69218a10c95","atomic_attack_name":"using device audio capture commandlet","platform":"Windows","sigma_rules":[{"rule_name":"Audio Capture via 
PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"}],"splunk_rules":[]},{"tech_id":"T1124","atomic_attack_guid":"20aba24b-e61f-4b26-b4ce-4784f763ca20","atomic_attack_name":"System Time Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"},{"rule_name":"Discovery of a System Time","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1127","atomic_attack_guid":"1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8","atomic_attack_name":"Lolbin Jsc.exe compile javascript to exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"JScript Compiler Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1127","atomic_attack_guid":"3fc9fea2-871d-414d-8ef6-02e85e322b80","atomic_attack_name":"Lolbin Jsc.exe compile javascript to dll","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"JScript Compiler Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1134.004","atomic_attack_guid":"cbbff285-9051-444a-9d17-c07cd2d230eb","atomic_attack_name":"Parent PID Spoofing - Spawn from Specified 
Process","platform":"Windows","sigma_rules":[{"rule_name":"Weak or Abused Passwords In CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"20f1097d-81c1-405c-8380-32174d493bbb","atomic_attack_name":"Network Share Discovery command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"ab39a04f-0c93-4540-9ff2-83f862c385ae","atomic_attack_name":"View available share drives","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"d07e4cc1-98ae-447e-9d31-36cb430d28c4","atomic_attack_name":"PowerView ShareFinder","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Import New Module Via PowerShell CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml"},{"rule_name":"HackTool - SharpView 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"}],"splunk_rules":[]},{"tech_id":"T1137","atomic_attack_guid":"bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c","atomic_attack_name":"Office Application Startup - Outlook as a C2","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1140","atomic_attack_guid":"dc6fe391-69e6-4506-bd06-ea5eeb4082f8","atomic_attack_name":"Deobfuscate/Decode Files Or Information","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1140","atomic_attack_guid":"71abc534-3c05-4d0c-80f7-cbe93cb2aa94","atomic_attack_name":"Certutil Rename and Decode","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1187","atomic_attack_guid":"485ce873-2e65-4706-9c7e-ae3ab9e14213","atomic_attack_name":"PetitPotam","platform":"Windows","sigma_rules":[{"rule_name":"Potential SMB Relay Attack Tool 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"}],"splunk_rules":[]},{"tech_id":"T1187","atomic_attack_guid":"81cfdd7f-1f41-4cc5-9845-bb5149438e37","atomic_attack_name":"Trigger an authenticated RPC call to a target server with no Sign flag set","platform":"Windows","sigma_rules":[{"rule_name":"Capture Credentials with Rpcping.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"},{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"}],"splunk_rules":[]},{"tech_id":"T1201","atomic_attack_guid":"4588d243-f24e-4549-b2e3-e627acc089f6","atomic_attack_name":"Examine local password policy - Windows","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1201","atomic_attack_guid":"510cc97f-56ac-4cd3-a198-d3218c23d889","atomic_attack_name":"Use of SecEdit.exe to export the local security policy (including the password policy)","platform":"Windows","sigma_rules":[{"rule_name":"Potential Suspicious Activity Using SeCEdit","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"cecfea7a-5f03-4cdd-8bc8-6f7c22862440","atomic_attack_name":"Indirect Command Execution - pcalua.exe","platform":"Windows","sigma_rules":[{"rule_name":"Use of Pcalua For 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"8b34a448-40d9-4fc3-a8c8-4bb286faf7dc","atomic_attack_name":"Indirect Command Execution - forfiles.exe","platform":"Windows","sigma_rules":[{"rule_name":"Forfiles Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"0fd14730-6226-4f5e-8d67-43c65f1be940","atomic_attack_name":"Indirect Command Execution - Scriptrunner.exe","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Use of Scriptrunner.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"3f3af983-118a-4fa1-85d3-ba4daa739d80","atomic_attack_name":"OSTap Payload Download","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"02f35d62-9fdc-4a97-b899-a5d9a876d295","atomic_attack_name":"Potentially Unwanted Applications (PUA)","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web 
Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"581d7521-9c4b-420e-9695-2aec5241167f","atomic_attack_name":"LNK Payload Download","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1216","atomic_attack_guid":"2a8f2d3c-3dec-4262-99dd-150cb2a4d63a","atomic_attack_name":"manage-bde.wsf Signed Script Command Execution","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1216.001","atomic_attack_guid":"9dd29a1f-1e16-4862-be83-913b10a88f6c","atomic_attack_name":"PubPrn.vbs Signed Script Bypass","platform":"Windows","sigma_rules":[{"rule_name":"Pubprn.vbs Proxy 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml"},{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"76f71e2f-480e-4bed-b61e-398fe17499d5","atomic_attack_name":"List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Where Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"4312cdbc-79fc-4a9c-becc-53d49c734bc5","atomic_attack_name":"List Mozilla Firefox bookmarks on Windows with command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Where Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"727dbcdb-e495-4ab1-a6c4-80c7f77aef85","atomic_attack_name":"List Internet Explorer Bookmarks using the command prompt","platform":"Windows","sigma_rules":[{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"ad2c17ed-f626-4061-b21e-b9804a6f3655","atomic_attack_name":"Register-CimProvider - Execute evil dll","platform":"Windows","sigma_rules":[{"rule_name":"DLL Execution Via 
