[
  {
    "path": ".github/workflows/deploy.yml",
    "content": "name: Deploy to Netlify\non:\n  push:\n    branches:\n      - main  # Only deploy when pushing to the main branch\n    paths:\n      - 'dist/**'\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Deploy to Netlify\n        uses: nwtgck/actions-netlify@v3.0.0\n        with:\n          publish-dir: './dist'\n          production-deploy: true\n        env:\n          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}\n          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}"
  },
  {
    "path": ".gitignore",
    "content": "generator\n.vscode\n# Python virtual environment\nvenv/\n.venv\n# Local environment variables\n.env\n# Dependencies managed by the automation script\ndependencies/\n# Repos cloned by RepoManager (Sigma, ESCU, Atomic Red Team)\ndata/repos/\n# Compiled files\n__pycache__/\n*.pyc\n# Logs\n*.log"
  },
  {
    "path": "AUTOMATION.md",
    "content": "# Automation & Dashboard — Technical Manual\n\nThis document describes the **Automation** and **Dashboard** capabilities added to AttackRuleMap. It is intended for Security Engineers and Detection Engineers who want to run Atomic Red Team tests, validate detections against Splunk and Sigma rules, and consume the resulting mapping via an HTML dashboard and MITRE ATT&CK® Navigator layers.\n\n---\n\n## 1. Overview\n\nThe automation module:\n\n- **Executes** [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) tests (optionally on a Windows VM or Proxmox-managed lab).\n- **Queries** Splunk for detection events using SPL derived from **Sigma** and **Splunk Security Content (ESCU)** rules.\n- **Maps** each atomic test to which rules detected it, with time-bounded search to avoid cross-contamination between sequential tests.\n- **Generates** a consolidated report (`attack_rule_map.json`) and an **HTML Dashboard** (`dist/index.html`) plus **MITRE ATT&CK® Navigator** layers for heatmap-style coverage visualization.\n\nThe focus is **validation**: confirming that your detection rules (Sigma/ESCU → Splunk) actually fire when the corresponding adversary techniques are executed, rather than relying on static mapping alone.\n\n---\n\n## 2. Architecture\n\n| Phase | Component | Description |\n|-------|-----------|-------------|\n| **Execution** | Atomic Red Team | Runs atomic tests (e.g. PowerShell, registry, file operations) on a target—local or remote VM. Test IDs and atomics are discovered from the Atomic Red Team repo. |\n| **Detection** | Splunk + Sigma / ESCU | Sigma rules are converted to SPL (pySigma); ESCU provides native SPL. The pipeline runs time-bounded Splunk searches to determine which rules detected each test. |\n| **Mapping** | Deep Merge Logic | New results are merged into the existing report by `atomic_attack_guid`. 
Existing entries are not overwritten; their `sigma_rules` and `splunk_rules` lists are extended with new detections (no duplicate rule names). |\n| **Visualization** | HTML Dashboard & MITRE Heatmap | `dist/index.html` loads `attack_rule_map.json` via AJAX and displays technique ↔ rule ↔ atomic test mappings. Navigator layers (`mitre_layer_sigma.json`, `mitre_layer_splunk.json`, `mitre_layer_combined.json`) show detection coverage per technique. |\n\nData flow: **Atomic execution** → **Splunk search (time window)** → **Detection result per rule** → **Report merge** → **JSON + MITRE layers** → **Dashboard**.\n\n---\n\n## 3. Setup & Installation\n\n### 3.1 Python Dependencies\n\nFrom the project root:\n\n```bash\npip install -r requirements.txt\n```\n\nThis installs (among others): `paramiko`, `PyYAML`, `python-dotenv`, `pySigma`, `pySigma-backend-splunk`, `splunk-sdk`.\n\n### 3.2 Environment Configuration\n\n1. Copy the example environment file:\n   ```bash\n   cp .env.example .env\n   ```\n2. Edit `.env` with your values. At minimum, configure:\n   - **Splunk**: `SPLUNK_HOST`, `SPLUNK_PORT`, `SPLUNK_USERNAME`, `SPLUNK_PASSWORD` (or `SPLUNK_TOKEN`), and optionally `SPLUNK_SEARCH_INDEX`.\n   - **Execution** (if using a VM): `VM_HOST`, `VM_USERNAME`, `VM_PASSWORD`, `VM_SAFE_DIR`; or Proxmox-related variables if using snapshot-based VMs.\n\nSee `.env.example` for all variables and inline comments. Do not commit `.env` to version control.\n\n### 3.3 Repositories (Sigma, ESCU, Atomic Red Team)\n\nOn first run with `--all` or when technique discovery is needed, the pipeline will clone (if missing) into `data/repos/` by default:\n\n- Sigma (SigmaHQ/sigma)\n- Splunk Security Content (splunk/security_content)\n- Atomic Red Team (redcanaryco/atomic-red-team)\n\nPaths can be overridden via `REPOS_BASE_PATH`, `SIGMA_REPO_PATH`, `ESCU_REPO_PATH`, `ATOMIC_RED_TEAM_REPO`, etc. in `.env`.\n\n---\n\n## 4. 
Usage\n\n### 4.1 Main Automation\n\nFrom the project root:\n\n```bash\n# Run all techniques defined in ATTACK_TIDS (config / .env)\npython -m automation.main --all\n\n# Run specific technique(s)\npython -m automation.main --tid T1059.001 --tid T1087.001\n\n# Verbose (DEBUG) logging\npython -m automation.main -v --tid T1059.001\n```\n\nThe pipeline will: run atomics, wait for indexing, query Splunk for each test’s time window, merge results into `dist/attack_rule_map.json`, and regenerate the MITRE Navigator layers.\n\n### 4.2 Regenerating MITRE Layers Only\n\nTo regenerate only the MITRE ATT&CK Navigator layer files from an existing `attack_rule_map.json` (no test execution):\n\n```bash\npython -m automation.main --mitre-only\n```\n\nUse this after editing the report manually or when you only need updated heatmaps.\n\n### 4.3 Report Merge (No Separate Script)\n\nThe pipeline does **not** ship a separate “recovery merge” script. Report updates are **incremental** and **deep-merged** on every run:\n\n- If `dist/attack_rule_map.json` exists, new results are merged by `atomic_attack_guid`.\n- For matching GUIDs, existing `sigma_rules` and `splunk_rules` are preserved and extended (by rule name, no duplicates).\n- New tests are appended. Output is “ultra-lite” (detected rules with `rule_name` and `rule_link` only).\n\nSo each run both adds new data and preserves prior validations.\n\n---\n\n## 5. Dashboard Features\n\n### 5.1 HTML Report (`dist/index.html`)\n\n- **Location**: Open `dist/index.html` in a browser (or serve `dist/` with any static file server).\n- **Data**: The page loads `attack_rule_map.json` via AJAX and optionally `metadata.json` for “Last updated” information.\n- **Content**: Table and filters for MITRE technique, atomic test name, Sigma rules, and Splunk/ESCU rules that detected each test. 
Supports export and search typical of a DataTables-based UI.\n\n### 5.2 MITRE ATT&CK® Navigator Integration\n\nThree layer files are written under `dist/`:\n\n| File | Description |\n|------|-------------|\n| `mitre_layer_sigma.json` | Coverage based on Sigma rule detections only. |\n| `mitre_layer_splunk.json` | Coverage based on Splunk/ESCU rule detections only. |\n| `mitre_layer_combined.json` | Coverage where either Sigma or Splunk detected the technique. |\n\nImport these into [MITRE ATT&CK® Navigator](https://mitre-attack.github.io/attack-navigator/) to view heatmaps (e.g. by detection rate per technique). Scores and comments in the layer reflect test counts and detected counts.\n\n### 5.3 Deep Merge Logic\n\n- **Preserves history**: Existing report entries are never overwritten by a new run; rule lists are merged by `atomic_attack_guid` and by rule name.\n- **Validation-centric**: The dashboard and layers reflect which rules have **actually** detected which tests in your environment, not just static rule–technique mappings.\n\n---\n\n## 6. Directory Structure\n\n| Path | Purpose |\n|------|---------|\n| `automation/` | Python package: config, atomic discovery, Sigma/ESCU handling, Splunk queries, VM/execution, report merge, MITRE layer generation. |\n| `dist/` | Output directory: `attack_rule_map.json`, `index.html`, `metadata.json`, MITRE layer JSONs, and static assets (CSS, JS, images) for the dashboard. |\n| `data/repos/` | Default location for cloned Sigma, ESCU, and Atomic Red Team repositories (created on first run if using default `REPOS_BASE_PATH`). 
|\n\nThe project root also contains `requirements.txt`, `.env.example`, and the main `README.md`; the latter is unchanged and describes the original AttackRuleMap project.\n\n---\n\n## Summary\n\nThis automation provides an end-to-end **detection validation** workflow: run Atomic Red Team tests, verify which Sigma and Splunk rules fire in your environment, and consume the results via a JSON report, HTML dashboard, and MITRE ATT&CK Navigator layers. Configuration is driven by `.env`; see `.env.example` for all options.\n"
  },
  {
    "path": "LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2024 Burak Karaduman\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
  },
  {
    "path": "README.md",
    "content": "# AttackRuleMap\n\n[![Website](https://img.shields.io/badge/Website-attackrulemap.com-blue)](https://attackrulemap.com)\n![GitHub License](https://img.shields.io/github/license/krdmnbrk/AttackRuleMap?style=flat)\n![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/krdmnbrk/AttackRuleMap/deploy.yml?style=flat)\n![Website](https://img.shields.io/website?url=https%3A%2F%2Fattackrulemap.com?style=flat)\n\n<img src=\"logo.png\" alt=\"atomic red team, detection rules, attackrulemap.com\" width=\"250\">\n\nThis repository provides a mapping of Atomic Red Team attack simulations to open-source detection rules, such as Sigma and Splunk ESCU.\n\n### [Go to AttackRuleMap](https://attackrulemap.com)\n\n## 🎯 Project Purpose\nThe goal of this project is to bridge the gap between Atomic Red Team's adversary simulations and open-source detection rules. By doing so, this project aims to help security professionals simulate attacks and evaluate their detection strategies more effectively. 🔒\n\n## 🧬 Project Origin (Proof-of-Concept to Scalable Validation)\n\nAttackRuleMap started as a hands-on lab simulation effort. 
In the initial phase, I:\n\n- Executed Atomic Red Team tests  \n- Ran Sigma and Splunk ESCU detections  \n- Recorded which rules fired for which techniques  \n\n### Environment Setup (Initial Phase)\n- Operating System: Windows Server 2019 (virtualized)  \n- Testing Tool: Atomic Red Team (PowerShell + manual adjustments where needed)  \n- Log Ingestion/Analysis: Splunk Enterprise  \n- Performance: Datamodel acceleration enabled to support multi-threaded searching  \n- Detection Rules: Sigma + Splunk ESCU  \n\nThis approach produced the first mapping dataset and validated that detections could be tested against real adversary simulations.\n\n> However, this process was partially manual and not scalable across the full MITRE ATT&CK matrix.\n\n---\n\n### 🚀 Scaling the Approach with Automation\n\nTo overcome these limitations, the project evolved with a community contribution, introducing an automated validation pipeline.\n\nThis extension transformed AttackRuleMap from a static mapping into a **continuous validation system** that:\n\n- Automatically executes Atomic Red Team tests  \n- Queries detection rules within a controlled time window  \n- Correlates results to avoid false positives  \n- Generates updated mapping data and ATT&CK coverage layers  \n- Feeds a dynamic dashboard for visualization  \n\nWith this approach, AttackRuleMap moves from **manual validation** to **evidence-based, repeatable detection testing at scale**.\n\n> This evolution enables security teams to continuously validate detection coverage instead of relying on assumed effectiveness.\n\n[Check post for automation details](https://emre-guler.medium.com/attackrulemap-scaling-the-bridge-between-detections-and-tests-via-automation-507f9c5c2b5a) by [@emregulerr](https://github.com/emregulerr)\n\n\n## 🔄 Sigma Rule Conversion\nTo convert Sigma rules into Splunk Search Processing Language (SPL), I used the [sigconverter.io](https://sigconverter.io) locally on Docker. 
This tool simplifies adapting Sigma rules for use in Splunk by automating the translation. Users can specify the desired target platform, such as Splunk, Elastic, Kusto, or any other platform supported by sigconverter, and the tool generates platform-specific queries from Sigma's rule definitions.\n\n## 🤝 Contribution\nThis project is open to contributions from the community. Here are some ways you can contribute:\n\n- **Platform Testing:** Test and validate the detection rules on non-Windows platforms, such as Linux or macOS.\n- **Feedback and Suggestions:** Share your ideas for improving the project or addressing potential gaps.\n\nIf you'd like to contribute, feel free to submit a pull request or open an issue. 💡\n\n## Contributors\n\n- [@Niicolaa](https://github.com/Niicolaa)\n- [@emregulerr](https://github.com/emregulerr)\n"
  },
  {
    "path": "attack_rule_map.json",
    "content": "[{\"tech_id\":\"T1046\",\"atomic_attack_guid\":\"68e907da-2539-48f6-9fc9-257a78c05540\",\"atomic_attack_name\":\"Port Scan\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Network Service Scanning\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"9d04efee-eff5-4240-b8d2-07792b873608\",\"atomic_attack_name\":\"Packet Capture macOS using tcpdump or tshark\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Network Sniffing - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.005\",\"atomic_attack_guid\":\"10cf5bec-49dd-4ebf-8077-8f47e420096f\",\"atomic_attack_name\":\"Add launch script to launch agent\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.005\",\"atomic_attack_guid\":\"fc369906-90c7-4a15-86fd-d37da624dde6\",\"atomic_attack_name\":\"Add launch script to launch daemon\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via 
Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"2a9b677d-a230-44f4-ad86-782df1ef108c\",\"atomic_attack_name\":\"System Owner/User Discovery\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Connections Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1030\",\"atomic_attack_guid\":\"ab936c51-10f4-46ce-9144-e02137b2016a\",\"atomic_attack_name\":\"Data Transfer Size Limits\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Split A File Into Pieces\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"e22a9e89-69c7-410f-a473-e6c212cd2292\",\"atomic_attack_name\":\"Pad Binary to Change Hash using truncate command - Linux/macOS\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Binary Padding - MacOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"ffe2346c-abd5-4b45-a713-bf5f1ebd573a\",\"atomic_attack_name\":\"Pad Binary to Change Hash - Linux/macOS dd\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Binary Padding - MacOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"f45df6be-2e1e-4136-a384-8f18ab3826fb\",\"atomic_attack_name\":\"Decode base64 Data into 
Script\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Decode Base64 Encoded Text -MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.005\",\"atomic_attack_guid\":\"8a930abe-841c-4d4f-a877-72e9fe90b9ea\",\"atomic_attack_name\":\"Enable Apple Remote Desktop Agent\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Information Discovery Using sw_vers\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml\"},{\"rule_name\":\"Local System Accounts Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_local_account.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"},{\"rule_name\":\"Creation Of A Local User Account\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_create_account.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"96db2632-8417-4dbb-b8bb-a8b92ba391de\",\"atomic_attack_name\":\"Remote System Discovery - sweep\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"acb6b1ff-e2ad-4d64-806c-6c35fe73b951\",\"atomic_attack_name\":\"Remote System Discovery - arp nix\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - 
macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"},{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"ff1d8c25-2aa4-4f18-a425-fede4a41ee88\",\"atomic_attack_name\":\"List macOS Firewall Rules\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"c141bbdb-7fca-4254-9fd6-f47e79447e17\",\"atomic_attack_name\":\"System Network Configuration Discovery\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"},{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"},{\"rule_name\":\"System Network Connections Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1005\",\"atomic_attack_guid\":\"cfb6d400-a269-4c06-a347-6d88d584d5f7\",\"atomic_attack_name\":\"Copy Apple Notes database files using AppleScript\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter 
AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"42510244-5019-48fa-a0e5-66c3b76e6049\",\"atomic_attack_name\":\"Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Microsoft IIS Service Account Password Dumped\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"84113186-ed3c-4d0d-8a3c-8980c86c1f4a\",\"atomic_attack_name\":\"Dump Credential Manager using keymgr.dll and rundll32.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Key Manager Access\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"0b207037-813c-4444-ac3f-b597cf280a67\",\"atomic_attack_name\":\"Send NTLM Hash with RPC Test Connection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Capture Credentials with Rpcping.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with 
Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"0be2230c-9ab3-4ac2-8826-3199b9a0ebf8\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using ProcDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed ProcDump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Potential LSASS Process Dump Via Procdump\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"},{\"rule_name\":\"Procdump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"2536dee2-12fb-459a-8c37-971844fa73be\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using comsvcs.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Memory Dump Via Comsvcs.DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml\"},{\"rule_name\":\"PowerShell Get-Process 
LSASS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"dddd4aca-bbed-46f0-984d-e4c5971c51ea\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using NanoDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"453acf13-1dbd-47d7-b28a-172ce9228023\",\"atomic_attack_name\":\"Offline Credential Theft With Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Operator Bloopers Cobalt Strike Commands\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"7cede33f-0acd-44ef-9774-15511300b24b\",\"atomic_attack_name\":\"Create Mini Dump of LSASS.exe using ProcDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"},{\"rule_name\":\"Procdump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"Potential LSASS Process Dump Via Procdump\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"86fc3f40-237f-4701-b155-81c01c48d697\",\"atomic_attack_name\":\"Dump LSASS.exe using imported Microsoft DLLs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - XORDump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"eb5adf16-b601-4926-bca7-dad22adffb37\",\"atomic_attack_name\":\"Dump LSASS.exe Memory through Silent Process Exit\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Mimikatz 
Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"2364e33d-ceab-4641-8468-bfb1d7cc2723\",\"atomic_attack_name\":\"Dump Active Directory Database with NTDSUtil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Patterns NTDS.DIT Exfil\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"542bb97e-da53-436b-8e43-e0a7d31a6c24\",\"atomic_attack_name\":\"Create Volume Shadow Copy with Powershell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"Create Volume Shadow Copy with Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.005\",\"atomic_attack_guid\":\"56506854-89d6-46a3-9804-b7fde90791f9\",\"atomic_attack_name\":\"Cached Credential Dump via Cmdkey\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.006\",\"atomic_attack_guid\":\"a0bced08-3fc5-4d8b-93b7-e8344739376e\",\"atomic_attack_name\":\"Run DSInternals Get-ADReplAccount\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DSInternals Suspicious PowerShell 
Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml\"},{\"rule_name\":\"Suspicious Get-ADReplAccount\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1007\",\"atomic_attack_guid\":\"89676ba1-b1f8-47ee-b940-2e1a113ebc71\",\"atomic_attack_name\":\"System Service Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1007\",\"atomic_attack_guid\":\"5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3\",\"atomic_attack_name\":\"System Service Discovery - net.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"970ab6a1-0157-4f3f-9a73-ec4166754b23\",\"atomic_attack_name\":\"System Network Configuration Discovery on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"dafaf052-5508-402d-bf77-51e0700c02e2\",\"atomic_attack_name\":\"System Network Configuration Discovery (TrickBot 
Style)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"},{\"rule_name\":\"Potential Recon Activity Via Nltest.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016.002\",\"atomic_attack_guid\":\"53cf1903-0fa7-4177-ab14-f358ae809eec\",\"atomic_attack_name\":\"Enumerate Stored Wi-Fi Profiles And Passwords via netsh\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Harvesting Of Wifi Credentials Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"6db1f57f-d1d5-4223-8a66-55c9c65a9592\",\"atomic_attack_name\":\"Remote System Discovery - ping sweep\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Scan Loop Network\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"64ede6ac-b57a-41c2-a7d1-32c6cd35397d\",\"atomic_attack_name\":\"Enumerate Active Directory Computers with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote System Discovery with Adsisearcher\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_system_discovery_with_adsisearcher.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"b8147c9a-84db-4ec1-8eee-4e0da75f0de5\",\"atomic_attack_name\":\"Enumerate Remote Hosts with Netscan\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"atomic_attack_guid\":\"74ace21e-a31c-4f7d-b540-53e4eb6d1f73\",\"atomic_attack_name\":\"Changing RDP Port to Non Standard Port via Command_Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Firewall Rule Added Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml\"},{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"},{\"rule_name\":\"Publicly Accessible RDP 
Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"atomic_attack_guid\":\"01d1c6c0-faf0-408e-b368-752a02285cb2\",\"atomic_attack_name\":\"Disable NLA for RDP via Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"},{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"e2d85e66-cb66-4ed7-93b1-833fc56c9319\",\"atomic_attack_name\":\"DLP Evasion via Sensitive Data in VBA Macro over HTTP\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"fad04df1-5229-4185-b016-fb6010cd87ac\",\"atomic_attack_name\":\"Execution from Compressed JScript File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via 
Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"4c4959bf-addf-4b4a-be86-8d09cc1857aa\",\"atomic_attack_name\":\"System Owner/User Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Command Output Piped To Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Whoami.EXE Execution With Output Option\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"5ba5a3d1-cf3c-4499-968a-a93155d1f717\",\"atomic_attack_name\":\"Masquerading as Windows LSASS process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Binary 
Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"3a2a578b-0a01-46e4-92e3-62e2859b42f0\",\"atomic_attack_name\":\"Masquerading - cscript.exe running as notepad.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa\",\"atomic_attack_name\":\"Masquerading - powershell.exe running as taskhostw.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"83810c46-f45e-4485-9ab6-8ed0e9e6ed7f\",\"atomic_attack_name\":\"Malicious process Masquerading as LSM.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Binary Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"b721c6ef-472c-4263-a0d9-37f1f4ecff66\",\"atomic_attack_name\":\"Creating W32Time similar named service using sc\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.007\",\"atomic_attack_guid\":\"c7fa0c3b-b57f-4cba-9118-863bf4e653fc\",\"atomic_attack_name\":\"File Extension Masquerading\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Suspicious Double Extension Files\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.001\",\"atomic_attack_guid\":\"d6042746-07d4-4c92-9ad8-e644c114a231\",\"atomic_attack_name\":\"Logon Scripts\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential 
Persistence Via Logon Scripts - CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Potential Persistence Via Logon Scripts - Registry\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1039\",\"atomic_attack_guid\":\"6ed67921-1774-44ba-bac6-adb51ed60660\",\"atomic_attack_name\":\"Copy a sensitive File over Administrative share with copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1039\",\"atomic_attack_guid\":\"7762e120-5879-44ff-97f8-008b401b9a98\",\"atomic_attack_name\":\"Copy a sensitive File over Administrative share with Powershell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol 
Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"b5656f67-d67f-4de8-8e62-b5581630f528\",\"atomic_attack_name\":\"Windows Internal Packet Capture\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Network Trace Capture Started Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"855fb8b4-b8ab-4785-ae77-09f5df7bff55\",\"atomic_attack_name\":\"Windows Internal pktmon set filter\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PktMon.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"5750aa16-0e59-4410-8b9a-8a47ca2788e2\",\"atomic_attack_name\":\"WMI Reconnaissance Processes\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"718aebaa-d0e0-471a-8241-c5afa69c7414\",\"atomic_attack_name\":\"WMI Reconnaissance Software\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Hotfix Updates Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1053.002\",\"atomic_attack_guid\":\"4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8\",\"atomic_attack_name\":\"At.exe Scheduled task\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Interactive AT 
Job\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"42f53695-ad4a-4546-abb6-7d837f644a71\",\"atomic_attack_name\":\"Scheduled task Local\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Schtasks Schedule Types\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"e895677d-4f06-49ab-91b6-ae3742d0a2ba\",\"atomic_attack_name\":\"Scheduled Task Executing Base64 Encoded Commands From Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scheduled Task Executing Encoded Payload from Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Command Patterns In Scheduled Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Scheduled Task Creation Via 
Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"3203ad24-168e-4bec-be36-f79b13ef8a83\",\"atomic_attack_name\":\"Remote Process Injection in LSASS via mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"2871ed59-3837-4a52-9107-99500ebc87cb\",\"atomic_attack_name\":\"Process Injection with Go using CreateThread WinAPI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"2a3c7035-d14f-467a-af94-933e49fe6786\",\"atomic_attack_name\":\"Process Injection with Go using CreateThread WinAPI (Natively)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1056.001\",\"atomic_attack_guid\":\"d9b633ca-8efb-45e6-b838-70f595c6ae26\",\"atomic_attack_name\":\"Input 
Capture\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Powershell Keylogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1056.004\",\"atomic_attack_guid\":\"de1934ea-1fbf-425b-8795-65fb27dd7e33\",\"atomic_attack_name\":\"Hook PowerShell TLS Encrypt/Decrypt Messages\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mavinject Inject DLL Into Running Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"c5806a4f-62b8-4900-980b-c7ec004e9908\",\"atomic_attack_name\":\"Process Discovery - tasklist\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"640cbf6d-659b-498b-ba53-f6dd1a1cc02c\",\"atomic_attack_name\":\"Process Discovery - wmic process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"11ba69ee-902e-4a0f-b3b6-418aed7d7ddb\",\"atomic_attack_name\":\"Discover Specific Process - tasklist\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LSASS Process Reconnaissance Via 
Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml\"},{\"rule_name\":\"Recon Command Output Piped To Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"af1800cf-9f9d-4fd1-a709-14b1e6de020d\",\"atomic_attack_name\":\"Mimikatz - Cradlecraft PsSendKeys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Potential PowerShell Command Line Obfuscation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Windows PowerShell Script Block With Malicious 
String\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml\"},{\"rule_name\":\"Detect Mimikatz With PowerShell Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"a538de64-1c74-46ed-aa60-b995ed302598\",\"atomic_attack_name\":\"PowerShell Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 
Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"49eb9404-5e0f-4031-a179-b40f7be385e3\",\"atomic_attack_name\":\"PowerShell Invoke Known Malicious Cmdlets\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"127b4afe-2346-4192-815c-69042bec570e\",\"atomic_attack_name\":\"Writes text to a file and displays it.\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"df81db1b-066c-4802-9bc8-b6d030c3ba8e\",\"atomic_attack_name\":\"Command Prompt read contents from CMD file and execute\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"00682c9f-7df4-4df8-950b-6dcaaa3ad9af\",\"atomic_attack_name\":\"Command prompt writing script to file then executes it\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Whoami.EXE Execution With Output Option\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.005\",\"atomic_attack_guid\":\"1620de42-160a-4fe5-bbaf-d3fef0181ce9\",\"atomic_attack_name\":\"Visual Basic script execution to gather local computer information\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via 
Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Registry Tampering by Potentially Suspicious Processes\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.007\",\"atomic_attack_guid\":\"01d75adf-ca1b-4dd1-ac96-7c9550ad1035\",\"atomic_attack_name\":\"JScript execution to gather local computer information via cscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.007\",\"atomic_attack_guid\":\"0709945e-4fec-4c49-9faf-c3c292a74484\",\"atomic_attack_name\":\"JScript execution to gather local computer information via wscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"9f4e344b-8434-41b3-85b1-d38f29d148d0\",\"atomic_attack_name\":\"Enumerate Active Directory Groups 
with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070\",\"atomic_attack_guid\":\"b4115c7a-0e92-47f0-a61e-17e7218b2435\",\"atomic_attack_name\":\"Indicator Removal using FSUtil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Suspicious Invocation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.001\",\"atomic_attack_guid\":\"e6abb60e-26b8-41da-8aae-0c35174b0967\",\"atomic_attack_name\":\"Clear Logs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Eventlog Clearing or Configuration Change Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"861ea0b4-708a-4d17-848d-186c9c7f17e3\",\"atomic_attack_name\":\"Delete a single file - Windows cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Cisco File 
Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"36f96049-0ad7-4a5f-8418-460acaeb92fb\",\"atomic_attack_name\":\"Delete Prefetch File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"},{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"atomic_attack_guid\":\"14c38f32-6509-46d8-ab43-d53e32d2b131\",\"atomic_attack_name\":\"Add Network Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"atomic_attack_guid\":\"09210ad5-1ef2-4077-9ad3-7351e13e9222\",\"atomic_attack_name\":\"Remove Network Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"},{\"rule_name\":\"Unmount Share Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1071.001\",\"atomic_attack_guid\":\"dc3488b0-08c7-4fea-b585-905c83b48180\",\"atomic_attack_name\":\"Malicious 
User Agents - CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1074.001\",\"atomic_attack_guid\":\"107706a5-6f9f-451a-adae-bab8c667829f\",\"atomic_attack_name\":\"Stage data from Discovery.bat\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1074.001\",\"atomic_attack_guid\":\"a57fbe4b-3440-452a-88a7-943531ac872a\",\"atomic_attack_name\":\"Zip a Folder with PowerShell for Staging in Temp\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml\"},{\"rule_name\":\"Zip A Folder With PowerShell For Staging In Temp - PowerShell Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1078.001\",\"atomic_attack_guid\":\"99747561-ed8d-47f2-9c91-1e5fde1ed6e0\",\"atomic_attack_name\":\"Enable Guest account with RDP capability and admin 
privileges\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"},{\"rule_name\":\"User Added to Remote Desktop Users Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml\"},{\"rule_name\":\"Weak or Abused Passwords In CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1078.003\",\"atomic_attack_guid\":\"a524ce99-86de-4db6-b4f9-e08f35a47a15\",\"atomic_attack_name\":\"Create local account with admin privileges\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"66703791-c902-4560-8770-42b8a91f7667\",\"atomic_attack_name\":\"System Information Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Configuration And Service Reconnaissance Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml\"},{\"rule_name\":\"Suspicious Execution of Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"224b4daf-db44-404e-b6b2-f4d1f0126ef8\",\"atomic_attack_name\":\"Windows MachineGUID Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Query of 
MachineGUID\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"69bd4abe-8759-49a6-8d21-0f15822d6370\",\"atomic_attack_name\":\"Griffon Recon\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"4060ee98-01ae-4c8e-8aad-af8300519cc7\",\"atomic_attack_name\":\"System Information Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml\"},{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potential Reconnaissance Activity Via GatherNetworkInfo.VBS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml\"},{\"rule_name\":\"Suspicious Execution of 
Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"atomic_attack_guid\":\"0e36303b-6762-4500-b003-127743b80ba6\",\"atomic_attack_name\":\"File and Directory Discovery (cmd.exe)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"95018438-454a-468c-a0fa-59c800149b59\",\"atomic_attack_name\":\"Automated AD Recon (ADRecon)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"736b4f53-f400-4c22-855d-1a6b5a551600\",\"atomic_attack_name\":\"Adfind -Listing password policy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via 
AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"b95fd967-4e62-4109-b48d-265edfd28c3a\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Admins\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"5e2938fb-f919-47b6-8b29-2f6a1f718e99\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Exchange AD Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"02e8be5a-3065-4e54-8cc8-a14d138834d3\",\"atomic_attack_name\":\"Enumerate Active Directory Users with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"7ab0205a-34e4-4a44-9b04-e1541d1a57be\",\"atomic_attack_name\":\"Enumerate Linked Policies In ADSISearcher Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1090.001\",\"atomic_attack_guid\":\"b8223ea9-4be2-44a6-b50a-9657a3d4e72a\",\"atomic_attack_name\":\"portproxy reg key\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Port Forwarding Rule Added Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"2ca61766-b456-4fcf-a35a-1233685e1cad\",\"atomic_attack_name\":\"OSTAP Worming 
Activity\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"fa5a2759-41d7-4e13-a19c-e8f28a53566f\",\"atomic_attack_name\":\"svchost writing a file to a UNC path\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"815bef8b-bf91-4b67-be4c-abe4c2a94ccc\",\"atomic_attack_name\":\"Download a File with Windows Defender MpCmdRun.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"File Download Via Windows Defender MpCmpRun.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"5f507e45-8411-4f99-84e7-e38530c45d01\",\"atomic_attack_name\":\"File download with finger.exe on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Finger.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"1a02df58-09af-4064-a765-0babe1a0d1e2\",\"atomic_attack_name\":\"Download a file with IMEWDBLD.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Arbitrary File Download Via IMEWDBLD.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"49845fc1-7961-4590-a0f0-3dbcf065ae7e\",\"atomic_attack_name\":\"Printer Migration Command-Line Tool UNC share folder into a zip file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"PrintBrm ZIP Creation of Extraction\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"54782d65-12f0-47a5-b4c1-b70ee23de6df\",\"atomic_attack_name\":\"Lolbas replace.exe use to copy file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Replace.exe Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml\"},{\"rule_name\":\"Greedy File Deletion Using 
Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"ed0335ac-0354-400c-8148-f6151d20035a\",\"atomic_attack_name\":\"Lolbas replace.exe use to copy UNC file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Replace.exe Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"6fdaae87-c05b-42f8-842e-991a74e8376b\",\"atomic_attack_name\":\"certreq download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Certreq Command to Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious CertReq Command to Download\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certreq_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"97116a3f-efac-4b26-8336-b9cb18c45188\",\"atomic_attack_name\":\"Download a file using wscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"c01cad7f-7a4c-49df-985e-b190dcf6a279\",\"atomic_attack_name\":\"iwr or Invoke Web-Request download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1110.001\",\"atomic_attack_guid\":\"59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4\",\"atomic_attack_name\":\"Password Brute User using Kerbrute Tool\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"282f929a-6bc5-42b8-bd93-960c3ba35afe\",\"atomic_attack_name\":\"Modify Registry of Local Machine - cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c0413fb5-33e2-40b7-9b6f-60b29f4a7a18\",\"atomic_attack_name\":\"Modify registry to store logon credentials\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious 
Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"95b25212-91a7-42ff-9613-124aca6845a8\",\"atomic_attack_name\":\"Windows Powershell Logging Disabled\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5\",\"atomic_attack_name\":\"Windows Add Registry Value to Load Service in Safe Mode without Network\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Add SafeBoot Keys Via Reg Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c173c948-65e5-499c-afbe-433722ed5bd4\",\"atomic_attack_name\":\"Windows Add Registry Value to Load Service in Safe Mode with Network\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Add SafeBoot Keys Via Reg Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c30dada3-7777-4590-b970-dc890b8cf113\",\"atomic_attack_name\":\"Suppress Win Defender Notifications\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"65704cd4-6e36-4b90-b6c1-dc29a82c8e56\",\"atomic_attack_name\":\"NetWire RAT Registry Key Creation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c375558d-7c25-45e9-bd64-7b23a97c1db0\",\"atomic_attack_name\":\"Ursnif Malware Registry Key Creation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"d2c9e41e-cd86-473d-980d-b6403562e3e1\",\"atomic_attack_name\":\"Disable Windows Error Reporting Settings\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"35727d9e-7a7f-4d0c-a259-dc3906d6e8b9\",\"atomic_attack_name\":\"Mimic Ransomware - Allow Multiple RDP Sessions per User\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"e3ad8e83-3089-49ff-817f-e52f8c948090\",\"atomic_attack_name\":\"Enabling Remote Desktop Protocol via Remote Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"3b625eaa-c10d-4635-af96-3eae7d2a2f3c\",\"atomic_attack_name\":\"Tamper Win Defender Protection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c88ef166-50fa-40d5-a80c-e2b87d4180f7\",\"atomic_attack_name\":\"Modify Internet Zone Protocol Defaults in Current User Registry - cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"ffeddced-bb9f-49c6-97f0-3d07a509bf94\",\"atomic_attack_name\":\"Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry 
Value.\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"16bdbe52-371c-4ccf-b708-79fba61f1db4\",\"atomic_attack_name\":\"Enable RDP via Registry (fDenyTSConnections)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"5f8e36de-37ca-455e-b054-a2584f043c06\",\"atomic_attack_name\":\"Disable Windows Remote Desktop Protocol\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"26fc7375-a551-4336-90d7-3f2817564304\",\"atomic_attack_name\":\"Requires the BitLocker PIN for Pre-boot authentication\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"bacb3e73-8161-43a9-8204-a69fe0e4b482\",\"atomic_attack_name\":\"Modify EnableBDEWithNoTPM Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add 
BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"10b33fb0-c58b-44cd-8599-b6da5ad6384c\",\"atomic_attack_name\":\"Modify UseTPMPIN Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c8480c83-a932-446e-a919-06a1fd1e512a\",\"atomic_attack_name\":\"Modify UseTPMKey Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"02d8b9f7-1a51-4011-8901-2d55cca667f9\",\"atomic_attack_name\":\"Modify UseTPMKeyPIN Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1113\",\"atomic_attack_guid\":\"5a496325-0115-4274-8eb9-755b649ad0fb\",\"atomic_attack_name\":\"Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Windows Recall Feature Enabled Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1115\",\"atomic_attack_guid\":\"0cd14633-58d4-4422-9ede-daa2c9474ae7\",\"atomic_attack_name\":\"Utilize Clipboard to store or execute commands from\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"PowerShell Get Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"},{\"rule_name\":\"Data Copied To Clipboard Via Clip.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"atomic_attack_guid\":\"cb379146-53f1-43e0-b884-7ce2c635ff5b\",\"atomic_attack_name\":\"Automated Collection Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Command Prompt\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"atomic_attack_guid\":\"aa1180e2-f329-4e1e-8625-2472ec0bfaf3\",\"atomic_attack_name\":\"Recon information for export with Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1120\",\"atomic_attack_guid\":\"424e18fd-48b8-4201-8d3a-bf591523a686\",\"atomic_attack_name\":\"Peripheral Device Discovery via fsutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Drive Enumeration\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1123\",\"atomic_attack_guid\":\"9c3ad250-b185-4444-b5a9-d69218a10c95\",\"atomic_attack_name\":\"using device audio capture commandlet\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Audio Capture via PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1124\",\"atomic_attack_guid\":\"20aba24b-e61f-4b26-b4ce-4784f763ca20\",\"atomic_attack_name\":\"System Time Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via 
Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"},{\"rule_name\":\"Discovery of a System Time\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1127\",\"atomic_attack_guid\":\"1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8\",\"atomic_attack_name\":\"Lolbin Jsc.exe compile javascript to exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"JScript Compiler Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1127\",\"atomic_attack_guid\":\"3fc9fea2-871d-414d-8ef6-02e85e322b80\",\"atomic_attack_name\":\"Lolbin Jsc.exe compile javascript to dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"JScript Compiler Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1134.004\",\"atomic_attack_guid\":\"cbbff285-9051-444a-9d17-c07cd2d230eb\",\"atomic_attack_name\":\"Parent PID Spoofing - Spawn from Specified Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Weak or Abused Passwords In 
CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"20f1097d-81c1-405c-8380-32174d493bbb\",\"atomic_attack_name\":\"Network Share Discovery command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"ab39a04f-0c93-4540-9ff2-83f862c385ae\",\"atomic_attack_name\":\"View available share drives\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"d07e4cc1-98ae-447e-9d31-36cb430d28c4\",\"atomic_attack_name\":\"PowerView ShareFinder\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Import New Module Via PowerShell CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1137\",\"atomic_attack_guid\":\"bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c\",\"atomic_attack_name\":\"Office Application Startup - Outlook as a C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1140\",\"atomic_attack_guid\":\"dc6fe391-69e6-4506-bd06-ea5eeb4082f8\",\"atomic_attack_name\":\"Deobfuscate/Decode Files Or Information\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1140\",\"atomic_attack_guid\":\"71abc534-3c05-4d0c-80f7-cbe93cb2aa94\",\"atomic_attack_name\":\"Certutil Rename and Decode\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"485ce873-2e65-4706-9c7e-ae3ab9e14213\",\"atomic_attack_name\":\"PetitPotam\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential 
SMB Relay Attack Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"81cfdd7f-1f41-4cc5-9845-bb5149438e37\",\"atomic_attack_name\":\"Trigger an authenticated RPC call to a target server with no Sign flag set\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Capture Credentials with Rpcping.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"4588d243-f24e-4549-b2e3-e627acc089f6\",\"atomic_attack_name\":\"Examine local password policy - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"510cc97f-56ac-4cd3-a198-d3218c23d889\",\"atomic_attack_name\":\"Use of SecEdit.exe to export the local security policy (including the password policy)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Suspicious Activity Using SeCEdit\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"cecfea7a-5f03-4cdd-8bc8-6f7c22862440\",\"atomic_attack_name\":\"Indirect Command Execution - pcalua.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use of Pcalua For 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"8b34a448-40d9-4fc3-a8c8-4bb286faf7dc\",\"atomic_attack_name\":\"Indirect Command Execution - forfiles.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Forfiles Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"0fd14730-6226-4f5e-8d67-43c65f1be940\",\"atomic_attack_name\":\"Indirect Command Execution - Scriptrunner.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Use of Scriptrunner.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"3f3af983-118a-4fa1-85d3-ba4daa739d80\",\"atomic_attack_name\":\"OSTap Payload Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"02f35d62-9fdc-4a97-b899-a5d9a876d295\",\"atomic_attack_name\":\"Potentially Unwanted Applications (PUA)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And 
Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"581d7521-9c4b-420e-9695-2aec5241167f\",\"atomic_attack_name\":\"LNK Payload Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1216\",\"atomic_attack_guid\":\"2a8f2d3c-3dec-4262-99dd-150cb2a4d63a\",\"atomic_attack_name\":\"manage-bde.wsf Signed Script Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Suspicious Calculator 
Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1216.001\",\"atomic_attack_guid\":\"9dd29a1f-1e16-4862-be83-913b10a88f6c\",\"atomic_attack_name\":\"PubPrn.vbs Signed Script Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Pubprn.vbs Proxy Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml\"},{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"76f71e2f-480e-4bed-b61e-398fe17499d5\",\"atomic_attack_name\":\"List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Where Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"4312cdbc-79fc-4a9c-becc-53d49c734bc5\",\"atomic_attack_name\":\"List Mozilla Firefox bookmarks on Windows with command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Where Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"727dbcdb-e495-4ab1-a6c4-80c7f77aef85\",\"atomic_attack_name\":\"List Internet Explorer Bookmarks using the command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File And SubFolder Enumeration Via Dir 
Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"ad2c17ed-f626-4061-b21e-b9804a6f3655\",\"atomic_attack_name\":\"Register-CimProvider - Execute evil dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DLL Execution Via Register-cimprovider.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"54ad7d5a-a1b5-472c-b6c4-f8090fb2daef\",\"atomic_attack_name\":\"InfDefaultInstall.exe .inf Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"InfDefaultInstall.exe .inf Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"7cbb0f26-a4c1-4f77-b180-a009aa05637e\",\"atomic_attack_name\":\"Microsoft.Workflow.Compiler.exe Payload Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Microsoft Workflow Compiler Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"9ebe7901-7edf-45c0-b5c7-8366300919db\",\"atomic_attack_name\":\"Invoke-ATHRemoteFXvGPUDisablementCommand base test\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"49fbd548-49e9-4bb7-94a6-3769613912b8\",\"atomic_attack_name\":\"Load Arbitrary DLL via Wuauclt (Windows Update Client)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Proxy Execution Via Wuauclt.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"5bcda9cd-8e85-48fa-861d-b5a85d91d48c\",\"atomic_attack_name\":\"Lolbin Gpscript logon option\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Gpscript Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"f8da74bb-21b8-4af9-8d84-f2c8e4a220e3\",\"atomic_attack_name\":\"Lolbin Gpscript startup option\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Gpscript Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"13c0804e-615e-43ad-b223-2dfbacd0b0b3\",\"atomic_attack_name\":\"Lolbas ie4uinit.exe use as proxy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"},{\"rule_name\":\"Ie4uinit Lolbin Use From Invalid Path\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"ab76e34f-28bf-441f-a39c-8db4835b89cc\",\"atomic_attack_name\":\"Provlaunch.exe Executes Arbitrary Command via Registry Key\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Provisioning Registry Key Abuse For Binary Proxy Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"7816c252-b728-4ea6-a683-bd9441ca0b71\",\"atomic_attack_name\":\"System Binary Proxy Execution - Wlrmdr Lolbin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wlrmdr.EXE Uncommon Argument Or Child Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.003\",\"atomic_attack_guid\":\"34e63321-9683-496b-bbc1-7566bc55e624\",\"atomic_attack_name\":\"CMSTP Executing Remote Scriptlet\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Bypass UAC via CMSTP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.003\",\"atomic_attack_guid\":\"748cb4f6-2fb3-4e97-b7ad-b22635a09ab0\",\"atomic_attack_name\":\"CMSTP Executing UAC Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Bypass UAC via CMSTP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml\"},{\"rule_name\":\"CMSTP Execution Registry Event\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"1483fab9-4f52-4217-a9ce-daa9d7747cae\",\"atomic_attack_name\":\"Mshta executes JavaScript Scheme Fetch Remote 
Payload With GetObject\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Remotely Hosted HTA File Executed Via Mshta.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml\"},{\"rule_name\":\"Suspicious JavaScript Execution Via Mshta.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"906865c3-e05f-4acc-85c4-fbc185455095\",\"atomic_attack_name\":\"Mshta executes VBScript to execute malicious command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"MSHTA Suspicious Execution 01\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"},{\"rule_name\":\"Wscript Shell Run In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"MSHTA Execution with Suspicious File Extensions\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"8707a805-2b76-4f32-b1c0-14e558205772\",\"atomic_attack_name\":\"Mshta used to Execute PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"},{\"rule_name\":\"MSHTA Suspicious Execution 01\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"},{\"rule_name\":\"Wscript Shell Run In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"MSHTA Execution with Suspicious File Extensions\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with embedded JScript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"8d73c7b0-c2b1-4ac1-881a-4aa644f76064\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with embedded VBScript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"628fa796-76c5-44c3-93aa-b9d8214fd568\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with an embedded DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"ed3fa08a-ca18-4009-973e-03d13014d0e8\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with an embedded EXE\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet 
Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"9d71c492-ea2e-4c08-af16-c6994cdf029f\",\"atomic_attack_name\":\"Regsvr32 Silent DLL Install Call DllRegisterServer\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"57ba4ce9-ee7a-4f27-9928-3c70c489b59d\",\"atomic_attack_name\":\"Rundll32 execute JavaScript Remote Payload With GetObject\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 DNSQuery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/network/rundll32_dnsquery.yml\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"638730e7-7aed-43dc-bf8c-8117f805f5bb\",\"atomic_attack_name\":\"Rundll32 execute VBscript command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wscript Shell Run In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"22cfde89-befe-4e15-9753-47306b37a6e3\",\"atomic_attack_name\":\"Execution of HTA and VBS Files using Rundll32 and URL.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"9f5d081a-ee5a-42f9-a04e-b7bdc487e676\",\"atomic_attack_name\":\"Launches an executable using Rundll32 and pcwutl.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Code Execution via Pcwutl.dll\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"83a95136-a496-423c-81d3-1c6750133917\",\"atomic_attack_name\":\"Rundll32 with desk.cpl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Rundll32 InstallScreenSaver Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"SCR File Write Event\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"2d5029f0-ae20-446f-8811-e7511b58e8b6\",\"atomic_attack_name\":\"Running DLL with .init extension and function\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8\",\"atomic_attack_name\":\"Rundll32 execute command via FileProtocolHandler\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"8a7f56ee-10e7-444c-a139-0109438288eb\",\"atomic_attack_name\":\"Rundll32 execute payload by calling 
RouteTheCall\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1220\",\"atomic_attack_guid\":\"1b237334-3e21-4a0c-8178-b8c996124988\",\"atomic_attack_name\":\"WMIC bypass using local XSL file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"XSL Script Execution Via WMIC.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml\"},{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1220\",\"atomic_attack_guid\":\"7f5be499-33be-4129-a560-66021f379b9b\",\"atomic_attack_name\":\"WMIC bypass using remote XSL file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"XSL Script Execution Via WMIC.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml\"},{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"},{\"rule_name\":\"Potential Remote SquiblyTwo Technique 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222\",\"atomic_attack_guid\":\"6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02\",\"atomic_attack_name\":\"Enable Local and Remote Symbolic Links via fsutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Behavior Set SymlinkEvaluation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"98d34bb4-6e75-42ad-9c41-1dae7dc6a001\",\"atomic_attack_name\":\"Take ownership using takeown utility\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Recursive Takeown\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml\"},{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"a8206bcc-f282-40a9-a389-05d9c0263485\",\"atomic_attack_name\":\"cacls - Grant permission to specified user or group recursively\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"bec1e95c-83aa-492e-ab77-60c71bbd21b0\",\"atomic_attack_name\":\"attrib - Remove read-only attribute\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions 
Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"32b979da-7b68-42c9-9a99-0e39900fc36c\",\"atomic_attack_name\":\"attrib - hide file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6\",\"atomic_attack_name\":\"Grant Full Access to folder for Everyone - Ryuk Ransomware Style\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"2e22641d-0498-48d2-b9ff-c71e496ccdbe\",\"atomic_attack_name\":\"Windows - Discover domain trusts with nltest\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Recon Activity Via Nltest.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"15fe436d-e771-4ff3-b655-2dca9ba52834\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Trusts\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"321fd25e-0007-417f-adec-33232252be19\",\"atomic_attack_name\":\"Overwrite deleted data on C drive\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Deleted Data Overwritten Via Cipher.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1486\",\"atomic_attack_guid\":\"649349c7-9abf-493b-a7a2-b1aa4d141528\",\"atomic_attack_name\":\"PureLocker Ransom Note\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"21dfb440-830d-4c86-a3e5-2a491d5a8d04\",\"atomic_attack_name\":\"Windows - Stop service using Service 
Controller\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Stop Windows Service Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"41274289-ec9c-4213-bea4-e43c4aa57954\",\"atomic_attack_name\":\"Windows - Stop service using net.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Stop Windows Service Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"f3191b84-c38b-400b-867e-3a217a27795f\",\"atomic_attack_name\":\"Windows - Stop service by killing process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Terminated Via Taskkill\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"43819286-91a9-4369-90ed-d31fb4da2c01\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"6a3ff8dd-f49c-4272-a658-11c2fe58bd88\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems 
Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"cf21060a-80b3-4238-a595-22525de4ab81\",\"atomic_attack_name\":\"Windows - Disable Windows Recovery Console Repair\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Boot Configuration Tampering Via Bcdedit.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"39a295ca-7059-4a88-86f6-09556c1211e7\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via WMI with PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"},{\"rule_name\":\"Deletion of Volume Shadow Copies via WMI with PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml\"},{\"rule_name\":\"Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Delete ShadowCopy With 
PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/delete_shadowcopy_with_powershell.yml\"}]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"6b1dbaf6-cc8a-4ea6-891f-6058569653bf\",\"atomic_attack_name\":\"Windows - Delete Backup Files\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"1c68c68d-83a4-4981-974e-8993055fa034\",\"atomic_attack_name\":\"Windows - Disable the SR scheduled task\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Disable Important Scheduled Task\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"da558b07-69ae-41b9-b9d4-4d98154a7049\",\"atomic_attack_name\":\"Windows - vssadmin Resize Shadowstorage Volume\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"a4420f93-5386-4290-b780-f4f66abc7070\",\"atomic_attack_name\":\"Modify VSS Service Permissions\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Allow Service Access Using Security Descriptor Tampering Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml\"},{\"rule_name\":\"Service Security Descriptor Tampering Via 
Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml\"},{\"rule_name\":\"Deny Service Access Using Security Descriptor Tampering Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1505.002\",\"atomic_attack_guid\":\"43e92449-ff60-46e9-83a3-1a38089df94d\",\"atomic_attack_name\":\"Install MS Exchange Transport Agent Persistence\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"MSExchange Transport Agent Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1505.003\",\"atomic_attack_guid\":\"0a2ce662-1efa-496f-a472-2fe7b080db16\",\"atomic_attack_name\":\"Web Shell Written to Disk\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518\",\"atomic_attack_guid\":\"68981660-6670-47ee-a5fa-7e74806420a4\",\"atomic_attack_name\":\"Find and Display Internet Explorer Browser Version\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Detected Windows Software Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"f92a380f-ced9-491f-b338-95a991418ce2\",\"atomic_attack_name\":\"Security Software Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Command Output Piped To 
Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"fe613cf3-8009-4446-9a0f-bc78a15b66c9\",\"atomic_attack_name\":\"Security Software Discovery - Sysmon Service\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"1553252f-14ea-4d3b-8a08-d7a4211aa945\",\"atomic_attack_name\":\"Security Software Discovery - AV Discovery via WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Product Class Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml\"},{\"rule_name\":\"Potential Product Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"ed366cde-7d12-49df-a833-671904770b9f\",\"atomic_attack_name\":\"Modify Fax service to run PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"},{\"rule_name\":\"Suspicious Service Path 
Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"981e2942-e433-44e9-afc1-8c957a1496b6\",\"atomic_attack_name\":\"Service Installation CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"491a4af6-a521-4b74-b23b-f7b3f1ee9e77\",\"atomic_attack_name\":\"Service Installation PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"ef0581fd-528e-4662-87bc-4c2affb86940\",\"atomic_attack_name\":\"TinyTurla backdoor service w64time\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546\",\"atomic_attack_guid\":\"547a4736-dd1c-4b48-b4fe-e916190bb2e7\",\"atomic_attack_name\":\"Persistence via ErrorHandler.cmd script execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.001\",\"atomic_attack_guid\":\"10a08978-2045-4d62-8c42-1957bbbea102\",\"atomic_attack_name\":\"Change Default File Association\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Change Default File Association Via Assoc\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.002\",\"atomic_attack_guid\":\"281201e7-de41-4dc9-b73d-f288938cbb64\",\"atomic_attack_name\":\"Set Arbitrary Binary as Screensaver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.007\",\"atomic_attack_guid\":\"3244697d-5a3a-4dfc-941c-550f69f91a4d\",\"atomic_attack_name\":\"Netsh Helper DLL Registration\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Via Netsh Helper DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.008\",\"atomic_attack_guid\":\"934e90cf-29ca-48b3-863c-411737ad44e3\",\"atomic_attack_name\":\"Replace binary of sticky 
keys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Persistence Via Sticky Key Backdoor\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.008\",\"atomic_attack_guid\":\"51ef369c-5e87-4f33-88cd-6d61be63edf2\",\"atomic_attack_name\":\"Create Symbolic Link From osk.exe to cmd.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Privilege Escalation Using Symlink Between Osk and Cmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.011\",\"atomic_attack_guid\":\"9ab27e22-ee62-4211-962b-d36d9a0e6a18\",\"atomic_attack_name\":\"Application Shim Installation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Shim Database Persistence via 
Sdbinst.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.011\",\"atomic_attack_guid\":\"aefd6866-d753-431f-a7a4-215ca7e3f13d\",\"atomic_attack_name\":\"New shim database files created in the default shim database directory\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547\",\"atomic_attack_guid\":\"cb01b3da-b0e7-4e24-bf6d-de5223526785\",\"atomic_attack_name\":\"Add a driver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Driver Install by pnputil.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547\",\"atomic_attack_guid\":\"5cb0b071-8a5a-412f-839d-116beb2ed9f7\",\"atomic_attack_name\":\"Driver Installation Using pnputil.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Driver Install by pnputil.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"e55be3fd-3521-4610-9d1a-e210e42dcf05\",\"atomic_attack_name\":\"Reg Key Run\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"554cbd88-cde1-4b56-8168-0be552eed9eb\",\"atomic_attack_name\":\"Reg Key RunOnce\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"6e1666d5-3f2b-4b9a-80aa-f011322380d4\",\"atomic_attack_name\":\"Creating Boot Verification Program Key for application execution during successful boot\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.009\",\"atomic_attack_guid\":\"ce4fc678-364f-4282-af16-2fb4c78005ce\",\"atomic_attack_name\":\"Shortcut Modification\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output 
Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"58f641ea-12e3-499a-b684-44dee46bd182\",\"atomic_attack_name\":\"Bypass UAC using Fodhelper\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add Open Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.002\",\"atomic_attack_guid\":\"b6ec082c-7384-46b3-a111-9a9b8b14e5e7\",\"atomic_attack_name\":\"Enumeration for Credentials in Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Enumeration for Credentials in Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.002\",\"atomic_attack_guid\":\"af197fd7-e868-448e-9bd5-05d1bcd9d9e5\",\"atomic_attack_name\":\"Enumeration for PuTTY Credentials in Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Enumeration for Credentials in Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml\"},{\"rule_name\":\"Enumeration for 3rd Party Creds From CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"336b25bf-4514-4684-8924-474974f28137\",\"atomic_attack_name\":\"CertUtil ExportPFX\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"290df60e-4b5d-4a5e-b0c7-dc5348ea0c86\",\"atomic_attack_name\":\"Export Certificates with Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.006\",\"atomic_attack_guid\":\"e9584f82-322c-474a-b831-940fd8b4455c\",\"atomic_attack_name\":\"GPP Passwords (Get-GPPPassword)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1553.003\",\"atomic_attack_guid\":\"e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675\",\"atomic_attack_name\":\"SIP (Subject Interface Package) Hijacking via Custom DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious 
Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1553.004\",\"atomic_attack_guid\":\"ca20a3f1-42b5-4e21-ad3f-1049199ec2e0\",\"atomic_attack_name\":\"Add Root Certificate to CurrentUser Certificate Store\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"c89becbe-1758-4e7d-a0f4-97d2188a23e3\",\"atomic_attack_name\":\"Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"8fd5a296-6772-4766-9991-ff4e92af7240\",\"atomic_attack_name\":\"Dump 
credentials from Windows Credential Manager With PowerShell [web Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"36753ded-e5c4-4eb5-bc3c-e8fba236878d\",\"atomic_attack_name\":\"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"bc071188-459f-44d5-901a-f8f2625b2d2e\",\"atomic_attack_name\":\"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"8c05b133-d438-47ca-a630-19cc464c4622\",\"atomic_attack_name\":\"Run Chrome-password Collector\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"9a2915b3-3954-4cce-8c76-00fbf4dbd014\",\"atomic_attack_name\":\"LaZagne - Credentials from Browser\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - LaZagne Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"3d111226-d09a-4911-8715-fe11664f960d\",\"atomic_attack_name\":\"Simulating access to Chrome Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"28498c17-57e4-495a-b0be-cc1e36de408b\",\"atomic_attack_name\":\"Simulating access to Opera Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"eb8da98a-2e16-4551-b3dd-83de49baa14c\",\"atomic_attack_name\":\"Simulating access to Windows Firefox Login 
Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"a6a5ec26-a2d1-4109-9d35-58b867689329\",\"atomic_attack_name\":\"Simulating access to Windows Edge Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"70422253-8198-4019-b617-6be401b49fce\",\"atomic_attack_name\":\"Dump Chrome Login Data with esentutl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.004\",\"atomic_attack_guid\":\"9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439\",\"atomic_attack_name\":\"Access Saved Credentials via VaultCmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via 
VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"8dd61a55-44c6-43cc-af0c-8bdda276860c\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with winrar\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Rar Usage with Password and Compression Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"01df0353-d531-408d-a0c5-3161bf822134\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with winzip\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Compress Data and Lock With Password for Exfiltration With WINZIP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562\",\"atomic_attack_guid\":\"40075d5f-3a70-4c66-9125-f72bee87247d\",\"atomic_attack_name\":\"Windows Disable LSA Protection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LSA PPL Protection Disabled Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"811b3e76-c41b-430c-ac0d-e2380bfaa164\",\"atomic_attack_name\":\"Unload Sysmon Filter Driver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Sysmon Driver Unloaded Via 
Fltmc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml\"},{\"rule_name\":\"Filter Driver Unloaded Via Fltmc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"695eed40-e949-40e5-b306-b4031e4154bd\",\"atomic_attack_name\":\"AMSI Bypass - AMSI InitFailed\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential AMSI Bypass Via .NET Reflection\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"a1230893-56ac-4c81-b644-2108e982f8f5\",\"atomic_attack_name\":\"Disable Arbitrary Security Windows Service\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service StartupType Change Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"aa875ed4-8935-47e2-b2c5-6ec00ab220d2\",\"atomic_attack_name\":\"Tamper with Windows Defender Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service StartupType Change Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml\"},{\"rule_name\":\"Disable Windows Defender AV Security Monitoring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml\"},{\"rule_name\":\"Suspicious Windows Service 
Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"3d47daaa-2f56-43e0-94cc-caf5d8d52a68\",\"atomic_attack_name\":\"Remove Windows Defender Definition Files\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Defender Definition Files Removed\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297\",\"atomic_attack_name\":\"Uninstall Crowdstrike Falcon on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Uninstall Crowdstrike Falcon Sensor\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"24a12b91-05a7-4deb-8d7f-035fa98591bc\",\"atomic_attack_name\":\"Kill antimalware protected processes using Backstab\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"66fb0bc1-3c3f-47e9-a298-550ecfefacbc\",\"atomic_attack_name\":\"Powershell Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"5c2571d0-1572-416d-9676-812e64ca9f44\",\"atomic_attack_name\":\"Registry dump of SAM, creds, and secrets\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"}],\"sigma_rules\":[{\"rule_name\":\"Dumping of Sensitive Hives Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"a90c2f4d-6726-444e-99d2-a00cd7c20480\",\"atomic_attack_name\":\"esentutl.exe SAM copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Esentutl SAM Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d372f928-ce4f-11eb-a762-acde48001122/\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"eeb9751a-d598-42d3-b11c-c122d9c3f6c7\",\"atomic_attack_name\":\"dump volume shadow copy hives with certutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy 
Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"File Encoded To Base64 Via Certutil.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml\"},{\"rule_name\":\"File In Suspicious Location Encoded To Base64 Via Certutil.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f\",\"atomic_attack_name\":\"Create Volume Shadow Copy with vssadmin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Creation of Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"c6237146-9ea6-4711-85c9-c56d263a6b03\",\"atomic_attack_name\":\"Copy NTDS.dit from Volume Shadow Copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy 
Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"Suspicious Process Patterns NTDS.DIT Exfil\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml\"},{\"rule_name\":\"Copy From VolumeShadowCopy Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"},{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"224f7de0-8f0a-4a94-b5d8-989b036c86da\",\"atomic_attack_name\":\"Create Volume Shadow Copy with WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"System Disk And Volume Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Creation of Shadow 
Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"d893459f-71f0-484d-9808-ec83b2b64226\",\"atomic_attack_name\":\"Create Volume Shadow Copy remotely with WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"System Disk And Volume Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Creation of Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"21c7bf80-3e8b-40fa-8f9d-f5b194ff2865\",\"atomic_attack_name\":\"Create Volume Shadow Copy remotely (WMI) with esentutl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Suspicious Process Created Via 
Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"21748c28-2793-4284-9e07-d6d028b66702\",\"atomic_attack_name\":\"Create Symlink to Volume Shadow Copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"VolumeShadowCopy Symlink Creation Via Mklink\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"Shadow Copies Creation Using Operating Systems 
Utilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Credential Dumping via Symlink to Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/c5eac648-fae0-4263-91a6-773df1f4c903/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"b385996c-0e7d-4e27-95a4-aca046b119a7\",\"atomic_attack_name\":\"Create Volume Shadow Copy with diskshadow\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Diskshadow Script Mode Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"},{\"rule_name\":\"Windows Diskshadow Proxy Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/\"}]},{\"tech_id\":\"T1003.004\",\"atomic_attack_guid\":\"55295ab0-a703-433b-9ca4-ae13807de12f\",\"atomic_attack_name\":\"Dumping LSA Secrets\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Psexec Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"},{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1003.004\",\"atomic_attack_guid\":\"2dfa3bff-9a27-46db-ab75-7faefdaca732\",\"atomic_attack_name\":\"Dump Kerberos Tickets from LSA using dumper.ps1\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1003.006\",\"atomic_attack_guid\":\"129efd28-8497-4c87-a1b0-73b9a870ca3e\",\"atomic_attack_name\":\"DCSync (Active Directory)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Operator Bloopers Cobalt Strike Commands\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"9bb45dd7-c466-4f93-83a1-be30e56033ee\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Subnet Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"34557863-344a-468f-808b-a1bfb89b4fa9\",\"atomic_attack_name\":\"DNS Server Discovery Using nslookup\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Network Reconnaissance Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Discovery Using ldap Nslookup\",\"rule_link\":\"https://research.splunk.com/endpoint/2418780f-7c3e-4c45-b8b4-996ea850cd49/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"85321a9c-897f-4a60-9f20-29788e50bccd\",\"atomic_attack_name\":\"Remote System Discovery - 
net\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Share And Session Enumeration Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote System Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"f1bf6c8f-9016-4edf-aff9-80b65f5d711f\",\"atomic_attack_name\":\"Remote System Discovery - net group Domain Computers\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"},{\"rule_name\":\"Remote System Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"52ab5108-3f6f-42fb-8ba3-73bc054f22c8\",\"atomic_attack_name\":\"Remote System Discovery - nltest\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Recon Activity Via 
Nltest.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Controller Discovery with Nltest\",\"rule_link\":\"https://research.splunk.com/endpoint/41243735-89a7-4c83-bcdd-570aa78f00a1/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"a889f5be-2d54-4050-bd05-884578748bb4\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Computer Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"97e89d9e-e3f5-41b5-a90f-1e0825df0fdf\",\"atomic_attack_name\":\"Enumerate Active Directory Computers with Get-AdComputer\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"},{\"rule_name\":\"GetAdComputer with PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadcomputer_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad\",\"atomic_attack_name\":\"Get-WmiObject to Enumerate Domain Controllers\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetWmiObject Ds Computer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3/\"},{\"rule_name\":\"GetWmiObject Ds Computer with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"5843529a-5056-4bc1-9c13-a311e2af4ca0\",\"atomic_attack_name\":\"Remote System Discovery - net group Domain Controller\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Cisco 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"3386975b-367a-4fbb-9d77-4dcf3639ffd3\",\"atomic_attack_name\":\"Map admin share\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Windows Admin Share Mount Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml\"},{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"0eb03d41-79e4-4393-8e57-6344856be1cf\",\"atomic_attack_name\":\"Copy and Execute File with PsExec\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Psexec Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"d41aaab5-bdfe-431d-a3d5-c29e9136ff46\",\"atomic_attack_name\":\"Execute command writing output to local Admin 
Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Redirection to Local Admin Share\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml\"},{\"rule_name\":\"HackTool - CrackMapExec Execution Patterns\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Impacket Lateral Movement Commandline Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/8ce07472-496f-11ec-ab3b-3e22fbd008af/\"}]},{\"tech_id\":\"T1021.003\",\"atomic_attack_guid\":\"6dc74eb1-c9d6-4c53-b3b5-6f50ae339673\",\"atomic_attack_name\":\"PowerShell Lateral Movement using MMC20\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Remote Process Instantiation via DCOM and PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/d4f42098-4680-11ec-ad07-3e22fbd008af/\"},{\"rule_name\":\"Remote Process Instantiation via DCOM and PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1021.004\",\"atomic_attack_guid\":\"280812c8-4dae-43e9-a74e-1d08ab997c0e\",\"atomic_attack_name\":\"ESXi - Enable SSH via VIM-CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b\",\"atomic_attack_name\":\"GetCurrent User with PowerShell Script\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetCurrent User with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/7eb9c3d5-c98c-4088-acc5-8240bad15379/\"},{\"rule_name\":\"GetCurrent User with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getcurrent_user_with_powershell_script_block.yml\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Get Current User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"24136435-c91a-4ede-9da1-8b284a1c1a23\",\"atomic_attack_name\":\"Masquerading - wscript.exe running as svchost.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9\",\"atomic_attack_name\":\"Creating W32Time similar named service using schtasks\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Command Patterns In Scheduled Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Schtasks Creation Or Modification With SYSTEM Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"c107778c-dcf5-47c5-af2e-1d058a3df3ea\",\"atomic_attack_name\":\"WMI Reconnaissance Users\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Local Account Discovery With 
Wmic\",\"rule_link\":\"https://research.splunk.com/endpoint/4902d7aa-0134-11ec-9d65-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"0fd48ef7-d890-4e93-a533-f7dedd5191d3\",\"atomic_attack_name\":\"WMI Reconnaissance List Remote Services\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3\",\"atomic_attack_name\":\"WMI Execute Local Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"9c8ef159-c666-472f-9874-90c8d60d136b\",\"atomic_attack_name\":\"WMI Execute Remote Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via 
Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"7db7a7f9-9531-4840-9b30-46220135441c\",\"atomic_attack_name\":\"Create a Process using WMI Query and an Encoded Command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Base64 Encoded Invoke Keyword\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Suspicious PowerShell Parameter Substring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure 
Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"00738d2a-4651-4d76-adf2-c43a41dfb243\",\"atomic_attack_name\":\"WMI Execute rundll32\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"c510d25b-1667-467d-8331-a56d3e9bc4ff\",\"atomic_attack_name\":\"Application uninstall using WMIC\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"},{\"rule_name\":\"Application Removed Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml\"},{\"rule_name\":\"Potential Product 
Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}]},{\"tech_id\":\"T1048.002\",\"atomic_attack_guid\":\"1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0\",\"atomic_attack_name\":\"Exfiltrate data HTTPS using curl windows\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Curl Upload to Remote Destination\",\"rule_link\":\"https://research.splunk.com/endpoint/42f8f1a2-4228-11ec-aade-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1049\",\"atomic_attack_guid\":\"f069f0f1-baad-4831-aa2b-eddac4baac4a\",\"atomic_attack_name\":\"System Network Connections Discovery with PowerShell\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/e02af35c-1de5-4afe-b4be-f45aba57272b/\"},{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Use Get-NetTCPConnection - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"fec27f65-db86-4c2d-b66c-61945aee87c2\",\"atomic_attack_name\":\"Scheduled Task Startup Script\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Schtasks Schedule Type With High Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml\"},{\"rule_name\":\"Suspicious Command Patterns In Scheduled 
Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Schtasks Creation Or Modification With SYSTEM Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"2e5eac3e-327b-4a88-a0c0-c4057039a8dd\",\"atomic_attack_name\":\"Scheduled task Remote\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"704333ca-cc12-4bcf-9916-101844881f54\",\"atomic_attack_name\":\"Scheduled Task (\\\"Ghost Task\\\") via Registry Key Manipulation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055.001\",\"atomic_attack_guid\":\"8b56f787-73d9-4f1d-87e8-d07e89cbc7f5\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1059\",\"atomic_attack_guid\":\"a9b93f17-31cb-435d-a462-5e838a2a6026\",\"atomic_attack_name\":\"AutoIt Script Execution\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows AutoIt3 Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/0ecb40d9-492b-4a57-9f87-515dd742794c/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"f3132740-55bc-48c4-bcc0-758a459cd027\",\"atomic_attack_name\":\"Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious Nishang PowerShell Commandlets\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell 
Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"},{\"rule_name\":\"Recon Using WMI Class\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/recon_using_wmi_class.yml\"},{\"rule_name\":\"Detect Mimikatz With PowerShell Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\"},{\"rule_name\":\"Powershell Fileless Process Injection via 
GetProcAddress\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"06a220b6-7e29-4bd8-9d07-5b4d86742372\",\"atomic_attack_name\":\"Invoke-AppPathBypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - 
Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"388a7340-dbc1-4c9d-8e59-b75ad8c6d5da\",\"atomic_attack_name\":\"Powershell MsXml COM object - with prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell IEX Execution Patterns\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml\"},{\"rule_name\":\"Suspicious PowerShell Parameter Substring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"},{\"rule_name\":\"Powershell MsXml COM Object\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"8a2ad40b-12c7-4b25-8521-2737b0a415af\",\"atomic_attack_name\":\"Powershell invoke mshta.exe download\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD 
Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"686a9785-f99b-41d4-90df-66ed515f81d7\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -Command parameter 
variations\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"1c0a870f-dc74-49cf-9afc-eccc45e58790\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"86a43bad-12e3-4e85-b97c-4d5cf25b95c3\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"0d181431-ddf3-4826-8055-2dbf63ae848b\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory 
Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"6a5b2a50-d037-4879-bf01-43d4d6cbf73f\",\"atomic_attack_name\":\"SOAPHound - Dump BloodHound Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SOAPHound Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows SOAPHound Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"4099086c-1470-4223-8085-8186e1ed5948\",\"atomic_attack_name\":\"SOAPHound - Build Cache\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SOAPHound Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows SOAPHound Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"1f454dd6-e134-44df-bebb-67de70fb6cd8\",\"atomic_attack_name\":\"Basic Permission Groups Discovery Windows (Local)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Get Local Groups 
Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Net Localgroup Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"e03ada14-0980-4107-aff1-7783b2b59bb1\",\"atomic_attack_name\":\"SharpHound3 - LocalAdmin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect SharpHound Usage\",\"rule_link\":\"https://research.splunk.com/endpoint/dd04b29a-beed-11eb-87bc-acde48001122/\"},{\"rule_name\":\"Detect SharpHound Command-Line Arguments\",\"rule_link\":\"https://research.splunk.com/endpoint/a0bdd2f6-c2ff-11eb-b918-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"7413be50-be8e-430f-ad4d-07bf197884b2\",\"atomic_attack_name\":\"Wmic Group Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Local Groups Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Wmic Group 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/83317b08-155b-11ec-8e00-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"69119e58-96db-4110-ad27-954e48f3bb13\",\"atomic_attack_name\":\"WMIObject Group Discovery\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get WMIObject Group Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/5434f670-155d-11ec-8cca-acde48001122/\"},{\"rule_name\":\"Get WMIObject Group Discovery with Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Suspicious Get Local Groups Information - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7\",\"atomic_attack_name\":\"Permission Groups Discovery PowerShell (Domain)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"48ddc687-82af-40b7-8472-ff1e742e8274\",\"atomic_attack_name\":\"Adfind - Query Active Directory Groups\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8\",\"atomic_attack_name\":\"Enumerate Active Directory Groups with Get-AdGroup\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdGroup with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/872e3063-0fc4-4e68-b2f3-f2b99184a708/\"},{\"rule_name\":\"GetAdGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadgroup_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Group Enumeration With Get-AdGroup\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8\",\"atomic_attack_name\":\"Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get ADUser with 
PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0b6ee3f4-04e3-11ec-a87d-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"ded937c4-2add-42f7-9c2c-c742b7a98698\",\"atomic_attack_name\":\"Delete an entire folder - Windows cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"Directory Removal Via Rmdir\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml\"},{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Indicator Removal Via Rmdir\",\"rule_link\":\"https://research.splunk.com/endpoint/c4566d2c-b094-48a1-9c59-d66e22065560/\"}]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"f723d13d-48dc-4317-9990-cf43a9ac0bf2\",\"atomic_attack_name\":\"Clears Recycle bin via rd\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Recursive Delete of Directory In Batch CMD\",\"rule_link\":\"https://research.splunk.com/endpoint/ba570b3a-d356-11eb-8358-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}]},{\"tech_id\":\"T1071.004\",\"atomic_attack_guid\":\"e7bf9802-2e78-4db9-93b5-181b7bcd37d7\",\"atomic_attack_name\":\"DNS C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and 
Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1078.001\",\"atomic_attack_guid\":\"aa6cb8c4-b582-4f8e-b677-37733914abda\",\"atomic_attack_name\":\"Activate Guest Account\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Manipulation Of Default Accounts Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1078.003\",\"atomic_attack_guid\":\"6904235f-0f55-4039-8aed-41c300ff7733\",\"atomic_attack_name\":\"Use PsExec to elevate to NT Authority\\\\SYSTEM account\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Psexec 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"07b18a66-6304-47d2-bad0-ef421eb2e107\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Watson searching for missing windows patches\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"efb79454-1101-4224-a4d0-30c9c8b29ffc\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"5c16ceb4-ba3a-43d7-b848-a13c1f216d95\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Seatbelt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of 
Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"2040405c-eea6-4c1c-aef3-c2acc430fac9\",\"atomic_attack_name\":\"ESXi - VM Discovery using ESXCLI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"f89812e5-67d1-4f49-86fa-cbc6609ea86a\",\"atomic_attack_name\":\"ESXi - Darkside system information discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1083\",\"atomic_attack_guid\":\"4a233a40-caf7-4cf1-890a-c6331bbc72cf\",\"atomic_attack_name\":\"ESXi - Enumerate VMDKs available on an ESXi Host\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"},{\"rule_name\":\"Cisco 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1087.001\",\"atomic_attack_guid\":\"a138085e-bfe5-46ba-a242-74a6fb884af3\",\"atomic_attack_name\":\"Enumerate logged on users via CMD (Local)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"System User Discovery With Query\",\"rule_link\":\"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}]},{\"tech_id\":\"T1087.001\",\"atomic_attack_guid\":\"9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c\",\"atomic_attack_name\":\"ESXi - Local Account Discovery via ESXCLI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"},{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"6fbc9e68-5ad7-444a-bd11-8bf3136c477e\",\"atomic_attack_name\":\"Enumerate all accounts (Domain)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"161dcd85-d014-4f5e-900c-d3eaae82a0f7\",\"atomic_attack_name\":\"Enumerate logged on users via CMD (Domain)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"System User Discovery With Query\",\"rule_link\":\"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"e1ec8d20-509a-4b9a-b820-06c9b2da8eb7\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory User Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef\",\"atomic_attack_name\":\"Enumerate Default Domain Admin Details (Domain)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Manipulation Of Default Accounts Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/339805ce-ac30-11eb-b87d-acde48001122/\"},{\"rule_name\":\"Domain Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/\"},{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"394012d9-2164-4d4f-b9e5-acf30ba933fe\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer 
all properties\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"6e85bdf9-7bc4-4259-ac0f-f0cb39964443\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"ffbcfd62-15d6-4989-a21a-80bfc8e58bb5\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With 
Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1095\",\"atomic_attack_guid\":\"0268e63c-e244-42db-bef7-72a9e59fc1fc\",\"atomic_attack_name\":\"ICMP C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious DNS Z Flag Bit Set\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1095\",\"atomic_attack_guid\":\"3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e\",\"atomic_attack_name\":\"Powercat C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious DNS Z Flag Bit Set\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"dd3b61dd-7bbc-48cd-ab51-49ad1a776df0\",\"atomic_attack_name\":\"certutil download 
(urlcache)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious Download Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml\"},{\"rule_name\":\"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\",\"atomic_attack_name\":\"Windows - BITSAdmin BITS Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To An Uncommon Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via 
Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"BITSAdmin Download File\",\"rule_link\":\"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"42dc4460-9aa6-45d3-b1a6-3955d34e1fe8\",\"atomic_attack_name\":\"Windows - PowerShell Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell DownloadFile\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadFile\",\"rule_link\":\"https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"54a4daf1-71df-4383-9ba7-f1a295d8b6d2\",\"atomic_attack_name\":\"File Download via PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"b1729c57-9384-4d1c-9b99-9b220afb384e\",\"atomic_attack_name\":\"Nimgrab - Transfer Files\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"66ee226e-64cb-4dae-80e3-5bf5763e4a51\",\"atomic_attack_name\":\"Arbitrary file download using the Notepad++ GUP.exe binary\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious GUP Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"File Download Using Notepad++ GUP Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"ce4e76e6-de70-4392-9efe-b281fc2b4087\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"7ec5b74e-8289-4ff2-a162-b6f286a33abd\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"e1f93a06-1649-4f07-89a8-f57279a7d60e\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1110.001\",\"atomic_attack_guid\":\"ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5\",\"atomic_attack_name\":\"ESXi - Brute Force Until Account Lockout\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1110.002\",\"atomic_attack_guid\":\"6d27df5d-69d4-4c91-bc33-5983ffe91692\",\"atomic_attack_name\":\"Password Cracking with Hashcat\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Hashcat Password Cracker Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"f3a6cceb-06c9-48e5-8df8-8867a6814245\",\"atomic_attack_name\":\"Change Powershell Execution Policy to Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"ecbd533e-b45d-4239-aeff-b857c6f6d68b\",\"atomic_attack_name\":\"Flush Shimcache\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"ShimCache Flush\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 Shimcache 
Flush\",\"rule_link\":\"https://research.splunk.com/endpoint/a913718a-25b6-11ec-96d3-acde48001122/\"}]},{\"tech_id\":\"T1114.001\",\"atomic_attack_guid\":\"3f1b5096-0139-4736-9b78-19bcb02bb1cb\",\"atomic_attack_name\":\"Email Collection with PowerShell Get-Inbox\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Script Interpreter Execution From Suspicious Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"},{\"rule_name\":\"Powershell Local Email Collection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1124\",\"atomic_attack_guid\":\"d5d5a6b0-0f92-42d8-985d-47aafa2dd4db\",\"atomic_attack_name\":\"System Time Discovery W32tm as a Delay\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use of W32tm as Timer\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_w32tm.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Time Discovery W32tm 
Delay\",\"rule_link\":\"https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/\"}]},{\"tech_id\":\"T1129\",\"atomic_attack_guid\":\"7f843046-abf2-443f-b880-07a83cf968ec\",\"atomic_attack_name\":\"ESXi - Install a custom VIB on an ESXi host\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1134.002\",\"atomic_attack_guid\":\"ccf4ac39-ec93-42be-9035-90e2f26bcd92\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1134.005\",\"atomic_attack_guid\":\"6bef32e5-9456-4072-8f14-35566fb85401\",\"atomic_attack_name\":\"Injection SID-History with mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"6657864e-0323-4206-9344-ac9cd7265a4f\",\"atomic_attack_name\":\"Create a new user in a command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"},{\"rule_name\":\"Net.EXE 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"fda74566-a604-4581-a4cc-fbbe21d66559\",\"atomic_attack_name\":\"Create a new Windows admin user\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Net Localgroup Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"2170d9b5-bacd-4819-a952-da76dae0815f\",\"atomic_attack_name\":\"Create a new Windows admin user via .NET\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1136.002\",\"atomic_attack_guid\":\"fcec2963-9951-4173-9bfa-98d8b7834e62\",\"atomic_attack_name\":\"Create a new Windows domain admin user\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With 
Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"},{\"rule_name\":\"Elevated Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/a23a0e20-0b1b-4a07-82e5-ec5f70811e7a/\"}]},{\"tech_id\":\"T1136.002\",\"atomic_attack_guid\":\"dc7726d2-8ccb-4cc6-af22-0d5afb53a548\",\"atomic_attack_name\":\"Create a new account similar to ANONYMOUS LOGON\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"},{\"rule_name\":\"Domain Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/\"}]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"7f06b25c-799e-40f1-89db-999c9cc84317\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1195\",\"atomic_attack_guid\":\"82a9f001-94c5-495e-9ed5-f530dbded5e2\",\"atomic_attack_name\":\"Octopus Scanner Malware Open Source Supply Chain\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Scheduled Task Creation Via 
Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"3c73d728-75fb-4180-a12f-6712864d7421\",\"atomic_attack_name\":\"Bitsadmin Download (cmd)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To An Uncommon Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"BITSAdmin Download File\",\"rule_link\":\"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"f63b8bc4-07e5-4112-acba-56f646f3f0bc\",\"atomic_attack_name\":\"Bitsadmin Download 
(PowerShell)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"PowerShell Start-BitsTransfer\",\"rule_link\":\"https://research.splunk.com/endpoint/39e2605a-90d8-11eb-899e-acde48001122/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"afb5e09e-e385-4dee-9a94-6ee60979d114\",\"atomic_attack_name\":\"Bits download using desktopimgdownldr.exe (cmd)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Desktopimgdownldr Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"46c2c362-2679-4ef5-aec9-0e958e135be4\",\"atomic_attack_name\":\"Examine domain password policy - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Password Policy Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/09336538-065a-11ec-8665-acde48001122/\"}]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"b2698b33-984c-4a1c-93bb-e4ba72a0babb\",\"atomic_attack_name\":\"Enumerate Active Directory Password Policy with 
get-addefaultdomainpasswordpolicy\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get ADDefaultDomainPasswordPolicy with Powershell\",\"rule_link\":\"https://research.splunk.com/endpoint/36e46ebe-065a-11ec-b4c7-acde48001122/\"},{\"rule_name\":\"Get ADDefaultDomainPasswordPolicy with Powershell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml\"}]},{\"tech_id\":\"T1216\",\"atomic_attack_guid\":\"275d963d-3f36-476c-8bef-a2a3960ee6eb\",\"atomic_attack_name\":\"SyncAppvPublishingServer Signed Script PowerShell Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Script Proxy Execution Syncappvpublishingserver\",\"rule_link\":\"https://research.splunk.com/endpoint/8dd73f89-682d-444c-8b41-8e679966ad3c/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"c426dacf-575d-4937-8611-a148a86a5e61\",\"atomic_attack_name\":\"mavinject - Inject DLL into running process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mavinject Inject DLL Into Running 
Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Binary Proxy Execution Mavinject DLL Injection\",\"rule_link\":\"https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"4cc40fd7-87b8-4b16-b2d7-57534b86b911\",\"atomic_attack_name\":\"Renamed Microsoft.Workflow.Compiler.exe Payload Executions\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Masquerading As SvcHost.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml\"},{\"rule_name\":\"Uncommon Svchost Parent Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml\"},{\"rule_name\":\"System File Execution Location Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"0e1483ba-8f0c-425d-b8c6-42736e058eaa\",\"atomic_attack_name\":\"DiskShadow Command 
Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Diskshadow Script Mode Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Diskshadow Proxy Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"5cb87818-0d7c-4469-b7ef-9224107aebe8\",\"atomic_attack_name\":\"Compiled HTML Help Local Payload\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"0f8af516-9818-4172-922b-42986ef1e81d\",\"atomic_attack_name\":\"Compiled HTML Help Remote Payload\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"},{\"rule_name\":\"Remote CHM File Download/Execution Via HH.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"},{\"rule_name\":\"Detect HTML Help URL 
in Command Line\",\"rule_link\":\"https://research.splunk.com/endpoint/8c5835b9-39d9-438b-817c-95f14c69a31e/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"15756147-7470-4a83-87fb-bb5662526247\",\"atomic_attack_name\":\"Invoke CHM Shortcut Command with ITS and Help Topic\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"20cb05e0-1fa5-406d-92c1-84da4ba01813\",\"atomic_attack_name\":\"Decompile Local CHM File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"},{\"rule_name\":\"Suspicious HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"},{\"rule_name\":\"Windows System Binary Proxy Execution Compiled HTML File Decompile\",\"rule_link\":\"https://research.splunk.com/endpoint/2acf0e19-4149-451c-a3f3-39cd3c77e37d/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d\",\"atomic_attack_name\":\"Msiexec.exe - Execute the DllRegisterServer function of a DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Msiexec Execute Arbitrary DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec 
DLLRegisterServer\",\"rule_link\":\"https://research.splunk.com/endpoint/fdb59aef-d88f-4909-8369-ec2afbd2c398/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"ab09ec85-4955-4f9c-b8e0-6851baf4d47f\",\"atomic_attack_name\":\"Msiexec.exe - Execute the DllUnregisterServer function of a DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DllUnregisterServer Function Call Via Msiexec.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec Unregister DLLRegisterServer\",\"rule_link\":\"https://research.splunk.com/endpoint/a27db3c5-1a9a-46df-a577-765d3f1a3c24/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"44a4bedf-ffe3-452e-bee4-6925ab125662\",\"atomic_attack_name\":\"Msiexec.exe - Execute Remote MSI file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"},{\"rule_name\":\"Suspicious Msiexec Quiet Install From Remote Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec Remote Download\",\"rule_link\":\"https://research.splunk.com/endpoint/6aa49ff2-3c92-4586-83e0-d83eb693dfda/\"}]},{\"tech_id\":\"T1218.008\",\"atomic_attack_guid\":\"2430498b-06c0-4b92-a448-8ad263c388e2\",\"atomic_attack_name\":\"Odbcconf.exe - Execute Arbitrary DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New DLL Registered Via Odbcconf.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Odbcconf 
Hunting\",\"rule_link\":\"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/\"},{\"rule_name\":\"Windows Odbcconf Load DLL\",\"rule_link\":\"https://research.splunk.com/endpoint/141e7fca-a9f0-40fd-a539-9aac8be41f1b/\"}]},{\"tech_id\":\"T1218.008\",\"atomic_attack_guid\":\"331ce274-f9c9-440b-9f8c-a1006e1fce0b\",\"atomic_attack_name\":\"Odbcconf.exe - Load Response File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Response File Execution Via Odbcconf.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Odbcconf Load Response File\",\"rule_link\":\"https://research.splunk.com/endpoint/1acafff9-1347-4b40-abae-f35aa4ba85c1/\"},{\"rule_name\":\"Windows Odbcconf Hunting\",\"rule_link\":\"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"449aa403-6aba-47ce-8a37-247d21ef0306\",\"atomic_attack_name\":\"Regsvr32 local COM scriptlet execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Potential Regsvr32 Commandline Flag Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Regsvr32 Application Control Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36\",\"atomic_attack_name\":\"Regsvr32 remote COM scriptlet execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned 
Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Potential Regsvr32 Commandline Flag Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml\"},{\"rule_name\":\"Potentially Suspicious Regsvr32 HTTP/FTP Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Regsvr32 Application Control Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421\",\"atomic_attack_name\":\"Regsvr32 Registering Non DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 DLL Execution With Suspicious File Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml\"},{\"rule_name\":\"Regsvr32 Execution From Potential Suspicious Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml\"},{\"rule_name\":\"Regsvr32 DLL Execution With Uncommon Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Suspicious Regsvr32 Register Suspicious 
Path\",\"rule_link\":\"https://research.splunk.com/endpoint/62732736-6250-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"32d1cf1b-cbc2-4c09-8d05-07ec5c83a821\",\"atomic_attack_name\":\"Rundll32 execute VBscript command using Ordinal number\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wscript Shell Run In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"DLL Call by Ordinal Via Rundll32.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml\"},{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"RunDLL Loading DLL By Ordinal\",\"rule_link\":\"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"d91cae26-7fc1-457b-a854-34c8aad48c89\",\"atomic_attack_name\":\"Rundll32 advpack.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - 
advpack\",\"rule_link\":\"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"5e46a58e-cbf6-45ef-a289-ed7754603df9\",\"atomic_attack_name\":\"Rundll32 ieadvpack.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - advpack\",\"rule_link\":\"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"41fa324a-3946-401e-bbdd-d7991c628125\",\"atomic_attack_name\":\"Rundll32 syssetup.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - syssetup\",\"rule_link\":\"https://research.splunk.com/endpoint/71b9bf37-cde1-45fb-b899-1b0aa6fa1183/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"71d771cd-d6b3-4f34-bc76-a63d47a10b19\",\"atomic_attack_name\":\"Rundll32 setupapi.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - setupapi\",\"rule_link\":\"https://research.splunk.com/endpoint/61e7b44a-6088-4f26-b788-9a96ba13b37a/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"ae3a8605-b26e-457c-b6b3-2702fd335bac\",\"atomic_attack_name\":\"Execution of non-dll using 
rundll32.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Rundll32 Execution With Image Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Suspicious Rundll32 StartW\",\"rule_link\":\"https://research.splunk.com/endpoint/9319dda5-73f2-4d43-a85a-67ce961bddb7/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"9fd5a74b-ba89-482a-8a3e-a5feaa3697b0\",\"atomic_attack_name\":\"Rundll32 with Ordinal Value\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DLL Call by Ordinal Via Rundll32.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml\"}],\"splunk_rules\":[{\"rule_name\":\"RunDLL Loading DLL By Ordinal\",\"rule_link\":\"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"e4c04b6f-c492-4782-82c7-3bf75eb8077e\",\"atomic_attack_name\":\"Rundll32 with Control_RunDLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 
Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 Control RunDLL Hunt\",\"rule_link\":\"https://research.splunk.com/endpoint/c8e7ced0-10c5-11ec-8b03-acde48001122/\"}]},{\"tech_id\":\"T1219\",\"atomic_attack_guid\":\"6b8b7391-5c0a-4f8c-baee-78d8ce0ce330\",\"atomic_attack_name\":\"AnyDesk Files Detected Test on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}]},{\"tech_id\":\"T1219\",\"atomic_attack_guid\":\"1b72b3bd-72f8-4b63-a30b-84e91b9c3578\",\"atomic_attack_name\":\"GoToAssist Files Detected Test on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory OUs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"ea1b4f2d-5b82-4006-b64f-f2845608a3bf\",\"atomic_attack_name\":\"TruffleSnout - Listing AD Infrastructure\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"476419b5-aebf-4366-a131-ae3e8dae5fc2\",\"atomic_attack_name\":\"Windows - Overwrite file with SysInternals SDelete\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"1207ddff-f25b-41b3-aa0e-7c26d2b546d1\",\"atomic_attack_name\":\"ESXi - Delete VM Snapshots\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1491.001\",\"atomic_attack_guid\":\"30905f21-34f3-4504-8b4c-f7a5e314b810\",\"atomic_attack_name\":\"ESXi - Change Welcome Message on Direct Console User Interface (DCUI)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1505.004\",\"atomic_attack_guid\":\"53adbdfa-8200-490c-871c-d3b1ab3324b2\",\"atomic_attack_name\":\"Install IIS Module using AppCmd.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"IIS Native-Code Module 
Command Line Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows IIS Components Add New Module\",\"rule_link\":\"https://research.splunk.com/endpoint/38fe731c-1f13-43d4-b878-a5bbe44807e3/\"}]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"e31564c8-4c60-40cd-a8f4-9261307e8336\",\"atomic_attack_name\":\"Get Windows Defender exclusion settings using WMIC\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"987c9b4d-a637-42db-b1cb-e9e242c3991b\",\"atomic_attack_name\":\"ESXi - Terminates VMs using pkill\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"189f7d6e-9442-4160-9bc3-5e4104d93ece\",\"atomic_attack_name\":\"ESXi - Avoslocker enumerates VMs and forcefully kills VMs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"622cc1a0-45e7-428c-aed7-c96dd605fbe6\",\"atomic_attack_name\":\"ESXi - vim-cmd Used to Power Off VMs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1531\",\"atomic_attack_guid\":\"1b99ef28-f83c-4ec5-8a08-1a56263a5bb2\",\"atomic_attack_name\":\"Change User Password - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1531\",\"atomic_attack_guid\":\"f21a1d7d-a62f-442a-8c3a-2440d43b19e5\",\"atomic_attack_name\":\"Delete User - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"fb4151a2-db33-4f8c-b7f8-78ea8790f961\",\"atomic_attack_name\":\"Remote Service Installation CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using 
Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Service Creation on Remote Endpoint\",\"rule_link\":\"https://research.splunk.com/endpoint/e0eea4fa-4274-11ec-882b-3e22fbd008af/\"},{\"rule_name\":\"Windows Service Initiation on Remote Endpoint\",\"rule_link\":\"https://research.splunk.com/endpoint/3f519894-4276-11ec-ab02-3e22fbd008af/\"},{\"rule_name\":\"Windows Remote Create Service\",\"rule_link\":\"https://research.splunk.com/endpoint/0dc44d03-8c00-482d-ba7c-796ba7ab18c9/\"}]},{\"tech_id\":\"T1546.003\",\"atomic_attack_guid\":\"29786d7e-8916-4de6-9c55-be7b093b2706\",\"atomic_attack_name\":\"Windows MOFComp.exe Load MOF File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Suspicious Mofcomp Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MOF Event Triggered Execution via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/e59b5a73-32bf-4467-a585-452c36ae10c1/\"}]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"f7a35090-6f7f-4f64-bb47-d657bf5b10c1\",\"atomic_attack_name\":\"Bypass UAC by Mocking Trusted Directories\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"2b61977b-ae2d-4ae4-89cb-5c36c89586be\",\"atomic_attack_name\":\"WinPwn - UAC Bypass DccwBypassUAC technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1550.002\",\"atomic_attack_guid\":\"ec23cef9-27d9-46e4-a68d-6f75f7b86908\",\"atomic_attack_name\":\"Mimikatz Pass the Hash\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1550.003\",\"atomic_attack_guid\":\"dbf38128-7ba7-4776-bedf-cc2eed432098\",\"atomic_attack_name\":\"Mimikatz Kerberos Ticket Attack\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Mimikatz PassTheTicket CommandLine Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/13bbd574-83ac-11ec-99d4-acde48001122/\"}]},{\"tech_id\":\"T1552.001\",\"atomic_attack_guid\":\"b0cdacf6-8949-4ffe-9274-a9643a788e55\",\"atomic_attack_name\":\"List Credential Files via Command Prompt\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"520ce462-7ca7-441e-b5a5-f8347f632696\",\"atomic_attack_name\":\"Private Keys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Private Keys Reconnaissance Via CommandLine Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Private Keys 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/5c1c2877-06c0-40ee-a1a2-db71f1372b5b/\"}]},{\"tech_id\":\"T1552.006\",\"atomic_attack_guid\":\"870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f\",\"atomic_attack_name\":\"GPP Passwords (findstr)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Password Reconnaissance Via Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml\"},{\"rule_name\":\"Findstr GPP Passwords\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"},{\"rule_name\":\"Windows Findstr GPP Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/1631ac2d-f2a9-42fa-8a59-d6e210d472f5/\"}]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"e5e3d639-6ea8-4408-9ecd-d5a286268ca0\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1555.004\",\"atomic_attack_guid\":\"fa714db1-63dd-479e-a58e-7b2b52ca5997\",\"atomic_attack_name\":\"WinPwn - Loot local Credentials - Invoke-WCMDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell 
Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"14625569-6def-4497-99ac-8e7817105b55\",\"atomic_attack_name\":\"Rubeus kerberoast\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Rubeus Command Line Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"e6f4affd-d826-4871-9a62-6c9004b8fe06\",\"atomic_attack_name\":\"Extract all accounts in use as SPN using setspn\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"ServicePrincipalNames Discovery with SetSPN\",\"rule_link\":\"https://research.splunk.com/endpoint/ae8b3efc-2d2e-11ec-8b57-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"29094950-2c96-4cbd-b5e4-f7c65079678f\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1558.004\",\"atomic_attack_guid\":\"615bd568-2859-41b5-9aed-61f6a88e48dd\",\"atomic_attack_name\":\"Rubeus asreproast\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Rubeus Command Line Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path 
Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.004\",\"atomic_attack_guid\":\"8c385f88-4d47-4c9a-814d-93d9deec8c71\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"d1334303-59cb-4a03-8313-b3e24d02c198\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with 7zip\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"871438ac-7d6e-432a-b27d-3e7db69faf58\",\"atomic_attack_name\":\"Disable Windows Defender with DISM\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Dism Remove Online Package\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows DISM Remove Defender\",\"rule_link\":\"https://research.splunk.com/endpoint/8567da9e-47f0-11ec-99a9-acde48001122/\"}]},{\"tech_id\":\"T1001.002\",\"atomic_attack_guid\":\"4ff61684-ad91-405c-9fbc-048354ff1d07\",\"atomic_attack_name\":\"Execute Embedded Script in Image via Steganography\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Linux Base64 Encoded Pipe to Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml\"},{\"rule_name\":\"Linux Shell Pipe to Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"7e91138a-8e74-456d-a007-973d67a0bb80\",\"atomic_attack_name\":\"Dump individual process memory with sh (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive 
Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"fa37b633-e097-4415-b2b8-c5bf4c86e423\",\"atomic_attack_name\":\"Dump individual process memory with sh on FreeBSD (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"437b2003-a20d-4ed8-834c-4964f24eec63\",\"atomic_attack_name\":\"Dump individual process memory with Python (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.008\",\"atomic_attack_guid\":\"3723ab77-c546-403c-8fb4-bb577033b235\",\"atomic_attack_name\":\"Access /etc/shadow (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.008\",\"atomic_attack_guid\":\"60e860b6-8ae6-49db-ad07-5e73edd88f5d\",\"atomic_attack_name\":\"Access /etc/passwd (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"158bd4dd-6359-40ab-b13c-285b9ef6fa25\",\"atomic_attack_name\":\"Remote System Discovery - ip neighbour\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - Linux\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1\",\"atomic_attack_name\":\"Remote System Discovery - ip route\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - Linux\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"ffe2346c-abd5-4b45-a713-bf5f1ebd573a\",\"atomic_attack_name\":\"Pad Binary to Change Hash - Linux/macOS dd\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.002\",\"atomic_attack_guid\":\"11c46cd8-e471-450e-acb8-52a1216ae6a4\",\"atomic_attack_name\":\"Binary simply packed by UPX (linux)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.002\",\"atomic_attack_guid\":\"f06197f8-ff46-48c2-a0c6-afc1b50665e1\",\"atomic_attack_name\":\"Binary packed by UPX, with modified headers (linux)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1030\",\"atomic_attack_guid\":\"ab936c51-10f4-46ce-9144-e02137b2016a\",\"atomic_attack_name\":\"Data Transfer Size Limits\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"a315bfff-7a98-403b-b442-2ea1b255e556\",\"atomic_attack_name\":\"Masquerading as FreeBSD or Linux crond process.\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"f0e3aaea-5cd9-4db6-a077-631dd19b27a8\",\"atomic_attack_name\":\"linux rename /proc/pid/comm using prctl\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"ad4b73c2-d6e2-4d8b-9868-4c6f55906e01\",\"atomic_attack_name\":\"Hiding a malicious process with bind mounts\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"7fe741f7-b265-4951-a7c7-320889083b3e\",\"atomic_attack_name\":\"Packet Capture Linux using tshark or tcpdump\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"c93f2492-9ebe-44b5-8b45-36574cccfe67\",\"atomic_attack_name\":\"Packet Capture FreeBSD using tshark or tcpdump\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"a27418de-bdce-4ebd-b655-38f04842bf0c\",\"atomic_attack_name\":\"Capture Passwords with MimiPenguin\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su 
Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1005\",\"atomic_attack_guid\":\"00cbb875-7ae4-4cf1-b638-e543fd825300\",\"atomic_attack_name\":\"Find and dump sqlite databases (Linux)\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1014\",\"atomic_attack_guid\":\"dfb50072-e45a-4c75-a17e-a484809c8553\",\"atomic_attack_name\":\"Loadable Kernel Module based Rootkit\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"},{\"rule_name\":\"Linux Insert Kernel Module Using Insmod Utility\",\"rule_link\":\"https://research.splunk.com/endpoint/18b5a1a0-6326-11ec-943a-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1014\",\"atomic_attack_guid\":\"75483ef8-f10f-444a-bf02-62eb0e48db6f\",\"atomic_attack_name\":\"Loadable Kernel Module based Rootkit\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"f45df6be-2e1e-4136-a384-8f18ab3826fb\",\"atomic_attack_name\":\"Decode base64 Data into Script\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation 
Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}]},{\"tech_id\":\"T1036.005\",\"atomic_attack_guid\":\"812c3ab8-94b0-4698-a9bf-9420af23ce24\",\"atomic_attack_name\":\"Execute a process from a directory masquerading as the current parent directory.\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1036.006\",\"atomic_attack_guid\":\"b95ce2eb-a093-4cd8-938d-5258cef656ea\",\"atomic_attack_name\":\"Space After Filename\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1037.004\",\"atomic_attack_guid\":\"c33f3d80-5f04-419b-a13a-854d1cbdbf3a\",\"atomic_attack_name\":\"rc.common\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1037.004\",\"atomic_attack_guid\":\"126f71af-e1c9-405c-94ef-26a47b16c102\",\"atomic_attack_name\":\"rc.local\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"e2028771-1bfb-48f5-b5e6-e50ee0942a14\",\"atomic_attack_name\":\"Packet Capture FreeBSD using /dev/bpfN with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive 
Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"a3a0d4c9-c068-4563-a08d-583bd05b884c\",\"atomic_attack_name\":\"Filtered Packet Capture FreeBSD using /dev/bpfN with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"10c710c9-9104-4d5f-8829-5b65391e2a29\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"7a0895f0-84c1-4adf-8491-a21510b1d4c1\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su 
Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"515575ab-d213-42b1-aa64-ef6a2dd4641b\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"b1cbdf8b-6078-48f5-a890-11ea19d7f8e9\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1033\",\"test_number\":3,\"atomic_attack_guid\":\"29857f27-a36f-4f7e-8084-4557cd6207ca\",\"atomic_attack_name\":\"Find computers where user has session - Stealth mode (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":4,\"atomic_attack_guid\":\"dcb6cdee-1fb0-4087-8bf8-88cfd136ba51\",\"atomic_attack_name\":\"User Discovery With Env Vars PowerShell Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Get Current User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":6,\"atomic_attack_guid\":\"3d257a03-eb80-41c5-b744-bb37ac7f65c7\",\"atomic_attack_name\":\"System Discovery - SocGholish whoami\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"},{\"rule_name\":\"Enumerate All Information With Whoami.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":7,\"atomic_attack_guid\":\"ba38e193-37a6-4c41-b214-61b33277fe36\",\"atomic_attack_name\":\"System Owner/User Discovery Using Command Prompt\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1003\",\"test_number\":2,\"atomic_attack_guid\":\"9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6\",\"atomic_attack_name\":\"Credential Dumping with NPPSpy\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Credential Dumping Attempt Using New NetworkProvider - 
CLI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":3,\"atomic_attack_guid\":\"7ae7102c-a099-45c8-b985-4c7a2d05790d\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using direct system calls and API unhooking\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":5,\"atomic_attack_guid\":\"dea6c349-f1c6-44f3-87a1-1ed33a59a607\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using Windows Task Manager\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":7,\"atomic_attack_guid\":\"c37bc535-5c62-4195-9cc3-0517673171d8\",\"atomic_attack_name\":\"LSASS read with pypykatz\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":8,\"atomic_attack_guid\":\"6502c8f0-b775-4dbd-9193-1298f56b6781\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using Out-Minidump.ps1\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz 
Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":11,\"atomic_attack_guid\":\"9d0072c8-7cca-45c4-bd14-f852cfa35cf0\",\"atomic_attack_name\":\"Dump LSASS with createdump.exe from .Net v5\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Renamed CreateDump Utility Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":13,\"atomic_attack_guid\":\"47a539d1-61b9-4364-bf49-a68bc2a95ef0\",\"atomic_attack_name\":\"Dump LSASS.exe using lolbin rdrleakdiag.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Process Memory Dump via RdrLeakDiag.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Create Remote Thread into LSASS\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/create_remote_thread_into_lsass.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":6,\"atomic_attack_guid\":\"9d77fed7-05f8-476e-a81b-8ff0472c64d0\",\"atomic_attack_name\":\"dump volume shadow copy hives with System.IO.File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"PowerShell SAM Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Copy of ShadowCopy with Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":7,\"atomic_attack_guid\":\"0c0f5f06-166a-4f4d-bb4a-719df9a01dbb\",\"atomic_attack_name\":\"WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Detect Copy of ShadowCopy with Script Block 
Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":8,\"atomic_attack_guid\":\"21df41be-cdd8-4695-a650-c3981113aa3c\",\"atomic_attack_name\":\"Dumping of SAM, creds, and secrets(Reg Export)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Dumping of Sensitive Hives Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1005\",\"test_number\":1,\"atomic_attack_guid\":\"d3d9af44-b8ad-4375-8b0a-4bff4b7e419c\",\"atomic_attack_name\":\"Search files of interest and save them to a single zip file (Windows)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1006\",\"test_number\":1,\"atomic_attack_guid\":\"88f6327e-51ec-4bbf-b2e8-3fea534eab8b\",\"atomic_attack_name\":\"Read volume boot sector via DOS device path (PowerShell)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Defense Evasion Via Raw Disk Access By Uncommon Tools\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1012\",\"test_number\":1,\"atomic_attack_guid\":\"8f7578c4-9863-4d83-875c-a565573bbdf0\",\"atomic_attack_name\":\"Query Registry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Configuration And Service Reconnaissance Via 
Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"test_number\":2,\"atomic_attack_guid\":\"038263cb-00f4-4b0a-98ae-0696c67e1752\",\"atomic_attack_name\":\"List Windows Firewall Rules\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Firewall Configuration Discovery Via Netsh.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"test_number\":7,\"atomic_attack_guid\":\"121de5c6-5818-4868-b8a7-8fd07c455c1b\",\"atomic_attack_name\":\"Qakbot Recon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":5,\"atomic_attack_guid\":\"2d5a61f5-0447-4be4-944a-1f8530ed6574\",\"atomic_attack_name\":\"Remote System Discovery - arp\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":8,\"atomic_attack_guid\":\"baa01aaa-5e13-45ec-8a0d-e46c93c9760f\",\"atomic_attack_name\":\"Remote System Discovery - nslookup\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Suspicious Scan Loop 
Network\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":9,\"atomic_attack_guid\":\"95e19466-469e-4316-86d2-1dc401b5a959\",\"atomic_attack_name\":\"Remote System Discovery - adidnsdump\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":11,\"atomic_attack_guid\":\"5838c31e-a0e2-4b9f-b60a-d79d2cb7995e\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Domain Controller Objects\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":16,\"atomic_attack_guid\":\"962a6017-1c09-45a6-880b-adc9c57cb22e\",\"atomic_attack_name\":\"Enumerate domain computers within Active Directory using DirectorySearcher\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"DirectorySearcher Powershell Exploitation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml\"},{\"rule_name\":\"Renamed AdFind 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"},{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":19,\"atomic_attack_guid\":\"b9d2e8ca-5520-4737-8076-4f08913da2c4\",\"atomic_attack_name\":\"Get-DomainController with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainComputer with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml\"},{\"rule_name\":\"Windows PowerView Unconstrained Delegation Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml\"},{\"rule_name\":\"GetDomainController with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1020\",\"test_number\":1,\"atomic_attack_guid\":\"9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0\",\"atomic_attack_name\":\"IcedID Botnet HTTP PUT\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Script With File Upload 
Capabilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1020\",\"test_number\":2,\"atomic_attack_guid\":\"5b380e96-b0ef-4072-8a8e-f194cb9eb9ac\",\"atomic_attack_name\":\"Exfiltration via Encrypted FTP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Script With File Upload Capabilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"test_number\":1,\"atomic_attack_guid\":\"355d4632-8cb9-449d-91ce-b566d0253d3e\",\"atomic_attack_name\":\"RDP to DomainController\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"},{\"rule_name\":\"New Remote Desktop Connection Initiated Via Mstsc.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"test_number\":2,\"atomic_attack_guid\":\"2f840dd4-8a2e-4f44-beb3-6b2399ea3771\",\"atomic_attack_name\":\"Changing RDP Port to Non Standard Port via Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Allow Inbound Traffic In Firewall 
Rule\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml\"}]},{\"tech_id\":\"T1021.002\",\"test_number\":2,\"atomic_attack_guid\":\"514e9cd7-9207-4882-98b1-c8f791bae3c5\",\"atomic_attack_name\":\"Map Admin Share PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious New-PSDrive to Admin Share\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.006\",\"test_number\":1,\"atomic_attack_guid\":\"9059e8de-3d7d-4954-a322-46161880b9cf\",\"atomic_attack_name\":\"Enable Windows Remote Management\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Enable Windows Remote Management\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.006\",\"test_number\":2,\"atomic_attack_guid\":\"5295bd61-bd7e-4744-9d52-85962a4cf2d6\",\"atomic_attack_name\":\"Remote Code Execution with PS Credentials Using Invoke-Command\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Execute Invoke-command on Remote Host\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml\"},{\"rule_name\":\"Enable Windows Remote Management\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote Process Instantiation via WinRM and PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml\"}]},{\"tech_id\":\"T1027\",\"test_number\":3,\"atomic_attack_guid\":\"450e7218-7915-4be4-8b9b-464a49eafcec\",\"atomic_attack_name\":\"Execute base64-encoded PowerShell from Windows Registry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Base64 Encoded PowerShell Command Detected\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"}]},{\"tech_id\":\"T1027\",\"test_number\":7,\"atomic_attack_guid\":\"8b3f4ed6-077b-4bdd-891c-2d237f19410f\",\"atomic_attack_name\":\"Obfuscated Command in PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential PowerShell Command Line Obfuscation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.004\",\"test_number\":1,\"atomic_attack_guid\":\"ffcdbd6a-b0e8-487d-927a-09127fe9a206\",\"atomic_attack_name\":\"Compile After Delivery using csc.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Csc.EXE Execution Form Potentially Suspicious Parent\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"test_number\":6,\"atomic_attack_guid\":\"bc15c13f-d121-4b1f-8c7d-28d95854d086\",\"atomic_attack_name\":\"Masquerading - non-windows exe running as windows 
exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Start-Process PassThru\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"test_number\":7,\"atomic_attack_guid\":\"c3d24a39-2bfe-4c6a-b064-90cd73896cb0\",\"atomic_attack_name\":\"Masquerading - windows exe running as different windows exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Defense Evasion Via Binary Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.005\",\"test_number\":2,\"atomic_attack_guid\":\"35eb8d16-9820-4423-a2a1-90c4f5edd9ca\",\"atomic_attack_name\":\"Masquerade as a built-in system executable\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Files With System Process Name In Unsuspected Locations\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"test_number\":16,\"atomic_attack_guid\":\"9c15a7de-de14-46c3-bc2a-6d94130986ae\",\"atomic_attack_name\":\"PowerShell Network Sniffing\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":5,\"atomic_attack_guid\":\"54574908-f1de-4356-9021-8053dd57439a\",\"atomic_attack_name\":\"WinPwn - spoolvulnscan\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":6,\"atomic_attack_guid\":\"97585b04-5be2-40e9-8c31-82157b8af2d6\",\"atomic_attack_name\":\"WinPwn - MS17-10\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":7,\"atomic_attack_guid\":\"1cca5640-32a9-46e6-b8e0-fabbe2384a73\",\"atomic_attack_name\":\"WinPwn - bluekeep\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":8,\"atomic_attack_guid\":\"bb037826-cbe8-4a41-93ea-b94059d6bb98\",\"atomic_attack_name\":\"WinPwn - fruit\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1048\",\"test_number\":3,\"atomic_attack_guid\":\"c943d285-ada3-45ca-b3aa-7cd6500c6a48\",\"atomic_attack_name\":\"DNSExfiltration (doh)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell DNSExfiltration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1048.003\",\"test_number\":2,\"atomic_attack_guid\":\"dd4b4421-2e25-4593-90ae-7021947ad12e\",\"atomic_attack_name\":\"Exfiltration Over Alternative Protocol - ICMP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell ICMP Exfiltration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1049\",\"test_number\":1,\"atomic_attack_guid\":\"0940a971-809a-48f1-9c4d-b1d785e96ee5\",\"atomic_attack_name\":\"System Network Connections Discovery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"System Network Connections Discovery Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1049\",\"test_number\":3,\"atomic_attack_guid\":\"b52c8233-8f71-4bd7-9928-49fec8215cf5\",\"atomic_attack_name\":\"System Network Connections Discovery via PowerShell (Process Mapping)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Use 
Get-NetTCPConnection - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1049\",\"test_number\":7,\"atomic_attack_guid\":\"96f974bb-a0da-4d87-a744-ff33e73367e9\",\"atomic_attack_name\":\"System Discovery using SharpView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":4,\"atomic_attack_guid\":\"af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd\",\"atomic_attack_name\":\"Powershell Cmdlet Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":5,\"atomic_attack_guid\":\"ecd3fa21-7792-41a2-8726-2c5c673414d3\",\"atomic_attack_name\":\"Task Scheduler via VBA\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":6,\"atomic_attack_guid\":\"e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b\",\"atomic_attack_name\":\"WMI Invoke-CimMethod Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":8,\"atomic_attack_guid\":\"cd925593-fbb4-486d-8def-16cbdf944bf4\",\"atomic_attack_name\":\"Import XML Schedule Task with Hidden Attribute\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":9,\"atomic_attack_guid\":\"dda6fc7b-c9a6-4c18-b98d-95ec6542af6d\",\"atomic_attack_name\":\"PowerShell Modify A Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":11,\"atomic_attack_guid\":\"8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2\",\"atomic_attack_name\":\"Scheduled Task Persistence via CompMgmt.msc\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":12,\"atomic_attack_guid\":\"02124c37-767e-4b76-9383-c9fc366d9d4c\",\"atomic_attack_name\":\"Scheduled Task Persistence via Eventviewer.msc\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055.001\",\"test_number\":1,\"atomic_attack_guid\":\"74496461-11a1-4982-b439-4d87a550d254\",\"atomic_attack_name\":\"Process Injection via mavinject.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Mavinject.EXE Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml\"},{\"rule_name\":\"Mavinject Inject DLL Into Running Process\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055.002\",\"test_number\":1,\"atomic_attack_guid\":\"578025d5-faa9-4f6d-8390-aae739d503e1\",\"atomic_attack_name\":\"Portable Executable Injection\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows Process Injection Remote 
Thread\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_process_injection_remote_thread.yml\"}]},{\"tech_id\":\"T1057\",\"test_number\":3,\"atomic_attack_guid\":\"3b3809b6-a54b-4f5b-8aff-cb51f2e97b34\",\"atomic_attack_name\":\"Process Discovery - Get-Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Discovery With Get-Process\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"test_number\":2,\"atomic_attack_guid\":\"a21bb23e-e677-4ee7-af90-6931b57b6350\",\"atomic_attack_name\":\"Run BloodHound from local disk\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - Bloodhound/Sharphound Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread 
Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":3,\"atomic_attack_guid\":\"bf8c1441-4674-4dab-8e4e-39d93d08f9b7\",\"atomic_attack_name\":\"Run Bloodhound from Memory using Download Cradle\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"HackTool - Bloodhound/Sharphound Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Windows PowerShell Script Block With Malicious String\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":7,\"atomic_attack_guid\":\"4396927f-e503-427b-b023-31049b9b09a6\",\"atomic_attack_name\":\"Powershell XML requests\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":9,\"atomic_attack_guid\":\"cc50fa2a-a4be-42af-a88f-e347ba0bf4d7\",\"atomic_attack_name\":\"Powershell Invoke-DownloadCradle\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":10,\"atomic_attack_guid\":\"fa050f5e-bc75-4230-af73-b6fd7852cd73\",\"atomic_attack_name\":\"PowerShell Fileless Script Execution\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Base64 Encoded PowerShell Command Detected\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 
Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":11,\"atomic_attack_guid\":\"8e5c5532-1181-4c1d-bb79-b3a9f5dbd680\",\"atomic_attack_name\":\"NTFS Alternate Data Stream Access\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"NTFS Alternate Data Stream\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":12,\"atomic_attack_guid\":\"7c1acec2-78fa-4305-a3e0-db2a54cddecd\",\"atomic_attack_name\":\"PowerShell Session Creation and Use\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Remote Session 
Creation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory 
Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":19,\"atomic_attack_guid\":\"1289f78d-22d2-4590-ac76-166737e1811b\",\"atomic_attack_name\":\"PowerUp Invoke-AllChecks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And 
Cmdlets\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"test_number\":20,\"atomic_attack_guid\":\"999bff6d-dc15-44c9-9f5c-e1051bfc86e1\",\"atomic_attack_name\":\"Abuse Nslookup with DNS Records\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Windows Shell/Scripting Processes Spawning Suspicious Programs\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.003\",\"test_number\":1,\"atomic_attack_guid\":\"9e8894c0-50bd-4525-a96c-d4ac78ece388\",\"atomic_attack_name\":\"Create and Execute Batch Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Execute Batch Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.001\",\"test_number\":3,\"atomic_attack_guid\":\"a580462d-2c19-4bc7-8b9a-57a41b7d3ba4\",\"atomic_attack_name\":\"Permission Groups Discovery PowerShell (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Get Local Groups Information - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Powershell Get LocalGroup Discovery with Script Block 
Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":1,\"atomic_attack_guid\":\"dd66d77d-8998-48c0-8024-df263dc2ce5d\",\"atomic_attack_name\":\"Basic Permission Groups Discovery Windows (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":3,\"atomic_attack_guid\":\"0afb5163-8181-432e-9405-4322710c0c37\",\"atomic_attack_name\":\"Elevated group enumeration using net group (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":4,\"atomic_attack_guid\":\"a2d71eee-a353-4232-9f86-54f4288dd8c1\",\"atomic_attack_name\":\"Find machines where user has local admin access (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":5,\"atomic_attack_guid\":\"a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd\",\"atomic_attack_name\":\"Find local admins on all machines in domain (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with 
PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":6,\"atomic_attack_guid\":\"64fdb43b-5259-467a-b000-1b02c00e510a\",\"atomic_attack_name\":\"Find Local Admins via Group Policy (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":7,\"atomic_attack_guid\":\"870ba71e-6858-4f6d-895c-bb6237f6121b\",\"atomic_attack_name\":\"Enumerate Users Not Requiring Pre Auth (ASRepRoast)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":12,\"atomic_attack_guid\":\"46352f40-f283-4fe5-b56d-d9a71750e145\",\"atomic_attack_name\":\"Get-DomainGroupMember with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":13,\"atomic_attack_guid\":\"5a8a181c-2c8e-478d-a943-549305a01230\",\"atomic_attack_name\":\"Get-DomainGroup with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":14,\"atomic_attack_guid\":\"22cf8cb9-adb1-4e8c-80ca-7c723dfc8784\",\"atomic_attack_name\":\"Active Directory Enumeration with LDIFDE\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070\",\"test_number\":2,\"atomic_attack_guid\":\"96e86706-6afd-45b6-95d6-108d23eaf2e9\",\"atomic_attack_name\":\"Indicator Manipulation using FSUtil\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Suspicious 
Invocation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.001\",\"test_number\":2,\"atomic_attack_guid\":\"b13e9306-3351-4b4b-a6e8-477358b0b498\",\"atomic_attack_name\":\"Delete System Logs Using Clear-EventLog\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Eventlog Clearing or Configuration Change Activity\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":11,\"atomic_attack_guid\":\"2f898b81-3e97-4abb-bc3f-a95138988370\",\"atomic_attack_name\":\"Prevent Powershell History Logging\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":12,\"atomic_attack_guid\":\"da75ae8d-26d6-4483-b0fe-700e4df4f037\",\"atomic_attack_name\":\"Clear Powershell History by Deleting History File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clearing Windows Console 
History\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":13,\"atomic_attack_guid\":\"1d0d9aa6-6111-4f89-927b-53e8afae7f94\",\"atomic_attack_name\":\"Set Custom AddToHistoryHandler to Avoid History File Logging\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":14,\"atomic_attack_guid\":\"22c779cd-9445-4d3e-a136-f75adbf0315f\",\"atomic_attack_name\":\"Clear PowerShell Session History\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clearing Windows Console History\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell 
Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":6,\"atomic_attack_guid\":\"9dee89bd-9a98-4c4f-9e2d-4256690b0e72\",\"atomic_attack_name\":\"Delete a single file - Windows PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":7,\"atomic_attack_guid\":\"edd779e4-a509-4cba-8dfa-a112543dbfb1\",\"atomic_attack_name\":\"Delete an entire folder - Windows PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":10,\"atomic_attack_guid\":\"69f50a5f-967c-4327-a5bb-e1a9a9983785\",\"atomic_attack_name\":\"Delete TeamViewer Log Files\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"test_number\":3,\"atomic_attack_guid\":\"0512d214-9512-4d22-bde7-f37e058259b3\",\"atomic_attack_name\":\"Remove Network Share PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Deleted Mounted Share\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"test_number\":5,\"atomic_attack_guid\":\"4299eff5-90f1-4446-b2f3-7f4f5cfd5d62\",\"atomic_attack_name\":\"Remove Administrative 
Shares\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Unmount Share Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":5,\"atomic_attack_guid\":\"b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c\",\"atomic_attack_name\":\"Windows - Modify file creation timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":6,\"atomic_attack_guid\":\"f8f6634d-93e1-4238-8510-f8a90a20dcf2\",\"atomic_attack_name\":\"Windows - Modify file last modified timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":7,\"atomic_attack_guid\":\"da627f63-b9bd-4431-b6f8-c5b44d061a62\",\"atomic_attack_name\":\"Windows - Modify file last access timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1071.001\",\"test_number\":1,\"atomic_attack_guid\":\"81c13829-f6c9-45b8-85a6-053366d55297\",\"atomic_attack_name\":\"Malicious User Agents - Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Change User Agents with 
WebRequest\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":14,\"atomic_attack_guid\":\"eea1d918-825e-47dd-acc2-814d6c58c0e1\",\"atomic_attack_name\":\"WinPwn - winPEAS\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":15,\"atomic_attack_guid\":\"3d256a2f-5e57-4003-8eb6-64d91b1da7ce\",\"atomic_attack_name\":\"WinPwn - itm4nprivesc\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":16,\"atomic_attack_guid\":\"345cb8e4-d2de-4011-a580-619cf5a9e2d7\",\"atomic_attack_name\":\"WinPwn - Powersploits privesc checks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":17,\"atomic_attack_guid\":\"5b6f39a2-6ec7-4783-a5fd-2c54a55409ed\",\"atomic_attack_name\":\"WinPwn - General privesc checks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":18,\"atomic_attack_guid\":\"7804659b-fdbf-4cf6-b06a-c03e758590e8\",\"atomic_attack_name\":\"WinPwn - GeneralRecon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"},{\"rule_name\":\"Suspicious Execution of Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":19,\"atomic_attack_guid\":\"3278b2f6-f733-4875-9ef4-bfed34244f0a\",\"atomic_attack_name\":\"WinPwn - Morerecon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":20,\"atomic_attack_guid\":\"dec6a0d8-bcaf-4c22-9d48-2aee59fb692b\",\"atomic_attack_name\":\"WinPwn - RBCD-Check\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":27,\"atomic_attack_guid\":\"8851b73a-3624-4bf7-8704-aa312411565c\",\"atomic_attack_name\":\"System Information Discovery with WMIC\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Uncommon System Information Discovery Via Wmic.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":2,\"atomic_attack_guid\":\"2158908e-b7ef-4c21-8a83-3ce4dd05a924\",\"atomic_attack_name\":\"File and Directory Discovery (PowerShell)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":5,\"atomic_attack_guid\":\"c6c34f61-1c3e-40fb-8a58-d017d88286d8\",\"atomic_attack_name\":\"Simulating MAZE Directory 