Register-cimprovider.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"54ad7d5a-a1b5-472c-b6c4-f8090fb2daef","atomic_attack_name":"InfDefaultInstall.exe .inf Execution","platform":"Windows","sigma_rules":[{"rule_name":"InfDefaultInstall.exe .inf Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"7cbb0f26-a4c1-4f77-b180-a009aa05637e","atomic_attack_name":"Microsoft.Workflow.Compiler.exe Payload Execution","platform":"Windows","sigma_rules":[{"rule_name":"Microsoft Workflow Compiler Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"9ebe7901-7edf-45c0-b5c7-8366300919db","atomic_attack_name":"Invoke-ATHRemoteFXvGPUDisablementCommand base test","platform":"Windows","sigma_rules":[{"rule_name":"RemoteFXvGPUDisablement Abuse Via 
AtomicTestHarnesses","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"49fbd548-49e9-4bb7-94a6-3769613912b8","atomic_attack_name":"Load Arbitrary DLL via Wuauclt (Windows Update Client)","platform":"Windows","sigma_rules":[{"rule_name":"Proxy Execution Via Wuauclt.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"5bcda9cd-8e85-48fa-861d-b5a85d91d48c","atomic_attack_name":"Lolbin Gpscript logon option","platform":"Windows","sigma_rules":[{"rule_name":"Gpscript Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"f8da74bb-21b8-4af9-8d84-f2c8e4a220e3","atomic_attack_name":"Lolbin Gpscript startup option","platform":"Windows","sigma_rules":[{"rule_name":"Gpscript 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"13c0804e-615e-43ad-b223-2dfbacd0b0b3","atomic_attack_name":"Lolbas ie4uinit.exe use as proxy","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"},{"rule_name":"Ie4uinit Lolbin Use From Invalid Path","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"ab76e34f-28bf-441f-a39c-8db4835b89cc","atomic_attack_name":"Provlaunch.exe Executes Arbitrary Command via Registry Key","platform":"Windows","sigma_rules":[{"rule_name":"Potential Provisioning Registry Key Abuse For Binary Proxy Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"7816c252-b728-4ea6-a683-bd9441ca0b71","atomic_attack_name":"System Binary Proxy Execution - Wlrmdr Lolbin","platform":"Windows","sigma_rules":[{"rule_name":"Wlrmdr.EXE Uncommon Argument Or Child 
Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218.003","atomic_attack_guid":"34e63321-9683-496b-bbc1-7566bc55e624","atomic_attack_name":"CMSTP Executing Remote Scriptlet","platform":"Windows","sigma_rules":[{"rule_name":"Bypass UAC via CMSTP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"}],"splunk_rules":[]},{"tech_id":"T1218.003","atomic_attack_guid":"748cb4f6-2fb3-4e97-b7ad-b22635a09ab0","atomic_attack_name":"CMSTP Executing UAC Bypass","platform":"Windows","sigma_rules":[{"rule_name":"Bypass UAC via CMSTP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"},{"rule_name":"CMSTP Execution Registry Event","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"1483fab9-4f52-4217-a9ce-daa9d7747cae","atomic_attack_name":"Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject","platform":"Windows","sigma_rules":[{"rule_name":"Remotely Hosted HTA File Executed Via Mshta.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml"},{"rule_name":"Suspicious JavaScript Execution Via 
Mshta.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"906865c3-e05f-4acc-85c4-fbc185455095","atomic_attack_name":"Mshta executes VBScript to execute malicious command","platform":"Windows","sigma_rules":[{"rule_name":"MSHTA Suspicious Execution 01","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"},{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"MSHTA Execution with Suspicious File Extensions","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"8707a805-2b76-4f32-b1c0-14e558205772","atomic_attack_name":"Mshta used to Execute PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"},{"rule_name":"MSHTA Suspicious Execution 01","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"},{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"MSHTA Execution with Suspicious File 
Extensions","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with embedded JScript","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"8d73c7b0-c2b1-4ac1-881a-4aa644f76064","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with embedded VBScript","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"628fa796-76c5-44c3-93aa-b9d8214fd568","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with an embedded DLL","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"ed3fa08a-ca18-4009-973e-03d13014d0e8","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with an embedded EXE","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.010","atomic_attack_guid":"9d71c492-ea2e-4c08-af16-c6994cdf029f","atomic_attack_name":"Regsvr32 Silent DLL Install Call DllRegisterServer","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine 
Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Regsvr32 Execution From Highly Suspicious Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"57ba4ce9-ee7a-4f27-9928-3c70c489b59d","atomic_attack_name":"Rundll32 execute JavaScript Remote Payload With GetObject","platform":"Windows","sigma_rules":[{"rule_name":"Mshtml.DLL RunHTMLApplication Suspicious Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[{"rule_name":"Rundll32 DNSQuery","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/network/rundll32_dnsquery.yml"}]},{"tech_id":"T1218.011","atomic_attack_guid":"638730e7-7aed-43dc-bf8c-8117f805f5bb","atomic_attack_name":"Rundll32 execute VBscript command","platform":"Windows","sigma_rules":[{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"Mshtml.DLL RunHTMLApplication Suspicious Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL 
Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"22cfde89-befe-4e15-9753-47306b37a6e3","atomic_attack_name":"Execution of HTA and VBS Files using Rundll32 and URL.dll","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"9f5d081a-ee5a-42f9-a04e-b7bdc487e676","atomic_attack_name":"Launches an executable using Rundll32 and pcwutl.dll","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Code Execution via Pcwutl.dll","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"83a95136-a496-423c-81d3-1c6750133917","atomic_attack_name":"Rundll32 with desk.cpl","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Rundll32 InstallScreenSaver Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Suspicious Calculator 
Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"SCR File Write Event","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"2d5029f0-ae20-446f-8811-e7511b58e8b6","atomic_attack_name":"Running DLL with .init extension and function","platform":"Windows","sigma_rules":[{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8","atomic_attack_name":"Rundll32 execute command via FileProtocolHandler","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"8a7f56ee-10e7-444c-a139-0109438288eb","atomic_attack_name":"Rundll32 execute payload by calling RouteTheCall","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"}],"splunk_rules":[]},{"tech_id":"T1220","atomic_attack_guid":"1b237334-3e21-4a0c-8178-b8c996124988","atomic_attack_name":"WMIC bypass using local XSL file","platform":"Windows","sigma_rules":[{"rule_name":"XSL Script Execution Via 
WMIC.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},{"tech_id":"T1220","atomic_attack_guid":"7f5be499-33be-4129-a560-66021f379b9b","atomic_attack_name":"WMIC bypass using remote XSL file","platform":"Windows","sigma_rules":[{"rule_name":"XSL Script Execution Via WMIC.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"},{"rule_name":"Potential Remote SquiblyTwo Technique Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"}],"splunk_rules":[]},{"tech_id":"T1222","atomic_attack_guid":"6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02","atomic_attack_name":"Enable Local and Remote Symbolic Links via fsutil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Behavior Set SymlinkEvaluation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"98d34bb4-6e75-42ad-9c41-1dae7dc6a001","atomic_attack_name":"Take ownership using takeown utility","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Recursive Takeown","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"},{"rule_name":"File or Folder Permissions 
Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"a8206bcc-f282-40a9-a389-05d9c0263485","atomic_attack_name":"cacls - Grant permission to specified user or group recursively","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"bec1e95c-83aa-492e-ab77-60c71bbd21b0","atomic_attack_name":"attrib - Remove read-only attribute","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"32b979da-7b68-42c9-9a99-0e39900fc36c","atomic_attack_name":"attrib - hide file","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6","atomic_attack_name":"Grant Full Access to folder for Everyone - Ryuk Ransomware Style","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions 
Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1482","atomic_attack_guid":"2e22641d-0498-48d2-b9ff-c71e496ccdbe","atomic_attack_name":"Windows - Discover domain trusts with nltest","platform":"Windows","sigma_rules":[{"rule_name":"Potential Recon Activity Via Nltest.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"},{"rule_name":"Nltest.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1482","atomic_attack_guid":"15fe436d-e771-4ff3-b655-2dca9ba52834","atomic_attack_name":"Adfind - Enumerate Active Directory Trusts","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},{"tech_id":"T1485","atomic_attack_guid":"321fd25e-0007-417f-adec-33232252be19","atomic_attack_name":"Overwrite deleted data on C drive","platform":"Windows","sigma_rules":[{"rule_name":"Deleted Data Overwritten Via 
Cipher.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml"}],"splunk_rules":[]},{"tech_id":"T1486","atomic_attack_guid":"649349c7-9abf-493b-a7a2-b1aa4d141528","atomic_attack_name":"PureLocker Ransom Note","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"21dfb440-830d-4c86-a3e5-2a491d5a8d04","atomic_attack_name":"Windows - Stop service using Service Controller","platform":"Windows","sigma_rules":[{"rule_name":"Stop Windows Service Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"41274289-ec9c-4213-bea4-e43c4aa57954","atomic_attack_name":"Windows - Stop service using net.exe","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Stop Windows Service Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"f3191b84-c38b-400b-867e-3a217a27795f","atomic_attack_name":"Windows - Stop service by killing process","platform":"Windows","sigma_rules":[{"rule_name":"Process Terminated Via Taskkill","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"43819286-91a9-4369-90ed-d31fb4da2c01","atomic_attack_name":"Windows - 
Delete Volume Shadow Copies","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"6a3ff8dd-f49c-4272-a658-11c2fe58bd88","atomic_attack_name":"Windows - Delete Volume Shadow Copies via WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"cf21060a-80b3-4238-a595-22525de4ab81","atomic_attack_name":"Windows - Disable Windows Recovery Console Repair","platform":"Windows","sigma_rules":[{"rule_name":"Boot Configuration Tampering Via Bcdedit.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"39a295ca-7059-4a88-86f6-09556c1211e7","atomic_attack_name":"Windows - Delete Volume Shadow Copies via WMI with PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"},{"rule_name":"Deletion of Volume Shadow Copies via WMI with PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml"},{"rule_name":"Deletion of Volume Shadow Copies via WMI 
with PowerShell - PS Script","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"}],"splunk_rules":[{"rule_name":"Delete ShadowCopy With PowerShell","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/delete_shadowcopy_with_powershell.yml"}]},{"tech_id":"T1490","atomic_attack_guid":"6b1dbaf6-cc8a-4ea6-891f-6058569653bf","atomic_attack_name":"Windows - Delete Backup Files","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"1c68c68d-83a4-4981-974e-8993055fa034","atomic_attack_name":"Windows - Disable the SR scheduled task","platform":"Windows","sigma_rules":[{"rule_name":"Disable Important Scheduled Task","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"da558b07-69ae-41b9-b9d4-4d98154a7049","atomic_attack_name":"Windows - vssadmin Resize Shadowstorage Volume","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"a4420f93-5386-4290-b780-f4f66abc7070","atomic_attack_name":"Modify VSS Service Permissions","platform":"Windows","sigma_rules":[{"rule_name":"Allow Service Access Using Security Descriptor Tampering Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"},{"rule_name":"Service Security Descriptor Tampering Via 
Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"},{"rule_name":"Deny Service Access Using Security Descriptor Tampering Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"}],"splunk_rules":[]},{"tech_id":"T1505.002","atomic_attack_guid":"43e92449-ff60-46e9-83a3-1a38089df94d","atomic_attack_name":"Install MS Exchange Transport Agent Persistence","platform":"Windows","sigma_rules":[{"rule_name":"MSExchange Transport Agent Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml"}],"splunk_rules":[]},{"tech_id":"T1505.003","atomic_attack_guid":"0a2ce662-1efa-496f-a472-2fe7b080db16","atomic_attack_name":"Web Shell Written to Disk","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1518","atomic_attack_guid":"68981660-6670-47ee-a5fa-7e74806420a4","atomic_attack_name":"Find and Display Internet Explorer Browser Version","platform":"Windows","sigma_rules":[{"rule_name":"Detected Windows Software Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"f92a380f-ced9-491f-b338-95a991418ce2","atomic_attack_name":"Security Software Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Suspicious Tasklist Discovery 
Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"fe613cf3-8009-4446-9a0f-bc78a15b66c9","atomic_attack_name":"Security Software Discovery - Sysmon Service","platform":"Windows","sigma_rules":[{"rule_name":"Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"1553252f-14ea-4d3b-8a08-d7a4211aa945","atomic_attack_name":"Security Software Discovery - AV Discovery via WMI","platform":"Windows","sigma_rules":[{"rule_name":"Potential Product Class Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"},{"rule_name":"Potential Product Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"ed366cde-7d12-49df-a833-671904770b9f","atomic_attack_name":"Modify Fax service to run PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"},{"rule_name":"Suspicious Service Path Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"981e2942-e433-44e9-afc1-8c957a1496b6","atomic_attack_name":"Service Installation 
CMD","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"491a4af6-a521-4b74-b23b-f7b3f1ee9e77","atomic_attack_name":"Service Installation PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"ef0581fd-528e-4662-87bc-4c2affb86940","atomic_attack_name":"TinyTurla backdoor service w64time","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546","atomic_attack_guid":"547a4736-dd1c-4b48-b4fe-e916190bb2e7","atomic_attack_name":"Persistence via ErrorHandler.cmd script execution","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.001","atomic_attack_guid":"10a08978-2045-4d62-8c42-1957bbbea102","atomic_attack_name":"Change Default File Association","platform":"Windows","sigma_rules":[{"rule_name":"Change Default File Association Via Assoc","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1546.002","atomic_attack_guid":"281201e7-de41-4dc9-b73d-f288938cbb64","atomic_attack_name":"Set Arbitrary Binary as Screensaver","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.007","atomic_attack_guid":"3244697d-5a3a-4dfc-941c-550f69f91a4d","atomic_attack_name":"Netsh Helper DLL Registration","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Via Netsh Helper DLL","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1546.008","atomic_attack_guid":"934e90cf-29ca-48b3-863c-411737ad44e3","atomic_attack_name":"Replace binary of sticky keys","platform":"Windows","sigma_rules":[{"rule_name":"Persistence Via Sticky Key Backdoor","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.008","atomic_attack_guid":"51ef369c-5e87-4f33-88cd-6d61be63edf2","atomic_attack_name":"Create Symbolic Link From osk.exe to cmd.exe","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Privilege Escalation Using Symlink Between Osk and Cmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"}],"splunk_rules":[]},{"tech_id":"T1546.011","atomic_attack_guid":"9ab27e22-ee62-4211-962b-d36d9a0e6a18","atomic_attack_name":"Application Shim Installation","platform":"Windows","sigma_rules":[{"rule_name":"Potential Shim Database Persistence via Sdbinst.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1546.011","atomic_attack_guid":"aefd6866-d753-431f-a7a4-215ca7e3f13d","atomic_attack_name":"New shim database files created in the default shim database directory","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1547","atomic_attack_guid":"cb01b3da-b0e7-4e24-bf6d-de5223526785","atomic_attack_name":"Add a driver","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Driver Install by pnputil.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"}],"splunk_rules":[]},{"tech_id":"T1547","atomic_attack_guid":"5cb0b071-8a5a-412f-839d-116beb2ed9f7","atomic_attack_name":"Driver Installation Using pnputil.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Driver Install by pnputil.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"e55be3fd-3521-4610-9d1a-e210e42dcf05","atomic_attack_name":"Reg Key Run","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"554cbd88-cde1-4b56-8168-0be552eed9eb","atomic_attack_name":"Reg Key RunOnce","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"6e1666d5-3f2b-4b9a-80aa-f011322380d4","atomic_attack_name":"Creating Boot Verification Program Key for application execution during successful boot","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1547.009","atomic_attack_guid":"ce4fc678-364f-4282-af16-2fb4c78005ce","atomic_attack_name":"Shortcut Modification","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1548.002","atomic_attack_guid":"58f641ea-12e3-499a-b684-44dee46bd182","atomic_attack_name":"Bypass UAC using Fodhelper","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add Open Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml"}],"splunk_rules":[]},{"tech_id":"T1552.002","atomic_attack_guid":"b6ec082c-7384-46b3-a111-9a9b8b14e5e7","atomic_attack_name":"Enumeration for Credentials in Registry","platform":"Windows","sigma_rules":[{"rule_name":"Enumeration for Credentials in 
Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml"}],"splunk_rules":[]},{"tech_id":"T1552.002","atomic_attack_guid":"af197fd7-e868-448e-9bd5-05d1bcd9d9e5","atomic_attack_name":"Enumeration for PuTTY Credentials in Registry","platform":"Windows","sigma_rules":[{"rule_name":"Enumeration for Credentials in Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml"},{"rule_name":"Enumeration for 3rd Party Creds From CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"}],"splunk_rules":[]},{"tech_id":"T1552.004","atomic_attack_guid":"336b25bf-4514-4684-8924-474974f28137","atomic_attack_name":"CertUtil ExportPFX","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1552.004","atomic_attack_guid":"290df60e-4b5d-4a5e-b0c7-dc5348ea0c86","atomic_attack_name":"Export Certificates with Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"}],"splunk_rules":[]},{"tech_id":"T1552.006","atomic_attack_guid":"e9584f82-322c-474a-b831-940fd8b4455c","atomic_attack_name":"GPP Passwords (Get-GPPPassword)","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[]},{"tech_id":"T1553.003","atomic_attack_guid":"e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675","atomic_attack_name":"SIP (Subject Interface Package) Hijacking via Custom DLL","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Regsvr32 Execution From Highly Suspicious Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml"}],"splunk_rules":[]},{"tech_id":"T1553.004","atomic_attack_guid":"ca20a3f1-42b5-4e21-ad3f-1049199ec2e0","atomic_attack_name":"Add Root Certificate to CurrentUser Certificate Store","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web 
Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"c89becbe-1758-4e7d-a0f4-97d2188a23e3","atomic_attack_name":"Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"8fd5a296-6772-4766-9991-ff4e92af7240","atomic_attack_name":"Dump credentials from Windows Credential Manager With PowerShell [web Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"36753ded-e5c4-4eb5-bc3c-e8fba236878d","atomic_attack_name":"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows 
Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"bc071188-459f-44d5-901a-f8f2625b2d2e","atomic_attack_name":"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"8c05b133-d438-47ca-a630-19cc464c4622","atomic_attack_name":"Run Chrome-password Collector","platform":"Windows","sigma_rules":[{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"9a2915b3-3954-4cce-8c76-00fbf4dbd014","atomic_attack_name":"LaZagne - Credentials from Browser","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - LaZagne Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"3d111226-d09a-4911-8715-fe11664f960d","atomic_attack_name":"Simulating access to Chrome Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"28498c17-57e4-495a-b0be-cc1e36de408b","atomic_attack_name":"Simulating access to Opera Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"eb8da98a-2e16-4551-b3dd-83de49baa14c","atomic_attack_name":"Simulating access to Windows Firefox Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"a6a5ec26-a2d1-4109-9d35-58b867689329","atomic_attack_name":"Simulating access to Windows Edge Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"70422253-8198-4019-b617-6be401b49fce","atomic_attack_name":"Dump Chrome Login Data with esentutl","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1555.004","atomic_attack_guid":"9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439","atomic_attack_name":"Access Saved Credentials via VaultCmd","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1560.001","atomic_attack_guid":"8dd61a55-44c6-43cc-af0c-8bdda276860c","atomic_attack_name":"Compress Data and lock with password for Exfiltration with winrar","platform":"Windows","sigma_rules":[{"rule_name":"Rar Usage with Password and Compression Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"}],"splunk_rules":[]},{"tech_id":"T1560.001","atomic_attack_guid":"01df0353-d531-408d-a0c5-3161bf822134","atomic_attack_name":"Compress Data and lock with password for Exfiltration with winzip","platform":"Windows","sigma_rules":[{"rule_name":"Compress Data and Lock With Password for Exfiltration With WINZIP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir 
Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1562","atomic_attack_guid":"40075d5f-3a70-4c66-9125-f72bee87247d","atomic_attack_name":"Windows Disable LSA Protection","platform":"Windows","sigma_rules":[{"rule_name":"LSA PPL Protection Disabled Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"811b3e76-c41b-430c-ac0d-e2380bfaa164","atomic_attack_name":"Unload Sysmon Filter Driver","platform":"Windows","sigma_rules":[{"rule_name":"Sysmon Driver Unloaded Via Fltmc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml"},{"rule_name":"Filter Driver Unloaded Via Fltmc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"695eed40-e949-40e5-b306-b4031e4154bd","atomic_attack_name":"AMSI Bypass - AMSI InitFailed","platform":"Windows","sigma_rules":[{"rule_name":"Potential AMSI Bypass Via .NET Reflection","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"a1230893-56ac-4c81-b644-2108e982f8f5","atomic_attack_name":"Disable Arbitrary Security Windows Service","platform":"Windows","sigma_rules":[{"rule_name":"Service StartupType Change Via 
Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"aa875ed4-8935-47e2-b2c5-6ec00ab220d2","atomic_attack_name":"Tamper with Windows Defender Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Service StartupType Change Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml"},{"rule_name":"Disable Windows Defender AV Security Monitoring","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"},{"rule_name":"Suspicious Windows Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"3d47daaa-2f56-43e0-94cc-caf5d8d52a68","atomic_attack_name":"Remove Windows Defender Definition Files","platform":"Windows","sigma_rules":[{"rule_name":"Windows Defender Definition Files Removed","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297","atomic_attack_name":"Uninstall Crowdstrike Falcon on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Uninstall Crowdstrike Falcon Sensor","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"24a12b91-05a7-4deb-8d7f-035fa98591bc","atomic_attack_name":"Kill antimalware protected processes using Backstab","platform":"Windows","sigma_rules":[{"rule_name":"Potential 
Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"66fb0bc1-3c3f-47e9-a298-550ecfefacbc","atomic_attack_name":"Powershell Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And 
Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1003.002","atomic_attack_guid":"5c2571d0-1572-416d-9676-812e64ca9f44","atomic_attack_name":"Registry dump of SAM, creds, and secrets","platform":"Windows","splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"}],"sigma_rules":[{"rule_name":"Dumping of Sensitive Hives Via Reg.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"}]},{"tech_id":"T1003.002","atomic_attack_guid":"a90c2f4d-6726-444e-99d2-a00cd7c20480","atomic_attack_name":"esentutl.exe SAM copy","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"}],"splunk_rules":[{"rule_name":"Esentutl SAM Copy","rule_link":"https://research.splunk.com/endpoint/d372f928-ce4f-11eb-a762-acde48001122/"}]},{"tech_id":"T1003.002","atomic_attack_guid":"eeb9751a-d598-42d3-b11c-c122d9c3f6c7","atomic_attack_name":"dump volume shadow copy hives with certutil","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output 
Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"File Encoded To Base64 Via Certutil.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"},{"rule_name":"File In Suspicious Location Encoded To Base64 Via Certutil.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"}],"splunk_rules":[{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f","atomic_attack_name":"Create Volume Shadow Copy with vssadmin","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"}],"splunk_rules":[{"rule_name":"Creation of Shadow Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"c6237146-9ea6-4711-85c9-c56d263a6b03","atomic_attack_name":"Copy NTDS.dit from Volume Shadow Copy","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy 
Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"Suspicious Process Patterns NTDS.DIT Exfil","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"},{"rule_name":"Copy From VolumeShadowCopy Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"},{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"224f7de0-8f0a-4a94-b5d8-989b036c86da","atomic_attack_name":"Create Volume Shadow Copy with WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"System Disk And Volume Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[{"rule_name":"Creation of Shadow 
Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"d893459f-71f0-484d-9808-ec83b2b64226","atomic_attack_name":"Create Volume Shadow Copy remotely with WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"System Disk And Volume Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Creation of Shadow Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"21c7bf80-3e8b-40fa-8f9d-f5b194ff2865","atomic_attack_name":"Create Volume Shadow Copy remotely (WMI) with esentutl","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Suspicious Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"},{"rule_name":"New Process Created Via 
Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"},{"rule_name":"Windows WMI Process Call Create","rule_link":"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/"},{"rule_name":"Remote Process Instantiation via WMI","rule_link":"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"21748c28-2793-4284-9e07-d6d028b66702","atomic_attack_name":"Create Symlink to Volume Shadow Copy","platform":"Windows","sigma_rules":[{"rule_name":"VolumeShadowCopy Symlink Creation Via Mklink","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"}],"splunk_rules":[{"rule_name":"Credential Dumping via Symlink to Shadow 
Copy","rule_link":"https://research.splunk.com/endpoint/c5eac648-fae0-4263-91a6-773df1f4c903/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"b385996c-0e7d-4e27-95a4-aca046b119a7","atomic_attack_name":"Create Volume Shadow Copy with diskshadow","platform":"Windows","sigma_rules":[{"rule_name":"Diskshadow Script Mode Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"},{"rule_name":"Windows Diskshadow Proxy Execution","rule_link":"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/"}]},{"tech_id":"T1003.004","atomic_attack_guid":"55295ab0-a703-433b-9ca4-ae13807de12f","atomic_attack_name":"Dumping LSA Secrets","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Psexec Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"},{"rule_name":"Detect PsExec With accepteula 
Flag","rule_link":"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/"}]},{"tech_id":"T1003.004","atomic_attack_guid":"2dfa3bff-9a27-46db-ab75-7faefdaca732","atomic_attack_name":"Dump Kerberos Tickets from LSA using dumper.ps1","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1003.006","atomic_attack_guid":"129efd28-8497-4c87-a1b0-73b9a870ca3e","atomic_attack_name":"DCSync (Active Directory)","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Operator Bloopers Cobalt Strike Commands","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[{"rule_name":"Windows Mimikatz Binary 
Execution","rule_link":"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/"}]},{"tech_id":"T1016","atomic_attack_guid":"9bb45dd7-c466-4f93-83a1-be30e56033ee","atomic_attack_name":"Adfind - Enumerate Active Directory Subnet Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1016","atomic_attack_guid":"34557863-344a-468f-808b-a1bfb89b4fa9","atomic_attack_name":"DNS Server Discovery Using nslookup","platform":"Windows","sigma_rules":[{"rule_name":"Net
SYMBOL INDEX (84 symbols across 13 files)
FILE: automation/atomic_handler.py
function get_all_technique_ids (line 12) | def get_all_technique_ids(atomics_path: str | None = None) -> list[str]:
class AtomicParser (line 31) | class AtomicParser:
method __init__ (line 37) | def __init__(self, atomics_path: str | None = None):
method get_tests_for_technique (line 41) | def get_tests_for_technique(
function find_atomic_for_technique (line 69) | def find_atomic_for_technique(technique_id, atomics_path):
function prepare_command (line 105) | def prepare_command(atomic_test):
FILE: automation/config.py
function _as_bool (line 26) | def _as_bool(val: str | None, default: bool = False) -> bool:
FILE: automation/dependency_handler.py
function check_and_update_dependencies (line 16) | def check_and_update_dependencies(base_path):
function _download_file (line 62) | def _download_file(url: str, dest_path: Path) -> bool:
function stage_atomic_dependencies_locally (line 73) | def stage_atomic_dependencies_locally(atomic_test: dict, technique_dir: ...
FILE: automation/dynamic_generator.py
function _apply_cim_mapping (line 55) | def _apply_cim_mapping(spl: str) -> str:
function _normalize_sigma_spl_for_splunk (line 65) | def _normalize_sigma_spl_for_splunk(query: str) -> str:
function _cim_search_only (line 96) | def _cim_search_only(query: str) -> str:
class RuleMapper (line 101) | class RuleMapper:
method __init__ (line 102) | def __init__(self):
method _sanitize_escu_spl (line 107) | def _sanitize_escu_spl(search: str) -> str:
method _sigma_file_to_spl (line 120) | def _sigma_file_to_spl(filepath: str) -> str | None:
method collect_for_technique (line 136) | def collect_for_technique(self, technique_id: str) -> tuple[list, list]:
class AttackEngine (line 201) | class AttackEngine:
method run_attack (line 203) | def run_attack(technique_id: str, test_number: int = 1) -> tuple[bool,...