Enumeration\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Powershell Directory Enumeration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":6,\"atomic_attack_guid\":\"c5bec457-43c9-4a18-9a24-fe151d8971b7\",\"atomic_attack_name\":\"Launch DirLister Executable\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":9,\"atomic_attack_guid\":\"95a21323-770d-434c-80cd-6f6fbf7af432\",\"atomic_attack_name\":\"Recursive Enumerate Files And Directories By Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.001\",\"test_number\":8,\"atomic_attack_guid\":\"80887bec-5a9b-4efc-a81d-f83eb2eb32ab\",\"atomic_attack_name\":\"Enumerate all accounts on Windows (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.001\",\"test_number\":9,\"atomic_attack_guid\":\"ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b\",\"atomic_attack_name\":\"Enumerate all 
accounts via PowerShell (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetLocalUser with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getlocaluser_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":2,\"atomic_attack_guid\":\"8b8a6449-be98-4f42-afd2-dedddc7453b2\",\"atomic_attack_name\":\"Enumerate all accounts via PowerShell (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":10,\"atomic_attack_guid\":\"46f8dbe9-22a5-4770-8513-66119c5be63b\",\"atomic_attack_name\":\"Enumerate Active Directory for Unconstrained Delegation\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":11,\"atomic_attack_guid\":\"93662494-5ed7-4454-a04c-8c8372808ac2\",\"atomic_attack_name\":\"Get-DomainUser with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Forest Discovery with GetForestDomain\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml\"},{\"rule_name\":\"Get DomainUser with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainuser_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":14,\"atomic_attack_guid\":\"00c652e2-0750-4ca6-82ff-0204684a6fe4\",\"atomic_attack_name\":\"Enumerate Root Domain linked policies Discovery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Root Domain linked policies Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_root_domain_linked_policies_discovery.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":15,\"atomic_attack_guid\":\"ce483c35-c74b-45a7-a670-631d1e69db3d\",\"atomic_attack_name\":\"WinPwn - generaldomaininfo\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell 
Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":16,\"atomic_attack_guid\":\"f450461c-18d1-4452-9f0d-2c42c3f08624\",\"atomic_attack_name\":\"Kerbrute - userenum\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":17,\"atomic_attack_guid\":\"b8a563d4-a836-4993-a74e-0a19b8481bfe\",\"atomic_attack_name\":\"Wevtutil - Discover NTLM Users Remote\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":21,\"atomic_attack_guid\":\"abf00f6c-9983-4d9a-afbc-6b1c6c6448e1\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with adfind all properties\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":22,\"atomic_attack_guid\":\"51a98f96-0269-4e09-a10f-e307779a8b05\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":1,\"atomic_attack_guid\":\"5598f7cb-cf43-455e-883a-f6008c5d46af\",\"atomic_attack_name\":\"Admin Account Manipulate\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"Powershell LocalAccount Manipulation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":2,\"atomic_attack_guid\":\"a55a22e9-a3d3-42ce-bd48-2653adb8f7a9\",\"atomic_attack_name\":\"Domain Account and Group Manipulate\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":9,\"atomic_attack_guid\":\"d5b886d9-d1c7-4b6e-a7b0-460041bf2823\",\"atomic_attack_name\":\"Password Change on Directory Service Restore Mode (DSRM) Account\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":10,\"atomic_attack_guid\":\"fc5f9414-bd67-4f5f-a08e-e5381e29cbd1\",\"atomic_attack_name\":\"Domain Password Policy Check: Short Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local 
Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":11,\"atomic_attack_guid\":\"68190529-069b-4ffc-a942-919704158065\",\"atomic_attack_name\":\"Domain Password Policy Check: No Number in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":12,\"atomic_attack_guid\":\"7d984ef2-2db2-4cec-b090-e637e1698f61\",\"atomic_attack_name\":\"Domain Password Policy Check: No Special Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":13,\"atomic_attack_guid\":\"b299c120-44a7-4d68-b8e2-8ba5a28511ec\",\"atomic_attack_name\":\"Domain Password Policy Check: No Uppercase Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":14,\"atomic_attack_guid\":\"945da11e-977e-4dab-85d2-f394d03c5887\",\"atomic_attack_name\":\"Domain Password Policy Check: No Lowercase Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":15,\"atomic_attack_guid\":\"784d1349-5a26-4d20-af5e-d6af53bae460\",\"atomic_attack_name\":\"Domain 
Password Policy Check: Only Two Character Classes\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":16,\"atomic_attack_guid\":\"81959d03-c51f-49a1-bb24-23f1ec885578\",\"atomic_attack_name\":\"Domain Password Policy Check: Common Password Use\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":8,\"atomic_attack_guid\":\"ffd492e3-0455-4518-9fb1-46527c9f241b\",\"atomic_attack_name\":\"certutil download (verifyctl)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious Download Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml\"},{\"rule_name\":\"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":18,\"atomic_attack_guid\":\"2b080b99-0deb-4d51-af0f-833d37c4ca6a\",\"atomic_attack_name\":\"Curl Download File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":19,\"atomic_attack_guid\":\"635c9a38-6cbf-47dc-8615-3810bc1167cf\",\"atomic_attack_name\":\"Curl Upload File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":20,\"atomic_attack_guid\":\"d239772b-88e2-4a2e-8473-897503401bcc\",\"atomic_attack_name\":\"Download a file with Microsoft Connection Manager Auto-Download\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":21,\"atomic_attack_guid\":\"70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf\",\"atomic_attack_name\":\"MAZE Propagation Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":32,\"atomic_attack_guid\":\"6934c16e-0b3a-4e7f-ab8c-c414acd32181\",\"atomic_attack_name\":\"File Download with Sqlcmd.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":33,\"atomic_attack_guid\":\"c82b1e60-c549-406f-9b00-0a8ae31c9cfe\",\"atomic_attack_name\":\"Remote File Copy using PSCP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":34,\"atomic_attack_guid\":\"2a4b0d29-e5dd-4b66-b729-07423ba1cd9d\",\"atomic_attack_name\":\"Windows push file using scp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":35,\"atomic_attack_guid\":\"401667dc-05a6-4da0-a2a7-acfe4819559c\",\"atomic_attack_name\":\"Windows pull file using scp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":36,\"atomic_attack_guid\":\"205e676e-0401-4bae-83a5-94b8c5daeb22\",\"atomic_attack_name\":\"Windows push file using sftp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":37,\"atomic_attack_guid\":\"3d25f1f2-55cb-4a41-a523-d17ad4cfba19\",\"atomic_attack_name\":\"Windows pull file using sftp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":38,\"atomic_attack_guid\":\"3dd6a6cf-9c78-462c-bd75-e9b54fc8925b\",\"atomic_attack_name\":\"Download a file with OneDrive Standalone Updater\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1110.001\",\"test_number\":2,\"atomic_attack_guid\":\"c2969434-672b-4ec8-8df0-bbb91f40e250\",\"atomic_attack_name\":\"Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Connection to Remote Account\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":45,\"atomic_attack_guid\":\"fe7974e5-5813-477b-a7bd-311d4f535e83\",\"atomic_attack_name\":\"Enabling Restricted Admin Mode via Command_Prompt\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"RestrictedAdminMode Registry Value Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml\"},{\"rule_name\":\"RestrictedAdminMode Registry Value Tampering - ProcCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":67,\"atomic_attack_guid\":\"eb0ba433-63e5-4a8c-a9f0-27c4192e1336\",\"atomic_attack_name\":\"Enable Proxy Settings\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modification of IE Registry Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":68,\"atomic_attack_guid\":\"d88a3d3b-d016-4939-a745-03638aafd21b\",\"atomic_attack_name\":\"Set-Up Proxy 
Server\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modification of IE Registry Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":86,\"atomic_attack_guid\":\"c691cee2-8d17-4395-b22f-00644c7f1c2d\",\"atomic_attack_name\":\"Modify RDP-Tcp Initial Program Registry Entry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"RDP Sensitive Settings Changed\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml\"},{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1113\",\"test_number\":8,\"atomic_attack_guid\":\"e9313014-985a-48ef-80d9-cde604ffc187\",\"atomic_attack_name\":\"Windows Screen Capture (CopyFromScreen)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Screen Capture with CopyFromScreen\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Screen Capture Via Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_screen_capture_via_powershell.yml\"}]},{\"tech_id\":\"T1115\",\"test_number\":2,\"atomic_attack_guid\":\"d6dc21af-bec9-4152-be86-326b6babd416\",\"atomic_attack_name\":\"Execute Commands from Clipboard using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get 
Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"},{\"rule_name\":\"PowerShell Get-Clipboard Cmdlet Via CLI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml\"},{\"rule_name\":\"Data Copied To Clipboard Via Clip.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows ClipBoard Data via Get-ClipBoard\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml\"}]},{\"tech_id\":\"T1115\",\"test_number\":4,\"atomic_attack_guid\":\"9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52\",\"atomic_attack_name\":\"Collect Clipboard Data via VBA\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"test_number\":2,\"atomic_attack_guid\":\"634bd9b9-dc83-4229-b19f-7f83ba9ad313\",\"atomic_attack_name\":\"Automated Collection PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Command PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"test_number\":3,\"atomic_attack_guid\":\"c3f6d794-50dd-482f-b640-0384fbb7db26\",\"atomic_attack_name\":\"Recon information for export with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Information for Export with 
PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1120\",\"test_number\":1,\"atomic_attack_guid\":\"2cb4dbf2-2dca-4597-8678-4d39d207a3a5\",\"atomic_attack_name\":\"Win32_PnPEntity Hardware Inventory\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Suspicious Win32_PnPEntity\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1123\",\"test_number\":2,\"atomic_attack_guid\":\"7a21cce2-6ada-4f7c-afd9-e1e9c481e44a\",\"atomic_attack_name\":\"Registry artefact when application use microphone\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Camera and Microphone Access\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1125\",\"test_number\":1,\"atomic_attack_guid\":\"6581e4a7-42e3-43c5-a0d2-5a0d62f9702a\",\"atomic_attack_name\":\"Registry artefact when application use webcam\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Camera and Microphone Access\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1134.004\",\"test_number\":1,\"atomic_attack_guid\":\"069258f4-2162-46e9-9a25-c9c6c56150d2\",\"atomic_attack_name\":\"Parent PID Spoofing using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - PPID Spoofing SelectMyParent Tool 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"test_number\":7,\"atomic_attack_guid\":\"b1636f0a-ba82-435c-b699-0d78794d8bfd\",\"atomic_attack_name\":\"Share Discovery with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1136.001\",\"test_number\":5,\"atomic_attack_guid\":\"bc8be0ac-475c-4fbf-9b1d-9fffd77afbde\",\"atomic_attack_name\":\"Create a new user in PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"PowerShell Create Local User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1136.002\",\"test_number\":3,\"atomic_attack_guid\":\"5a3497a4-1568-4663-b12a-d4a5ed70c7d7\",\"atomic_attack_name\":\"Create a new Domain Account using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Manipulation of User Computer or Group Security Principals Across AD\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1137.006\",\"test_number\":1,\"atomic_attack_guid\":\"441b1a0f-a771-428a-8af0-e99e4698cda3\",\"atomic_attack_name\":\"Code Executed Via Excel Add-in File (XLL)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Code Executed Via Office Add-in XLL 
File\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1197\",\"test_number\":3,\"atomic_attack_guid\":\"62a06ec5-5754-47d2-bcfc-123d8314c6ae\",\"atomic_attack_name\":\"Persist, Download, & Execute\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Monitoring For Persistence Via BITS\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"test_number\":9,\"atomic_attack_guid\":\"3177f4da-3d4b-4592-8bdc-aa23d0b2e843\",\"atomic_attack_name\":\"Get-DomainPolicy with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Get DomainPolicy with Powershell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1217\",\"test_number\":5,\"atomic_attack_guid\":\"faab755e-4299-48ec-8202-fc7885eb6545\",\"atomic_attack_name\":\"List Google Chrome / Opera Bookmarks on Windows with powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Bookmarks Using Get-ChildItem PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":4,\"atomic_attack_guid\":\"db020456-125b-4c8b-a4a7-487df8afb5a2\",\"atomic_attack_name\":\"ProtocolHandler.exe Downloaded a Suspicious File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":13,\"atomic_attack_guid\":\"b1eeb683-90bb-4365-bbc2-2689015782fe\",\"atomic_attack_name\":\"LOLBAS CustomShellHost to Spawn Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":15,\"atomic_attack_guid\":\"e5eedaed-ad42-4c1e-8783-19529738a349\",\"atomic_attack_name\":\"LOLBAS Msedge to Spawn Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":5,\"atomic_attack_guid\":\"882082f0-27c6-4eec-a43c-9aa80bccdb30\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with embedded JScript\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":6,\"atomic_attack_guid\":\"cf470d9a-58e7-43e5-b0d2-805dffc05576\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":7,\"atomic_attack_guid\":\"32eb3861-30da-4993-897a-42737152f5f8\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":8,\"atomic_attack_guid\":\"55080eb0-49ae-4f55-a440-4167b7974f79\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install 
MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.009\",\"test_number\":1,\"atomic_attack_guid\":\"71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112\",\"atomic_attack_name\":\"Regasm Uninstall Method Call Test\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.009\",\"test_number\":2,\"atomic_attack_guid\":\"fd3c1c6a-02d2-4b72-82d9-71c527abb126\",\"atomic_attack_name\":\"Regsvcs Uninstall Method Call Test\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.010\",\"test_number\":3,\"atomic_attack_guid\":\"08ffca73-9a3d-471a-aeb0-68b4aa3ab37b\",\"atomic_attack_name\":\"Regsvr32 local DLL execution\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":1,\"atomic_attack_guid\":\"4700a710-c821-4e17-a3ec-9e4c81d6845f\",\"atomic_attack_name\":\"Windows - Discover domain trusts with dsquery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":3,\"atomic_attack_guid\":\"c58fbc62-8a62-489e-8f2d-3565d7d96f30\",\"atomic_attack_name\":\"Powershell enumerate domains and forests\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":6,\"atomic_attack_guid\":\"f974894c-5991-4b19-aaf5-7cc2fe298c5d\",\"atomic_attack_name\":\"Get-DomainTrust with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Get-DomainTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml\"},{\"rule_name\":\"Get-ForestTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1482\",\"test_number\":7,\"atomic_attack_guid\":\"58ed10e8-0738-4651-8408-3a3e9a526279\",\"atomic_attack_name\":\"Get-ForestTrust with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Get-DomainTrust with PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml\"},{\"rule_name\":\"Get-ForestTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1484.001\",\"test_number\":1,\"atomic_attack_guid\":\"9ab80952-74ee-43da-a98c-1e740a985f28\",\"atomic_attack_name\":\"LockBit Black - Modify Group policy settings -cmd\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modify Group Policy Settings - ScriptBlockLogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml\"},{\"rule_name\":\"Modify Group Policy Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1484.001\",\"test_number\":2,\"atomic_attack_guid\":\"b51eae65-5441-4789-b8e8-64783c26c1d1\",\"atomic_attack_name\":\"LockBit Black - Modify Group policy settings -Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modify Group Policy Settings - ScriptBlockLogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"test_number\":13,\"atomic_attack_guid\":\"42111a6f-7e7f-482c-9b1b-3cfd090b999c\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via Diskshadow\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems 
Utilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1491.001\",\"test_number\":1,\"atomic_attack_guid\":\"30558d53-9d76-41c4-9267-a7bd5184bed3\",\"atomic_attack_name\":\"Replace Desktop Wallpaper\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Replace Desktop Wallpaper by Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1497.001\",\"test_number\":3,\"atomic_attack_guid\":\"502a7dc4-9d6f-4d28-abf2-f0e84692562d\",\"atomic_attack_name\":\"Detect Virtualization Environment (Windows)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Detect Virtualization Environment\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml\"}],\"splunk_rules\":[]}]"
  },
  {
    "path": "automation/__init__.py",
    "content": ""
  },
  {
    "path": "automation/atomic_handler.py",
    "content": "# automation/atomic_handler.py\n\nimport os\nimport re\nimport yaml\nimport logging\n\n# ATT&CK technique ID pattern: T followed by digits, optional .digits\n_TID_PATTERN = re.compile(r\"^T\\d+(\\.\\d+)?$\", re.I)\n\n\ndef get_all_technique_ids(atomics_path: str | None = None) -> list[str]:\n    \"\"\"\n    Discovers all technique IDs from the Atomic Red Team atomics folder.\n    Returns sorted list of technique IDs (e.g. T1059.001, T1087.001, ...).\n    \"\"\"\n    from automation import config\n    path = atomics_path or config.ATOMIC_TESTS_PATH\n    if not os.path.isdir(path):\n        return []\n    result = []\n    for name in os.listdir(path):\n        if _TID_PATTERN.match(name):\n            yaml_path = os.path.join(path, name, f\"{name}.yaml\")\n            md_path = os.path.join(path, name, f\"{name}.md\")\n            if os.path.isfile(yaml_path) or os.path.isfile(md_path):\n                result.append(name.upper())\n    return sorted(result)\n\n\nclass AtomicParser:\n    \"\"\"\n    Parses Atomic Red Team YAML files and returns structured test lists.\n    Supports Attack Mapping: one report entry per Atomic Test.\n    \"\"\"\n\n    def __init__(self, atomics_path: str | None = None):\n        from automation import config\n        self.atomics_path = atomics_path or config.ATOMIC_TESTS_PATH\n\n    def get_tests_for_technique(\n        self, technique_id: str, platform_filter: str | None = \"windows\"\n    ) -> list[dict]:\n        \"\"\"\n        Returns list of atomic tests for a technique.\n        Each dict: test_number, name, guid, supported_platforms, ...\n        \"\"\"\n        test_data, _ = find_atomic_for_technique(technique_id, self.atomics_path)\n        if not test_data or \"atomic_tests\" not in test_data:\n            return []\n        result = []\n        for i, t in enumerate(test_data[\"atomic_tests\"], start=1):\n            platforms = t.get(\"supported_platforms\") or []\n            if isinstance(platforms, 
str):\n                platforms = [platforms]\n            platforms = [str(p).lower() for p in platforms if p]\n            if platform_filter and platforms and platform_filter.lower() not in platforms:\n                continue\n            guid = t.get(\"auto_generated_guid\") or t.get(\"guid\") or \"\"\n            result.append({\n                \"test_number\": i,\n                \"name\": t.get(\"name\", f\"Test {i}\"),\n                \"guid\": guid,\n                \"supported_platforms\": platforms,\n            })\n        return result\n\n\ndef find_atomic_for_technique(technique_id, atomics_path):\n    \"\"\"\n    Finds the Atomic Red Team test file and its path for a given ATT&CK technique ID.\n    \"\"\"\n    formatted_id = technique_id.upper()\n    test_file_path = os.path.join(atomics_path, formatted_id, f\"{formatted_id}.yaml\")\n    \n    if not os.path.exists(test_file_path):\n        test_file_path = os.path.join(atomics_path, formatted_id, f\"{formatted_id}.md\")\n        if not os.path.exists(test_file_path):\n            return None, None \n\n    try:\n        with open(test_file_path, 'r', encoding='utf-8') as f:\n            if test_file_path.endswith('.md'):\n                content = f.read()\n                parts = content.split('---')\n                if len(parts) >= 3:\n                    yaml_content = parts[1]\n                    test_data = yaml.safe_load(yaml_content)\n                else:\n                    logging.warning(f\"    -> Malformed markdown atomic file (no YAML front matter): {test_file_path}\")\n                    return None, None\n            else:\n                test_data = yaml.safe_load(f)\n        \n        if test_data and 'atomic_tests' in test_data:\n            for atomic in test_data['atomic_tests']:\n                if 'auto_generated_guid' in atomic:\n                    atomic['guid'] = atomic['auto_generated_guid']\n        \n        return test_data, test_file_path\n    except Exception 
as e:\n        logging.warning(f\"    -> Could not parse atomic test file: {test_file_path}. Error: {e}\")\n        return None, None\n\ndef prepare_command(atomic_test):\n    \"\"\"\n    Takes a single atomic test object and substitutes its input arguments\n    to create a final, executable command.\n    \n    :param atomic_test: A dictionary representing a single test from the YAML.\n    :return: A final, executable command string, or None.\n    \"\"\"\n    raw_command = atomic_test.get('executor', {}).get('command')\n    if not raw_command:\n        return None\n        \n    final_command = raw_command\n    if atomic_test.get('input_arguments'):\n        for arg_name, arg_details in atomic_test['input_arguments'].items():\n            placeholder = f\"#{{{arg_name}}}\"\n            default_value = arg_details.get('default')\n            \n            if default_value is not None:\n                final_command = final_command.replace(placeholder, str(default_value))\n\n    return final_command"
  },
  {
    "path": "automation/config.py",
    "content": "import os\nimport logging\nfrom dotenv import load_dotenv\n\n# Find the project root directory\n# This file (config.py) -> parent is 'automation'\n# The parent of 'automation' is the Project Root (e.g., 'AttackRuleMap')\nPROJECT_ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))\n\n# Load .env early so repo paths can be overridden\ndotenv_path = os.path.join(PROJECT_ROOT, '.env')\nload_dotenv(dotenv_path=dotenv_path)\n\n# Repo base: default data/repos (managed by RepoManager); override via REPOS_BASE_PATH in .env\nDEPENDENCIES_PATH = os.path.join(PROJECT_ROOT, 'dependencies')\nREPOS_BASE_PATH = os.getenv(\"REPOS_BASE_PATH\", os.path.join(PROJECT_ROOT, \"data\", \"repos\"))\n\nSIGMA_REPO_PATH = os.getenv(\"SIGMA_REPO_PATH\", os.path.join(REPOS_BASE_PATH, \"sigma\"))\nESCU_REPO_PATH = os.getenv(\"ESCU_REPO_PATH\", os.path.join(REPOS_BASE_PATH, \"security_content\"))\nSIGMA_RULES_PATH = os.getenv(\"SIGMA_RULES_PATH\", os.path.join(SIGMA_REPO_PATH, \"rules\"))\nESCU_RULES_PATH = os.getenv(\"ESCU_RULES_PATH\", os.path.join(ESCU_REPO_PATH, \"detections\"))\nATOMIC_RED_TEAM_REPO = os.getenv(\"ATOMIC_RED_TEAM_REPO\", os.path.join(REPOS_BASE_PATH, \"atomic-red-team\"))\nATOMIC_TESTS_PATH = os.getenv(\"ATOMIC_TESTS_PATH\", os.path.join(ATOMIC_RED_TEAM_REPO, \"atomics\"))\n\n# --- Helpers ---\ndef _as_bool(val: str | None, default: bool = False) -> bool:\n    if val is None:\n        return default\n    return str(val).strip().lower() in (\"1\", \"true\", \"yes\", \"on\")\n\n# Get Splunk connection details from the .env file\nSPLUNK_HOST = os.getenv(\"SPLUNK_HOST\", \"localhost\")\nSPLUNK_PORT = int(os.getenv(\"SPLUNK_PORT\", \"8089\"))\nSPLUNK_SCHEME = os.getenv(\"SPLUNK_SCHEME\", \"https\")\nSPLUNK_VERIFY_CERT = _as_bool(os.getenv(\"SPLUNK_VERIFY_CERT\"), False)\nSPLUNK_USERNAME = os.getenv(\"SPLUNK_USERNAME\", \"admin\")\nSPLUNK_PASSWORD = os.getenv(\"SPLUNK_PASSWORD\")\nSPLUNK_TOKEN = os.getenv(\"SPLUNK_TOKEN\")  # If set, token-based auth 
will be used\nSPLUNK_SEARCH_INDEX = os.getenv(\"SPLUNK_SEARCH_INDEX\", \"main\")\n\n# Basic auth/token hints (DEBUG only - import runs before main's logging setup)\nif not SPLUNK_PASSWORD and not SPLUNK_TOKEN:\n    logging.getLogger(__name__).debug(\"Neither SPLUNK_PASSWORD nor SPLUNK_TOKEN found in .env. Splunk connection may fail.\")\nif SPLUNK_PASSWORD and SPLUNK_TOKEN:\n    logging.getLogger(__name__).debug(\"Both SPLUNK_TOKEN and SPLUNK_PASSWORD are set; token auth will be preferred.\")\n\n# --- Get VM connection details from the .env file ---\nVM_HOST = os.getenv(\"VM_HOST\")\nVM_HOSTNAME = os.getenv(\"VM_HOSTNAME\", VM_HOST)\nVM_USERNAME = os.getenv(\"VM_USERNAME\")\nVM_PASSWORD = os.getenv(\"VM_PASSWORD\")\nVM_SAFE_DIR = os.getenv(\"VM_SAFE_DIR\")\n\nATOMIC_MODULE_PATH = os.getenv(\"ATOMIC_MODULE_PATH\", r\"C:\\AtomicRedTeam\\invoke-atomicredteam\\Invoke-AtomicRedTeam.psd1\")\nATOMIC_ATOMICS_PATH = os.getenv(\"ATOMIC_ATOMICS_PATH\", r\"C:\\AtomicRedTeam\\atomics\")\n\n# --- Proxmox settings (from .env) ---\nPROXMOX_HOST = os.getenv(\"PROXMOX_HOST\")\nPROXMOX_USER = os.getenv(\"PROXMOX_USER\", \"root\")\nPROXMOX_PASSWORD = os.getenv(\"PROXMOX_PASSWORD\")\nPROXMOX_KEY_PATH = os.getenv(\"PROXMOX_KEY_PATH\")  # Optional: SSH key instead of password\nPROXMOX_PORT = int(os.getenv(\"PROXMOX_SSH_PORT\", os.getenv(\"PROXMOX_PORT\", \"22\")))\nTARGET_VM_ID = os.getenv(\"TARGET_VM_ID\")\nTARGET_SNAPSHOT = os.getenv(\"TARGET_SNAPSHOT\")\n\n# --- Automation Settings from .env ---\n# Use only explicit seconds value; legacy minutes-based var removed\nSPLUNK_INDEX_WAIT_SECONDS = int(os.getenv(\"SPLUNK_INDEX_WAIT_SECONDS\", \"900\"))\n# Time padding around execution window when querying Splunk (seconds)\nSPLUNK_TIME_PAD_SECONDS = int(os.getenv(\"SPLUNK_TIME_PAD_SECONDS\", \"300\"))\n# Post-test wait (seconds) before powering off VM to allow UF to forward events\nPOST_EXEC_FORWARD_WAIT_SECONDS = int(os.getenv(\"POST_EXEC_FORWARD_WAIT_SECONDS\", \"30\"))\n\n# --- Per-test 
verification settings ---\nPER_TEST_VERIFICATION = _as_bool(os.getenv(\"PER_TEST_VERIFICATION\"), False)\nPER_TEST_VERIFY_TIMEOUT_SECONDS = int(os.getenv(\"PER_TEST_VERIFY_TIMEOUT_SECONDS\", \"180\"))\nPER_TEST_VERIFY_POLL_INTERVAL_SECONDS = int(os.getenv(\"PER_TEST_VERIFY_POLL_INTERVAL_SECONDS\", \"15\"))\n\n# --- Strict ingestion wait (keep VM up until events observed or timeout) ---\nPER_TEST_STRICT_INGESTION_WAIT = _as_bool(os.getenv(\"PER_TEST_STRICT_INGESTION_WAIT\"), False)\nPER_TEST_STRICT_MAX_WAIT_SECONDS = int(os.getenv(\"PER_TEST_STRICT_MAX_WAIT_SECONDS\", \"300\"))\nPER_TEST_INGESTION_POLL_INTERVAL_SECONDS = int(os.getenv(\"PER_TEST_INGESTION_POLL_INTERVAL_SECONDS\", \"10\"))\n# If true, abort remaining tests and leave VM running on ingestion timeout\nPER_TEST_ABORT_ON_INGESTION_TIMEOUT = _as_bool(os.getenv(\"PER_TEST_ABORT_ON_INGESTION_TIMEOUT\"), False)\n\n# --- VM command execution timeout (seconds) ---\nVM_COMMAND_TIMEOUT_SECONDS = int(os.getenv(\"VM_COMMAND_TIMEOUT_SECONDS\", \"600\"))\n\nATTACK_TIDS_DEFAULT = \"T1059.001,T1087.001,T1003.001\"\nATTACK_LIST = [t.strip().upper() for t in os.getenv(\"ATTACK_TIDS\", ATTACK_TIDS_DEFAULT).split(\",\") if t.strip()]\n\n# --- Output paths ---\n# Main report: dist/ for AJAX loading by index.html\nREPORT_JSON_PATH = os.path.join(PROJECT_ROOT, \"dist\", \"attack_rule_map.json\")\n# dist/ for MITRE layer and HTML (keeps root clean)\nDIST_PATH = os.path.join(PROJECT_ROOT, \"dist\")"
  },
  {
    "path": "automation/dependency_handler.py",
    "content": "import os\nimport re\nimport shutil\nimport subprocess\nfrom pathlib import Path\nfrom urllib.parse import urlparse\nimport urllib.request\n\n# Define the repositories we depend on\nREPOSITORIES = {\n    \"sigma\": \"https://github.com/SigmaHQ/sigma.git\",\n    \"atomic-red-team\": \"https://github.com/redcanaryco/atomic-red-team.git\",\n    \"escu\": \"https://github.com/splunk/security_content.git\"\n}\n\ndef check_and_update_dependencies(base_path):\n    \"\"\"\n    Checks for the existence of dependency repositories.\n    Clones them if they don't exist, or pulls the latest changes if they do.\n\n    :param base_path: The folder where the dependency repos should reside.\n    \"\"\"\n    print(\"[+] Checking and updating dependencies...\")\n    os.makedirs(base_path, exist_ok=True)\n\n    for name, url in REPOSITORIES.items():\n        repo_path = os.path.join(base_path, name)\n\n        if not os.path.isdir(repo_path):\n            print(f\"    -> '{name}' repository not found. Cloning from {url}...\")\n            try:\n                subprocess.run(\n                    [\"git\", \"clone\", url, repo_path], \n                    check=True, capture_output=True, text=True\n                )\n                print(f\"    -> Successfully cloned '{name}'.\")\n            except subprocess.CalledProcessError as e:\n                print(f\"    -> ERROR: Failed to clone '{name}'. Git error: {e.stderr}\")\n                return False\n        else:\n            # If directory exists but is not a git repository, treat it as a vendored copy and skip updating\n            if not os.path.isdir(os.path.join(repo_path, \".git\")):\n                print(f\"    -> '{name}' directory exists but is not a git repository. Using vendored copy (skip pull).\")\n                continue\n\n            print(f\"    -> '{name}' repository found. 
Pulling latest changes...\")\n            try:\n                # We use -C flag to specify the repository path for git command\n                subprocess.run(\n                    [\"git\", \"-C\", repo_path, \"pull\"], \n                    check=True, capture_output=True, text=True\n                )\n                print(f\"    -> Successfully updated '{name}'.\")\n            except subprocess.CalledProcessError as e:\n                print(f\"    -> ERROR: Failed to pull '{name}'. Git error: {e.stderr}\")\n                return False\n    \n    print(\"[+] Dependencies are up to date.\")\n    return True\n\n\ndef _download_file(url: str, dest_path: Path) -> bool:\n    dest_path.parent.mkdir(parents=True, exist_ok=True)\n    try:\n        with urllib.request.urlopen(url) as r, open(dest_path, 'wb') as f:\n            shutil.copyfileobj(r, f)\n        return True\n    except Exception as e:\n        print(f\"    -> ERROR: Failed to download {url}: {e}\")\n        return False\n\n\ndef stage_atomic_dependencies_locally(atomic_test: dict, technique_dir: str, cache_dir: str) -> list[str]:\n    \"\"\"Resolves and downloads common Atomic external payloads or URL-based dependencies into a local cache.\n\n    Returns a list of absolute local file paths that should be uploaded to the VM safe dir.\n    \"\"\"\n    staged: list[str] = []\n    cache = Path(cache_dir)\n    cache.mkdir(parents=True, exist_ok=True)\n\n    # 1) Handle explicit dependencies.source files in the atomic YAML\n    for dep in (atomic_test.get('dependencies') or []):\n        src = dep.get('source')\n        if not src:\n            continue\n        local_path = Path(technique_dir) / src\n        if local_path.exists():\n            staged.append(str(local_path))\n\n    # 2) Parse input_arguments defaults for URLs or PathToAtomicsFolder patterns\n    for name, arg in (atomic_test.get('input_arguments') or {}).items():\n        val = str(arg.get('default', '')).strip()\n        if not val:\n      
      continue\n        # If URL, download to cache\n        try:\n            parsed = urlparse(val)\n            if parsed.scheme in ('http', 'https') and parsed.netloc:\n                fname = os.path.basename(parsed.path) or 'payload.bin'\n                dest = cache / fname\n                if _download_file(val, dest):\n                    staged.append(str(dest))\n                continue\n        except Exception:\n            pass\n\n        # If PathToAtomicsFolder reference, try to resolve file under repo and stage\n        if 'PathToAtomicsFolder' in val:\n            rel = val.split('PathToAtomicsFolder', 1)[1].lstrip('/\\\\')\n            repo_root = Path(technique_dir).parents[2]  # .../dependencies/atomic-red-team/atomics/<Txxxx>\n            full_local = repo_root / rel\n            if full_local.exists():\n                staged.append(str(full_local))\n            else:\n                # Sometimes ExternalPayloads path is up one level\n                alt = repo_root.parent / rel\n                if alt.exists():\n                    staged.append(str(alt))\n\n    # 3) Heuristics: if commands reference well-known ExternalPayloads (e.g., PetitPotam.exe), try to find them in repo\n    cmd = (atomic_test.get('executor') or {}).get('command', '')\n    for m in re.findall(r\"[A-Za-z]:\\\\[^\\s\\\"']+|\\b[\\w\\-]+\\.exe\\b\", cmd):\n        # If it's just a filename like PetitPotam.exe, locate under atomic-red-team/ExternalPayloads\n        if not (':' in m or m.startswith('\\\\')) and m.lower().endswith('.exe'):\n            repo = Path(technique_dir).parents[2]\n            for cand in repo.parent.rglob(m):\n                try:\n                    if cand.is_file():\n                        staged.append(str(cand))\n                        break\n                except Exception:\n                    pass\n\n    # Deduplicate\n    return sorted(set(staged))"
  },
  {
    "path": "automation/dynamic_generator.py",
    "content": "import os\nimport re\nimport sys\nimport json\nimport time\nimport logging\nimport glob\n\nfrom automation import config\nfrom automation import utils\nfrom automation import repo_manager\nfrom automation import report_handler\nfrom automation import vm_handler\nfrom automation import execution_handler\nfrom automation import splunk_handler\nfrom automation import atomic_handler\nfrom sigma.collection import SigmaCollection\nfrom sigma.backends.splunk import SplunkBackend\nfrom sigma.exceptions import SigmaError\n\n# Time-boxing: Do NOT use relative time (-2m, now). Only absolute epoch timestamps.\nRE_MACRO = re.compile(r\"%[^%\\s]+%\")\n\n# Sigma (pySigma) field names -> Splunk CIM (Common Information Model) field names\n# The EventCode= field is left untouched (it should stay indexed for performance)\nCIM_MAPPING = {\n    # Process\n    \"Image=\": \"process_name=\",\n    \"ParentImage=\": \"parent_process_name=\",\n    \"CommandLine=\": \"process=\",\n    \"OriginalFileName=\": \"original_file_name=\",\n    # User & Host\n    \"User=\": \"user=\",\n    \"Computer=\": \"dest=\",\n    \"DestinationHostname=\": \"dest=\",\n    # Network\n    \"DestinationIp=\": \"dest_ip=\",\n    \"DestinationPort=\": \"dest_port=\",\n    \"SourceIp=\": \"src_ip=\",\n    # Registry & File\n    \"TargetObject=\": \"registry_path=\",\n    \"Details=\": \"registry_value_data=\",\n    \"TargetFilename=\": \"file_name=\",\n    # PowerShell (the Message field is common in XML logs)\n    \"ScriptBlockText=\": \"Message=\",\n    \"ScriptBlockText IN\": \"Message IN\",\n    \"field=ScriptBlockText\": \"field=Message\",\n}\n\n# GitHub raw URLs for rule links (master branch)\nSIGMA_RAW_BASE = \"https://raw.githubusercontent.com/SigmaHQ/sigma/master\"\nESCU_RAW_BASE = \"https://raw.githubusercontent.com/splunk/security_content/master\"\n\n\ndef _apply_cim_mapping(spl: str) -> str:\n    \"\"\"Apply CIM-compliant field name replacements for Sigma->Splunk compatibility.\"\"\"\n    if not spl or not 
 isinstance(spl, str):\n        return spl\n    result = spl\n    for old, new in sorted(CIM_MAPPING.items(), key=lambda x: -len(x[0])):\n        result = result.replace(old, new)\n    return result\n\n\ndef _normalize_sigma_spl_for_splunk(query: str) -> str:\n    \"\"\"\n    Normalizes pySigma output for Splunk.\n    - Always starts with 'search index=*' (required for Splunk; all indexes are scanned)\n    - For queries starting with '|', 'search index=*' is added as the generating command\n    - Fixes pySigma's newline+pipe format\n    \"\"\"\n    q = (query or \"\").strip()\n    if not q:\n        return \"search index=*\"\n    # Remove all index= expressions (we add index=* afterwards)\n    q = re.sub(r'\\bindex\\s*=\\s*[\"\\']?[^\"\\'\\s]*[\"\\']?\\s*', \"\", q, flags=re.I)\n    q = q.strip()\n    if not q:\n        return \"search index=*\"\n    # Turn pySigma's '*\\n| regex' format into ' | regex'\n    q = re.sub(r\"\\s*\\n\\s*\\|\", \" |\", q)\n    q = q.strip()\n    # Already starts with 'search index=*'; leave as-is\n    if re.match(r\"search\\s+index\\s*=\\s*\\*\", q, re.I):\n        return q\n    # Starts with 'search '; insert index=*\n    if q.lower().startswith(\"search \"):\n        return re.sub(r\"^search\\s+\", \"search index=* \", q, count=1, flags=re.I)\n    # Starts with '|': search index=* | ...\n    if q.startswith(\"|\"):\n        return \"search index=* \" + q\n    # Plain expression or starts with '*'\n    return f\"search index=* {q}\"\n\n\ndef _cim_search_only(query: str) -> str:\n    \"\"\"For VerificationEngine: brings the query into Splunk format.\"\"\"\n    return _normalize_sigma_spl_for_splunk(query)\n\n\nclass RuleMapper:\n    def __init__(self):\n        self.sigma_path = config.SIGMA_RULES_PATH\n        self.escu_path = config.ESCU_RULES_PATH\n\n    @staticmethod\n    def _sanitize_escu_spl(search: str) -> str:\n        if not search or not isinstance(search, str):\n            return \"index=*\"\n        s = search.strip()\n   
     s = RE_MACRO.sub(\"*\", s)\n        s = re.sub(r\"\\*+\", \"*\", s)\n        if not s or s == \"|\":\n            return \"index=*\"\n        if not s.lower().startswith((\"search\", \"index=\", \"|\")):\n            s = f\"search {s}\"\n        return s\n\n    @staticmethod\n    def _sigma_file_to_spl(filepath: str) -> str | None:\n        try:\n            with open(filepath, \"r\", encoding=\"utf-8\") as f:\n                rule_text = f.read()\n            rules = SigmaCollection.from_yaml(rule_text)\n            backend = SplunkBackend()\n            result = backend.convert(rules)\n            if isinstance(result, (list, tuple)):\n                if result and isinstance(result[0], str) and result[0].strip():\n                    return result[0]\n            elif isinstance(result, str) and result.strip():\n                return result\n        except (SigmaError, Exception) as e:\n            logging.warning(\"Sigma->SPL failed %s: %s\", os.path.basename(filepath), e)\n        return None\n\n    def collect_for_technique(self, technique_id: str) -> tuple[list, list]:\n        tid_upper = technique_id.upper()\n        sigma_entries = []\n        if os.path.isdir(self.sigma_path):\n            for fp in glob.glob(os.path.join(self.sigma_path, \"**\", \"*.yml\"), recursive=True):\n                doc = utils.load_yaml_file(fp)\n                if not isinstance(doc, dict) or \"detection\" not in doc or \"title\" not in doc:\n                    continue\n                tags = doc.get(\"tags\") or []\n                if not isinstance(tags, list):\n                    continue\n                for tag in tags:\n                    if isinstance(tag, str) and re.search(r\"attack\\.t\\d+(\\.\\d+)?\", tag, re.I):\n                        tech = tag.replace(\"attack.\", \"\").upper()\n                        if tech == tid_upper:\n                            title = doc.get(\"title\", os.path.basename(fp))\n                            spl = 
self._sigma_file_to_spl(fp)\n                            if spl:\n                                spl = _apply_cim_mapping(spl)\n                                spl = _normalize_sigma_spl_for_splunk(spl)\n                                rule_id = doc.get(\"id\") or \"\"\n                                rel_path = os.path.relpath(fp, config.SIGMA_REPO_PATH)\n                                rule_link = f\"{SIGMA_RAW_BASE}/{rel_path}\" if rel_path and not rel_path.startswith(\"..\") else \"\"\n                                sigma_entries.append({\n                                    \"rule_name\": title,\n                                    \"id\": rule_id,\n                                    \"rule_link\": rule_link,\n                                    \"generated_spl\": spl,\n                                })\n                            break\n\n        escu_entries = []\n        if os.path.isdir(self.escu_path):\n            for fp in glob.glob(os.path.join(self.escu_path, \"**\", \"*.yml\"), recursive=True):\n                doc = utils.load_yaml_file(fp)\n                if not isinstance(doc, dict):\n                    continue\n                search = doc.get(\"search\")\n                if not search or not isinstance(search, str):\n                    continue\n                tags = doc.get(\"tags\") or {}\n                attack_ids = tags.get(\"mitre_attack_id\") or []\n                if isinstance(attack_ids, (str, int)):\n                    attack_ids = [str(attack_ids)]\n                if not isinstance(attack_ids, list):\n                    continue\n                norm = [str(x).upper() for x in attack_ids if x]\n                if tid_upper not in norm:\n                    continue\n                title = doc.get(\"name\") or doc.get(\"title\") or os.path.basename(fp)\n                sanitized = self._sanitize_escu_spl(search)\n                rel_path = os.path.relpath(fp, config.ESCU_REPO_PATH)\n                rule_link = 
f\"{ESCU_RAW_BASE}/{rel_path}\" if rel_path and not rel_path.startswith(\"..\") else \"\"\n                file_path = rel_path if rel_path and not rel_path.startswith(\"..\") else fp\n                escu_entries.append({\n                    \"rule_name\": title,\n                    \"file_path\": file_path,\n                    \"rule_link\": rule_link,\n                    \"original_spl\": search,\n                    \"sanitized_spl\": sanitized,\n                })\n\n        return sigma_entries, escu_entries\n\n\nclass AttackEngine:\n    @staticmethod\n    def run_attack(technique_id: str, test_number: int = 1) -> tuple[bool, float, float]:\n        \"\"\"\n        Run a single Atomic Test. VM revert/start must be done by caller.\n        Returns (success, start_time_epoch, end_time_epoch) for strict time-boxed verification.\n        \"\"\"\n        if not vm_handler.is_vm_ready():\n            logging.warning(\"VM not ready for %s\", technique_id)\n            return False, 0.0, 0.0\n        start_time = time.time()\n        ok = execution_handler.run_invoke_atomic_test(technique_id, test_number)\n        if not ok:\n            vm_handler.stop_vm()\n            return False, start_time, time.time()\n        wait_sec = max(30, int(config.POST_EXEC_FORWARD_WAIT_SECONDS))\n        logging.debug(\"Waiting %s seconds for logs to reach Splunk...\", wait_sec)\n        time.sleep(wait_sec)\n        end_time = time.time()\n        vm_handler.stop_vm()\n        return True, start_time, end_time\n\n\nclass VerificationEngine:\n    def __init__(self, service):\n        self.service = service\n\n    def run(\n        self,\n        spl_query: str,\n        rule_name: str = \"\",\n        earliest_time: float | None = None,\n        latest_time: float | None = None,\n    ) -> tuple[bool, int]:\n        \"\"\"\n        Run Splunk verification for the given SPL query.\n        REQUIRES earliest_time and latest_time (epoch floats) for strict time-boxing.\n        No 
relative time (-2m, now) - prevents cross-contamination between sequential tests.\n        \"\"\"\n        if not spl_query or not spl_query.strip():\n            return False, 0\n        if earliest_time is None or latest_time is None:\n            logging.error(\n                \"Verification requires earliest_time and latest_time (epoch). \"\n                \"Refusing to use relative time to prevent test cross-contamination.\"\n            )\n            return False, 0\n        q = spl_query.strip()\n        if not q.lower().startswith((\"search\", \"index=\", \"|\", \"tstats\")):\n            q = f\"search {q}\"\n        # Strict time-boxing: absolute epoch timestamps only\n        earliest = int(earliest_time)\n        latest = int(latest_time)\n        full = _cim_search_only(q)\n        label = rule_name or \"unknown\"\n        logging.debug(\"[SPL DEBUG] [%s] Query: %s | Time: %s - %s (epoch)\", label, full, earliest, latest)\n        try:\n            job = self.service.jobs.create(\n                full,\n                exec_mode=\"blocking\",\n                earliest_time=str(earliest),\n                latest_time=str(latest),\n            )\n            try:\n                job.refresh()\n            except Exception:\n                pass\n            count = int((job.content or {}).get(\"resultCount\", 0))\n            if count > 0:\n                logging.info(\"\\033[92m[+] DETECTED: %s | Count: %s\\033[0m\", label, count)\n            else:\n                logging.debug(\"No results for [%s]. 
Search Time: %s to %s (epoch)\", label, earliest, latest)\n            return count > 0, count\n        except Exception as e:\n            logging.warning(\"Verification search failed: %s\", e)\n            return False, 0\n\n\nclass ReportGenerator:\n    @staticmethod\n    def build_entry(\n        technique_id: str,\n        test_number: int,\n        atomic_name: str,\n        atomic_attack_guid: str,\n        platform: str,\n        sigma_list: list,\n        escu_list: list,\n    ) -> dict:\n        return {\n            \"tech_id\": technique_id,\n            \"test_number\": test_number,\n            \"atomic_attack_guid\": atomic_attack_guid,\n            \"atomic_attack_name\": atomic_name,\n            \"platform\": platform,\n            \"sigma_rules\": sigma_list,\n            \"escu_rules\": escu_list,\n        }\n\nclass DynamicDetectionLab:\n    def __init__(self, technique_ids: list[str] | None = None):\n        self.technique_ids = [t.strip().upper() for t in (technique_ids or config.ATTACK_LIST) if t]\n        self.rule_mapper = RuleMapper()\n        self.attack_engine = AttackEngine()\n        self.report_generator = ReportGenerator()\n        self._service = None\n\n    @property\n    def service(self):\n        if self._service is None:\n            self._service = splunk_handler.connect_to_splunk()\n        return self._service\n\n    def run(self) -> list:\n        logging.info(\"[*] Ensuring repos (Sigma, ESCU, Atomic Red Team)...\")\n        mgr = repo_manager.RepoManager()\n        if not mgr.ensure_repos():\n            logging.error(\"Repo setup failed. 