class VerificationEngine (line 224) | class VerificationEngine:
method __init__ (line 225) | def __init__(self, service):
method run (line 228) | def run(
class ReportGenerator (line 279) | class ReportGenerator:
method build_entry (line 281) | def build_entry(
class DynamicDetectionLab (line 300) | class DynamicDetectionLab:
method __init__ (line 301) | def __init__(self, technique_ids: list[str] | None = None):
method service (line 309) | def service(self):
method run (line 314) | def run(self) -> list:
function run_dynamic_generator (line 430) | def run_dynamic_generator(technique_ids: list[str] | None = None) -> list:
FILE: automation/escu_handler.py
function _normalize_status (line 7) | def _normalize_status(raw: str | None) -> str:
function load_and_parse_rules (line 24) | def load_and_parse_rules(path: str):
FILE: automation/execution_handler.py
class PowerShellExecutor (line 11) | class PowerShellExecutor:
method __init__ (line 12) | def __init__(self):
method connect (line 20) | def connect(self):
method disconnect (line 40) | def disconnect(self):
method execute (line 48) | def execute(self, command):
function run_invoke_atomic_test (line 86) | def run_invoke_atomic_test(technique_id="T1059.001", test_number=1):
function run_simple_encoded_command (line 113) | def run_simple_encoded_command():
function run_first_attack_simulation (line 131) | def run_first_attack_simulation():
function run_first_attack_workflow (line 138) | def run_first_attack_workflow():
function _create_ssh_client (line 164) | def _create_ssh_client():
function _upload_file_sftp (line 179) | def _upload_file_sftp(client, local_path, remote_path):
function _build_arg_value_map (line 191) | def _build_arg_value_map(atomic_test: dict, safe_dir: str) -> dict:
function _apply_rewrites_to_command (line 216) | def _apply_rewrites_to_command(cmd_text: str, arg_map: dict, safe_dir: s...
function _normalize_command_for_executor (line 230) | def _normalize_command_for_executor(command_text: str, executor_name: st...
function _exec_on_vm (line 243) | def _exec_on_vm(client, command_text: str, executor_name: str):
function run_test_on_vm (line 291) | def run_test_on_vm(atomic_test, test_technique_path):
FILE: automation/main.py
function banner (line 22) | def banner():
function setup_logging (line 30) | def setup_logging(verbose: bool = False):
function main (line 47) | def main():
FILE: automation/repo_manager.py
class RepoManager (line 15) | class RepoManager:
method __init__ (line 16) | def __init__(self, base_path: str | None = None):
method _run_git (line 19) | def _run_git(self, cmd: list[str], cwd: str | None = None) -> tuple[bo...
method _clone (line 35) | def _clone(self, name: str, url: str) -> bool:
method _pull (line 45) | def _pull(self, name: str) -> bool:
method ensure_repos (line 55) | def ensure_repos(self) -> bool:
FILE: automation/report_handler.py
class ReportHandler (line 10) | class ReportHandler:
method generate_cors_headers (line 13) | def generate_cors_headers(self) -> None:
method generate_mitre_layers (line 27) | def generate_mitre_layers(self) -> list[str]:
method _log_rule_details (line 151) | def _log_rule_details(self, entry: dict, rule_list: list, rule_type: s...
method _build_ultra_lite (line 167) | def _build_ultra_lite(self, merged: list) -> list:
method _merge_rule_lists (line 199) | def _merge_rule_lists(self, existing_rules: list, new_rules: list) -> ...
method save_report_json (line 213) | def save_report_json(self, new_results: list) -> str:
method print_coverage_stats (line 316) | def print_coverage_stats(self, data: list) -> None:
function generate_json_output (line 338) | def generate_json_output(new_results, output_path):
function generate_csv_summary (line 406) | def generate_csv_summary(results, output_path):
FILE: automation/sigma_handler.py
function parse_sigma_rule (line 9) | def parse_sigma_rule(file_path, rules_base_path):
function load_and_parse_rules (line 45) | def load_and_parse_rules(path):
FILE: automation/splunk_handler.py
function connect_to_splunk (line 11) | def connect_to_splunk():
function convert_sigma_to_spl (line 45) | def convert_sigma_to_spl(sigma_filepath: str) -> str | None:
function _iso_to_epoch_seconds (line 74) | def _iso_to_epoch_seconds(iso_str: str) -> int:
function _with_index_prefix (line 91) | def _with_index_prefix(query: str) -> str:
function check_for_detection (line 117) | def check_for_detection(service, search_query: str, earliest_time: str, ...
function sanity_check_ingestion (line 157) | def sanity_check_ingestion(service, host: str, earliest_time: str, lates...
FILE: automation/utils.py
function load_yaml_file (line 4) | def load_yaml_file(filepath):
FILE: automation/vm_handler.py
function _get_proxmox_ssh_client (line 12) | def _get_proxmox_ssh_client():
function _run_proxmox_command (line 61) | def _run_proxmox_command(args, check=True):
function get_vm_state (line 100) | def get_vm_state():
function ensure_vm_is_off (line 112) | def ensure_vm_is_off(timeout_seconds=60):
function revert_to_snapshot (line 141) | def revert_to_snapshot():
function start_vm (line 164) | def start_vm():
function stop_vm (line 178) | def stop_vm():
function is_vm_ready (line 184) | def is_vm_ready(timeout_seconds=300):
Condensed preview: 29 files, each showing path, character count, and a content snippet (1,329K chars of full structured content).
[
{
"path": ".github/workflows/deploy.yml",
"chars": 546,
"preview": "name: Deploy to Netlify\non:\n push:\n branches:\n - main # Only deploy when pushing to the main branch\n paths:"
},
{
"path": ".gitignore",
"chars": 277,
"preview": "generator\n.vscode\n# Python virtual environment\nvenv/\n.venv\n# Local environment variables\n.env\n# Dependencies managed by "
},
{
"path": "AUTOMATION.md",
"chars": 7587,
"preview": "# Automation & Dashboard — Technical Manual\n\nThis document describes the **Automation** and **Dashboard** capabilities a"
},
{
"path": "LICENSE",
"chars": 11344,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "README.md",
"chars": 4047,
"preview": "# AttackRuleMap\n\n[](https://attackrulemap.com)\n!"
},
{
"path": "attack_rule_map.json",
"chars": 458162,
"preview": "[{\"tech_id\":\"T1046\",\"atomic_attack_guid\":\"68e907da-2539-48f6-9fc9-257a78c05540\",\"atomic_attack_name\":\"Port Scan\",\"platfo"
},
{
"path": "automation/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "automation/atomic_handler.py",
"chars": 4789,
"preview": "# automation/atomic_handler.py\n\nimport os\nimport re\nimport yaml\nimport logging\n\n# ATT&CK technique ID pattern: T followe"
},
{
"path": "automation/config.py",
"chars": 5182,
"preview": "import os\nimport logging\nfrom dotenv import load_dotenv\n\n# Find the project root directory\n# This file (config.py) -> pa"
},
{
"path": "automation/dependency_handler.py",
"chars": 5564,
"preview": "import os\nimport re\nimport shutil\nimport subprocess\nfrom pathlib import Path\nfrom urllib.parse import urlparse\nimport ur"
},
{
"path": "automation/dynamic_generator.py",
"chars": 17618,
"preview": "import os\nimport re\nimport sys\nimport json\nimport time\nimport logging\nimport glob\n\nfrom automation import config\nfrom au"
},
{
"path": "automation/escu_handler.py",
"chars": 2552,
"preview": "import os\nimport glob\nimport logging\nfrom automation import utils\n\n\ndef _normalize_status(raw: str | None) -> str:\n \""
},
{
"path": "automation/execution_handler.py",
"chars": 17525,
"preview": "import os\nimport logging\nimport re\nimport time\nimport paramiko\nfrom automation import config\nfrom automation import depe"
},
{
"path": "automation/main.py",
"chars": 4917,
"preview": "import os\nimport sys\nimport argparse\nimport logging\nfrom datetime import datetime\n\n_project_root = os.path.dirname(os.pa"
},
{
"path": "automation/repo_manager.py",
"chars": 2422,
"preview": "import os\nimport sys\nimport subprocess\nimport logging\n\nfrom automation import config\n\nREPOS = [\n (\"sigma\", \"https://g"
},
{
"path": "automation/report_handler.py",
"chars": 19061,
"preview": "import json\nimport os\nimport logging\nimport csv\nfrom datetime import datetime\n\nfrom automation import config\n\n\nclass Rep"
},
{
"path": "automation/sigma_handler.py",
"chars": 1968,
"preview": "import os\nimport glob\nimport re\nimport logging\nfrom automation import utils\n\nSIGMA_BASE_URL = \"https://github.com/SigmaH"
},
{
"path": "automation/splunk_handler.py",
"chars": 7612,
"preview": "import os\nimport time\nimport logging\nfrom datetime import datetime, timezone\nimport splunklib.client as client\nfrom auto"
},
{
"path": "automation/utils.py",
"chars": 418,
"preview": "import yaml\nimport logging\n\ndef load_yaml_file(filepath):\n \"\"\"\n Safely loads a YAML file and returns its content.\n"
},
{
"path": "automation/vm_handler.py",
"chars": 6878,
"preview": "\"\"\"\nVM lifecycle management via Proxmox over SSH.\nUses paramiko to connect to Proxmox host and run qm commands.\n\"\"\"\nimpo"
},
{
"path": "dist/_headers",
"chars": 144,
"preview": "/*\n Access-Control-Allow-Origin: https://mitre-attack.github.io\n Access-Control-Allow-Methods: GET, OPTIONS\n Access-C"
},
{
"path": "dist/assets/images/favicon/site.webmanifest",
"chars": 481,
"preview": "{\n \"name\": \"AttackRuleMap\",\n \"short_name\": \"ARM\",\n \"icons\": [\n {\n \"src\": \"/assets/images/favicon/web-app-mani"
},
{
"path": "dist/attack_rule_map.json",
"chars": 458162,
"preview": "[{\"tech_id\":\"T1046\",\"atomic_attack_guid\":\"68e907da-2539-48f6-9fc9-257a78c05540\",\"atomic_attack_name\":\"Port Scan\",\"platfo"
},
{
"path": "dist/index.html",
"chars": 18994,
"preview": "<!DOCTYPE html>\n<html lang=\"en\" data-bs-theme=\"dark\">\n <head>\n <meta charset=\"UTF-8\" />\n <title>ARM - AttackRuleM"
},
{
"path": "dist/metadata.json",
"chars": 43,
"preview": "{\n \"last_updated\": \"2026-02-12 12:30:12\"\n}"
},
{
"path": "dist/mitre_layer_combined.json",
"chars": 63299,
"preview": "{\n \"name\": \"ARM - Sigma + Splunk Detection Coverage\",\n \"versions\": {\n \"attack\": \"18\",\n \"navigator\": "
},
{
"path": "dist/mitre_layer_sigma.json",
"chars": 63248,
"preview": "{\n \"name\": \"ARM - Sigma Detection Coverage\",\n \"versions\": {\n \"attack\": \"18\",\n \"navigator\": \"5.3.0\",\n"
},
{
"path": "dist/mitre_layer_splunk.json",
"chars": 62960,
"preview": "{\n \"name\": \"ARM - Splunk Detection Coverage\",\n \"versions\": {\n \"attack\": \"18\",\n \"navigator\": \"5.3.0\","
},
{
"path": "requirements.txt",
"chars": 211,
"preview": "# AttackRuleMap - Direct dependencies for automation/\n# Install: pip install -r requirements.txt\n\nparamiko>=4.0.0\nPyYAML"
}
]
About this extraction
This page contains the full source code of the krdmnbrk/AttackRuleMap GitHub repository, extracted and formatted as plain text. The extraction includes 29 files (1.2 MB), approximately 316.5k tokens, and a symbol index with 84 extracted functions, classes, methods, constants, and types.
Extracted by GitExtract. Built by Nikandr Surkov.