Aborting.\")\n            return []\n\n        if not self.service:\n            logging.error(\"Splunk connection failed.\")\n            return []\n\n        verification = VerificationEngine(self.service)\n        atomic_parser = atomic_handler.AtomicParser()\n        report = []\n\n        for technique_id in self.technique_ids:\n            tid = technique_id.upper()\n            tests = atomic_parser.get_tests_for_technique(tid, platform_filter=\"windows\")\n            if not tests:\n                logging.info(\"========== Technique %s (no Windows tests) ==========\", tid)\n                continue\n\n            sigma_spl_list, escu_spl_list = self.rule_mapper.collect_for_technique(tid)\n\n            for test in tests:\n                test_num = test[\"test_number\"]\n                atomic_name = test[\"name\"]\n                atomic_attack_guid = test[\"guid\"]\n                platform = \",\".join(test.get(\"supported_platforms\", []) or [])\n\n                logging.info(\"========== %s | Test #%s: %s ==========\", tid, test_num, atomic_name)\n\n                sigma_results = [\n                    {\n                        \"rule_name\": r[\"rule_name\"],\n                        \"id\": r.get(\"id\", \"\"),\n                        \"rule_link\": r.get(\"rule_link\", \"\"),\n                        \"generated_spl\": r[\"generated_spl\"],\n                        \"detected\": False,\n                        \"log_count\": 0,\n                    }\n                    for r in sigma_spl_list\n                ]\n                escu_results = [\n                    {\n                        \"rule_name\": r[\"rule_name\"],\n                        \"file_path\": r.get(\"file_path\", \"\"),\n                        \"rule_link\": r.get(\"rule_link\", \"\"),\n                        \"original_spl\": r[\"original_spl\"],\n                        \"detected\": False,\n                        \"log_count\": 0,\n                    }\n            
        for r in escu_spl_list\n                ]\n\n                if not vm_handler.revert_to_snapshot():\n                    logging.warning(\"Snapshot revert failed for %s Test #%s\", tid, test_num)\n                    report.append(\n                        self.report_generator.build_entry(\n                            tid, test_num, atomic_name, atomic_attack_guid, platform,\n                            sigma_results, escu_results\n                        )\n                    )\n                    continue\n                if not vm_handler.start_vm():\n                    logging.warning(\"VM start failed for %s Test #%s\", tid, test_num)\n                    report.append(\n                        self.report_generator.build_entry(\n                            tid, test_num, atomic_name, atomic_attack_guid, platform,\n                            sigma_results, escu_results\n                        )\n                    )\n                    continue\n\n                attack_ok, start_time, end_time = self.attack_engine.run_attack(tid, test_number=test_num)\n                if not attack_ok:\n                    report.append(\n                        self.report_generator.build_entry(\n                            tid, test_num, atomic_name, atomic_attack_guid, platform,\n                            sigma_results, escu_results\n                        )\n                    )\n                    continue\n\n                for i, r in enumerate(sigma_spl_list):\n                    detected, count = verification.run(\n                        r[\"generated_spl\"],\n                        rule_name=r[\"rule_name\"],\n                        earliest_time=start_time,\n                        latest_time=end_time,\n                    )\n                    sigma_results[i][\"detected\"] = detected\n                    sigma_results[i][\"log_count\"] = count\n\n                for i, r in enumerate(escu_spl_list):\n                    detected, count 
= verification.run(\n                        r[\"sanitized_spl\"],\n                        rule_name=r[\"rule_name\"],\n                        earliest_time=start_time,\n                        latest_time=end_time,\n                    )\n                    escu_results[i][\"detected\"] = detected\n                    escu_results[i][\"log_count\"] = count\n\n                report.append(\n                    self.report_generator.build_entry(\n                        tid, test_num, atomic_name, atomic_attack_guid, platform,\n                        sigma_results, escu_results\n                    )\n                )\n\n        handler = report_handler.ReportHandler()\n        handler.save_report_json(report)\n        return report\n\n\ndef run_dynamic_generator(technique_ids: list[str] | None = None) -> list:\n    log_path = os.path.join(config.PROJECT_ROOT, \"dynamic_generator.log\")\n    fh = logging.FileHandler(log_path, mode=\"w\")\n    fh.setLevel(logging.DEBUG)\n    sh = logging.StreamHandler()\n    sh.setLevel(logging.INFO)\n    logging.basicConfig(\n        level=logging.DEBUG,\n        format=\"%(asctime)s - %(levelname)s - %(message)s\",\n        handlers=[fh, sh],\n    )\n    lab = DynamicDetectionLab(technique_ids=technique_ids)\n    return lab.run()\n\n\nif __name__ == \"__main__\":\n    run_dynamic_generator()\n"
  },
  {
    "path": "automation/escu_handler.py",
    "content": "import os\nimport glob\nimport logging\nfrom automation import utils\n\n\ndef _normalize_status(raw: str | None) -> str:\n    \"\"\"Map ESCU statuses to our pipeline statuses.\n\n    production -> stable\n    experimental -> experimental\n    deprecated/other -> as-is (likely filtered later)\n    \"\"\"\n    if not raw:\n        return 'stable'\n    val = str(raw).strip().lower()\n    if val == 'production':\n        return 'stable'\n    if val == 'experimental':\n        return 'experimental'\n    return val\n\n\ndef load_and_parse_rules(path: str):\n    \"\"\"\n    Scans for ESCU YAML detection files and extracts key rule info.\n\n    Expected fields (Security Content format):\n    - name: rule title\n    - status: production/experimental/deprecated\n    - search: SPL query string\n    - tags.mitre_attack_id: list of MITRE technique IDs (e.g., [\"T1003.001\"]) \n    - tags.asset_type: e.g., \"Windows\" (used to infer platform)\n    \"\"\"\n    logging.info(f\"Scanning for ESCU rules in: {path}\")\n    yml_files = glob.glob(os.path.join(path, '**', '*.yml'), recursive=True)\n    logging.info(f\"    -> Found {len(yml_files)} YAML detection files.\")\n\n    loaded_rules: list[dict] = []\n\n    for file_path in yml_files:\n        doc = utils.load_yaml_file(file_path)\n        if not isinstance(doc, dict):\n            continue\n\n        title = doc.get('name') or doc.get('title')\n        spl = doc.get('search')\n        tags = (doc.get('tags') or {})\n        attack_ids = tags.get('mitre_attack_id') or []\n        # Normalize attack tags as uppercase technique IDs\n        attack_tags = []\n        if isinstance(attack_ids, list):\n            attack_tags = [str(t).upper() for t in attack_ids if isinstance(t, (str, int))]\n        elif isinstance(attack_ids, (str, int)):\n            attack_tags = [str(attack_ids).upper()]\n\n        if not title or not spl or not attack_tags:\n            # Skip documents that don't have essential bits\n           
 continue\n\n        asset_type = (tags.get('asset_type') or '')\n        platform = str(asset_type).strip().lower() if asset_type else ''\n\n        loaded_rules.append({\n            'filepath': file_path,\n            'title': title,\n            'status': _normalize_status(doc.get('status')),\n            'platform': platform or 'windows' if str(asset_type).lower() == 'windows' else platform,\n            'is_escu': True,\n            'query': spl,\n            'attack_tags': list(set(attack_tags)),\n        })\n\n    logging.info(f\"    -> Successfully loaded and parsed {len(loaded_rules)} valid ESCU rules with ATT&CK tags.\")\n    return loaded_rules"
  },
  {
    "path": "automation/execution_handler.py",
    "content": "import os\nimport logging\nimport re\nimport time\nimport paramiko\nfrom automation import config\nfrom automation import dependency_handler\nfrom automation import vm_handler\n\n\nclass PowerShellExecutor:\n    def __init__(self):\n        self.host = config.VM_HOST\n        self.username = config.VM_USERNAME\n        self.password = config.VM_PASSWORD\n        self.port = 22\n        self.timeout = max(30, int(config.VM_COMMAND_TIMEOUT_SECONDS))\n        self._client = None\n\n    def connect(self):\n        if not self.host or not self.username or not self.password:\n            logging.error(\"VM_HOST, VM_USERNAME, VM_PASSWORD must be set in .env\")\n            return False\n        try:\n            self._client = paramiko.SSHClient()\n            self._client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n            self._client.connect(\n                hostname=self.host,\n                port=self.port,\n                username=self.username,\n                password=self.password,\n                timeout=30,\n            )\n            return True\n        except Exception as e:\n            logging.error(\"PowerShellExecutor connect failed: %s\", e)\n            logging.debug(\"[FAIL] SSH connection to %s: %s\", self.host, e)\n            return False\n\n    def disconnect(self):\n        if self._client:\n            try:\n                self._client.close()\n            except Exception:\n                pass\n            self._client = None\n\n    def execute(self, command):\n        if not self._client:\n            if not self.connect():\n                return (1, \"\", \"Connection failed\")\n        try:\n            full_cmd = f\"powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command \\\"{command}\\\"\"\n            transport = self._client.get_transport()\n            if not transport:\n                return (1, \"\", \"SSH transport not available\")\n            chan = transport.open_session()\n   
         chan.settimeout(self.timeout)\n            chan.exec_command(full_cmd)\n            stdout_chunks = []\n            stderr_chunks = []\n            start = time.time()\n            while True:\n                if chan.recv_ready():\n                    stdout_chunks.append(chan.recv(4096))\n                if chan.recv_stderr_ready():\n                    stderr_chunks.append(chan.recv_stderr(4096))\n                if chan.exit_status_ready():\n                    break\n                if time.time() - start > self.timeout:\n                    try:\n                        chan.close()\n                    except Exception:\n                        pass\n                    return (124, b\"\".join(stdout_chunks).decode(\"utf-8\", errors=\"ignore\"), f\"Timeout after {self.timeout}s\")\n                time.sleep(0.1)\n            status = chan.recv_exit_status()\n            stdout = b\"\".join(stdout_chunks).decode(\"utf-8\", errors=\"ignore\")\n            stderr = b\"\".join(stderr_chunks).decode(\"utf-8\", errors=\"ignore\")\n            return (status, stdout, stderr)\n        except Exception as e:\n            logging.error(f\"PowerShellExecutor execute error: {e}\")\n            return (1, \"\", str(e))\n\n\ndef run_invoke_atomic_test(technique_id=\"T1059.001\", test_number=1):\n    executor = PowerShellExecutor()\n    if not executor.connect():\n        return False\n    script = (\n        \"try { Set-ItemProperty -Path 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord -Force -ErrorAction Stop; \"\n        \"Set-ItemProperty -Path 'HKLM:\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord -Force -ErrorAction Stop } catch {}; \"\n        \"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \"\n        \"w32tm /resync /force; \"\n        \"Restart-Service SplunkForwarder -Force 
-ErrorAction SilentlyContinue; \"\n        \"Write-Host \\\"VM Current Time: $(Get-Date)\\\"; \"\n        f\"Import-Module '{config.ATOMIC_MODULE_PATH}' -Force; \"\n        f\"Invoke-AtomicTest {technique_id} -PathToAtomicsFolder '{config.ATOMIC_ATOMICS_PATH}' -TestNumbers {test_number} -TimeoutSeconds 120 -Confirm:$false\"\n    )\n    status, stdout, stderr = executor.execute(script)\n    logging.debug(\"[CMD] %s\", script)\n    logging.debug(\"[STDOUT] %s\", stdout)\n    if stderr:\n        logging.debug(\"[STDERR] %s\", stderr)\n    if status == 0:\n        logging.debug(\"[SUCCESS] Invoke-AtomicTest %s completed\", technique_id)\n    else:\n        logging.debug(\"[FAIL] Invoke-AtomicTest exit code %s\", status)\n    executor.disconnect()\n    return status == 0\n\n\ndef run_simple_encoded_command():\n    script = \"Write-Host 'AttackRuleMap-Simulation'; Get-Date -Format 'yyyy-MM-dd HH:mm:ss'; whoami\"\n    executor = PowerShellExecutor()\n    if not executor.connect():\n        return False\n    status, stdout, stderr = executor.execute(script)\n    print(f\"[CMD] {script}\")\n    print(f\"[STDOUT] {stdout}\")\n    if stderr:\n        print(f\"[STDERR] {stderr}\")\n    if status == 0:\n        print(f\"[SUCCESS] EncodedCommand simulation completed\")\n    else:\n        print(f\"[FAIL] EncodedCommand exit code {status}\")\n    executor.disconnect()\n    return status == 0\n\n\ndef run_first_attack_simulation():\n    if run_invoke_atomic_test(\"T1059.001\", 1):\n        return True\n    logging.debug(\"[FALLBACK] Invoke-AtomicTest failed, running simple EncodedCommand...\")\n    return run_simple_encoded_command()\n\n\ndef run_first_attack_workflow():\n    logging.debug(\"Starting first attack simulation workflow...\")\n    logging.debug(\"=\" * 60)\n    logging.debug(\"FIRST ATTACK SIMULATION WORKFLOW\")\n    logging.debug(\"=\" * 60)\n    if not vm_handler.revert_to_snapshot():\n        logging.debug(\"[FAIL] Snapshot revert failed\")\n        return False\n  
  if not vm_handler.start_vm():\n        logging.debug(\"[FAIL] VM start failed\")\n        return False\n    logging.debug(\"[WAIT] Waiting for VM to become ready...\")\n    if not vm_handler.is_vm_ready():\n        logging.debug(\"[FAIL] VM did not become ready\")\n        return False\n    logging.debug(\"[OK] VM is ready, triggering first attack simulation...\")\n    success = run_first_attack_simulation()\n    logging.debug(\"=\" * 60)\n    if success:\n        logging.debug(\"[WORKFLOW] First attack simulation completed successfully\")\n    else:\n        logging.debug(\"[WORKFLOW] First attack simulation failed\")\n    logging.debug(\"=\" * 60)\n    return success\n\n\ndef _create_ssh_client():\n    \"\"\"Helper function to create and connect an SSH client.\"\"\"\n    try:\n        client = paramiko.SSHClient()\n        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n        client.connect(\n            hostname=config.VM_HOST, port=22,\n            username=config.VM_USERNAME, password=config.VM_PASSWORD,\n            timeout=30\n        )\n        return client\n    except Exception as e:\n        logging.error(f\"Failed to create SSH client. Exception: {e}\")\n        return None\n\ndef _upload_file_sftp(client, local_path, remote_path):\n    \"\"\"Uploads a single file to the remote VM using SFTP over the SSH connection.\"\"\"\n    logging.debug(\"    -> Uploading '%s' to '%s' via SFTP...\", os.path.basename(local_path), remote_path)\n    try:\n        sftp = client.open_sftp()\n        sftp.put(local_path, remote_path)\n        sftp.close()\n        return True\n    except Exception as e:\n        logging.error(f\"    -> ERROR: Failed to upload file '{local_path}'. 
Exception: {e}\")\n        return False\n\ndef _build_arg_value_map(atomic_test: dict, safe_dir: str) -> dict:\n    \"\"\"Builds a mapping from placeholders like #{arg} to rewritten values suitable for the VM.\n\n    - Replaces PathToAtomicsFolder references with files uploaded into safe_dir.\n    - If value looks like a file path (.exe, .dll, .ps1, etc.), point it to safe_dir\\filename\n    \"\"\"\n    mapping = {}\n    for arg_name, arg_details in (atomic_test.get('input_arguments') or {}).items():\n        default_value = str(arg_details.get('default', ''))\n        # General path replacement for robust handling\n        if \"PathToAtomicsFolder\" in default_value:\n            relative_path = default_value.split(\"PathToAtomicsFolder\", 1)[1].strip('\\\\/')\n            # This assumes the relative path is from the root of the atomic-red-team repo\n            file_name = os.path.basename(relative_path.replace('\\\\', '/'))\n            rewritten_path = f\"{safe_dir}\\\\{file_name}\"\n        elif any(ext in default_value.lower() for ext in ['.exe', '.dll', '.dmp', '.ps1', '.bat', '.txt', '.csv', '.zip']):\n            file_name = os.path.basename(default_value.replace('\\\\', '/'))\n            rewritten_path = f\"{safe_dir}\\\\{file_name}\"\n        else:\n            rewritten_path = default_value\n\n        mapping[f\"#{{{arg_name}}}\"] = rewritten_path\n    return mapping\n\n\ndef _apply_rewrites_to_command(cmd_text: str, arg_map: dict, safe_dir: str) -> str:\n    \"\"\"Apply placeholder and PathToAtomicsFolder rewrites to a command text.\"\"\"\n    if not cmd_text:\n        return cmd_text\n    out = cmd_text\n    # Replace input argument placeholders\n    for ph, val in arg_map.items():\n        out = out.replace(ph, val)\n    # Replace PathToAtomicsFolder tokens with C:\\\\Atomic-Tests first (canonical), then ensure any path-like\n    # values referring to ExternalPayloads map to our safe_dir uploads as a fallback.\n    out = 
out.replace('PathToAtomicsFolder', 'C:\\\\Atomic-Tests')\n    return out\n\n\ndef _normalize_command_for_executor(command_text: str, executor_name: str) -> str:\n    \"\"\"PowerShell/cmd friendly inline script formatting. Joins multiline scripts safely.\"\"\"\n    if not command_text:\n        return command_text\n    # Collapse lines for inline -Command usage\n    lines = [ln.strip() for ln in re.split(r\"\\r?\\n\", command_text) if ln.strip()]\n    if executor_name == 'powershell':\n        return '; '.join(lines)\n    elif executor_name == 'cmd':\n        return ' & '.join(lines)\n    return command_text\n\n\ndef _exec_on_vm(client, command_text: str, executor_name: str):\n    \"\"\"Execute the given command on VM using specified executor (powershell/cmd) with timeout.\"\"\"\n    if executor_name == 'powershell':\n        full_command_to_run = f\"powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command \\\"{command_text}\\\"\"\n    elif executor_name == 'cmd':\n        full_command_to_run = f\"cmd /c \\\"{command_text}\\\"\"\n    else:\n        return (1, \"\", f\"Unsupported executor: {executor_name}\")\n\n    timeout = max(30, int(config.VM_COMMAND_TIMEOUT_SECONDS))\n\n    try:\n        # Set up a non-blocking read with timeout on the channel\n        transport = client.get_transport()\n        if transport is None:\n            return (1, \"\", \"SSH transport not available\")\n        chan = transport.open_session()\n        chan.settimeout(timeout)\n        chan.exec_command(full_command_to_run)\n\n        stdout_chunks = []\n        stderr_chunks = []\n        start_time = time.time()\n        while True:\n            if chan.recv_ready():\n                stdout_chunks.append(chan.recv(4096))\n            if chan.recv_stderr_ready():\n                stderr_chunks.append(chan.recv_stderr(4096))\n            if chan.exit_status_ready():\n                break\n            if time.time() - start_time > timeout:\n                try:\n          
          chan.close()\n                except Exception:\n                    pass\n                return (124, b''.join(stdout_chunks).decode('utf-8', errors='ignore'),\n                        f\"Command timed out after {timeout}s\")\n            time.sleep(0.1)\n\n        status_code = chan.recv_exit_status()\n        std_out_str = b''.join(stdout_chunks).decode('utf-8', errors='ignore')\n        std_err_str = b''.join(stderr_chunks).decode('utf-8', errors='ignore')\n        return (status_code, std_out_str, std_err_str)\n    except Exception as e:\n        logging.error(f\"    -> ERROR: Failed to execute SSH command. Exception: {e}\")\n        return (1, \"\", str(e))\n\n\ndef run_test_on_vm(atomic_test, test_technique_path):\n    \"\"\"\n    Handles the entire execution process for a single atomic test via SSH,\n    including dependency uploads and path rewriting.\n    \"\"\"\n    client = _create_ssh_client()\n    if not client:\n        return (1, \"\", \"Could not establish SSH connection.\")\n\n    safe_dir = config.VM_SAFE_DIR or \"C:\\\\Atomic-Tests\"\n    \n    # Ensure safe dir exists on remote\n    try:\n        stdin, stdout, stderr = client.exec_command(f'powershell -Command \"New-Item -Path \\\"{safe_dir}\\\" -ItemType Directory -Force | Out-Null\"')\n        stdout.channel.recv_exit_status()\n    except Exception as e:\n        logging.warning(f\"    -> Could not ensure remote safe dir exists: {e}\")\n\n    # Seed C:\\Atomic-Tests path as well (many atomics assume it)\n    try:\n        stdin, stdout, stderr = client.exec_command('powershell -Command \"New-Item -Path \\\"C:\\\\Atomic-Tests\\\" -ItemType Directory -Force | Out-Null\"')\n        stdout.channel.recv_exit_status()\n    except Exception as e:\n        logging.debug(f\"    -> Could not create C:\\\\Atomic-Tests: {e}\")\n\n    # --- 1. 
Handle Dependencies ---\n    # 1a) Resolve and stage locally (download URLs / ExternalPayloads)\n    local_cache = os.path.join(config.DEPENDENCIES_PATH, 'atomic-cache')\n    staged_files = dependency_handler.stage_atomic_dependencies_locally(atomic_test, test_technique_path, local_cache)\n    for lf in staged_files:\n        try:\n            remote_filename = os.path.basename(lf.replace('\\\\', '/'))\n            remote_path_safe = f\"{safe_dir.replace('\\\\','/')}/{remote_filename}\"\n            remote_path_atomic = f\"C:/Atomic-Tests/{remote_filename}\"\n            _upload_file_sftp(client, lf, remote_path_safe)\n            # also copy into C:\\Atomic-Tests for tests that reference that path\n            client.exec_command(f'powershell -Command \"Copy-Item -Force \\\"{remote_path_safe}\\\" -Destination \\\"{remote_path_atomic}\\\"\"')\n        except Exception as e:\n            logging.warning(f\"    -> Failed to upload staged file '{lf}': {e}\")\n    if 'dependencies' in atomic_test and atomic_test['dependencies']:\n        logging.debug(\"Handling dependencies (file copies)...\")\n        for dep in atomic_test['dependencies']:\n            if 'source' in dep and 'destination' in dep:\n                local_dep_path = os.path.join(test_technique_path, dep['source'])\n                remote_filename = os.path.basename(dep['destination'].replace('\\\\', '/'))\n                remote_dep_path = f\"{safe_dir.replace('\\\\', '/')}/{remote_filename}\"\n\n                if not os.path.exists(local_dep_path):\n                    logging.warning(f\"    -> Dependency file not found on host: {local_dep_path}. 
Skipping upload.\")\n                    continue\n                _upload_file_sftp(client, local_dep_path, remote_dep_path)\n\n    # Opportunistic: place any referenced ExternalPayloads (if copied by prepare_command replacements) into safe dir alias path\n    try:\n        # Create a symlink-like copy location so C:\\Atomic-Tests resolves to safe_dir content when we staged files there\n        # Simple approach: nothing to do here beyond creating C:\\Atomic-Tests; uploads above use safe_dir\n        pass\n    except Exception:\n        pass\n    \n    # --- 2. Run dependency prereq commands if defined ---\n    dep_executor = atomic_test.get('dependency_executor_name', 'powershell')\n    arg_map = _build_arg_value_map(atomic_test, safe_dir)\n    for dep in (atomic_test.get('dependencies') or []):\n        prereq_cmd = dep.get('prereq_command')\n        get_prereq_cmd = dep.get('get_prereq_command')\n        if not prereq_cmd:\n            continue\n\n        pre_cmd = _apply_rewrites_to_command(prereq_cmd, arg_map, safe_dir)\n        pre_cmd = _normalize_command_for_executor(pre_cmd, dep_executor)\n        logging.debug(\"    -> Checking dependency prereq on VM...\")\n        status, so, se = _exec_on_vm(client, pre_cmd, dep_executor)\n        if status == 0:\n            continue\n\n        if get_prereq_cmd:\n            fix_cmd = _apply_rewrites_to_command(get_prereq_cmd, arg_map, safe_dir)\n            fix_cmd = _normalize_command_for_executor(fix_cmd, dep_executor)\n            logging.debug(\"    -> Attempting to satisfy prereq on VM...\")\n            status_fix, so_fix, se_fix = _exec_on_vm(client, fix_cmd, dep_executor)\n            if status_fix != 0:\n                client.close()\n                return (1, so_fix, f\"Prereq remediation failed: {se_fix}\")\n\n            # Re-check prereq\n            status2, so2, se2 = _exec_on_vm(client, pre_cmd, dep_executor)\n            if status2 != 0:\n                client.close()\n                return (1, 
so2, f\"Prereq check still failing after remediation: {se2}\")\n        else:\n            client.close()\n            return (1, so, f\"Prereq failed and no get_prereq_command provided: {se}\")\n\n    # --- 3. Prepare Command ---\n    executor = atomic_test.get('executor', {})\n    raw_command = executor.get('command')\n    executor_name = executor.get('name')\n\n    if not raw_command or not executor_name:\n        client.close()\n        return (1, \"\", \"Command or executor name not found in atomic test definition.\")\n        \n    arg_map = _build_arg_value_map(atomic_test, safe_dir)\n    final_command = _apply_rewrites_to_command(raw_command, arg_map, safe_dir)\n    final_command = _normalize_command_for_executor(final_command, executor_name)\n\n    # --- 3. Execute Command with the correct executor ---\n    logging.debug(\"    -> Executing on VM via SSH (Executor: %s): %s\", executor_name, final_command)\n    status_code, std_out_str, std_err_str = _exec_on_vm(client, final_command, executor_name)\n    client.close()\n    return (status_code, std_out_str, std_err_str)"
  },
  {
    "path": "automation/main.py",
    "content": "import os\nimport sys\nimport argparse\nimport logging\nfrom datetime import datetime\n\n_project_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))\nif _project_root not in sys.path:\n    sys.path.insert(0, _project_root)\n\nfrom automation import config\nfrom automation import atomic_handler\nfrom automation import dynamic_generator\nfrom automation import report_handler\n\nCYAN = \"\\033[36m\"\nGREEN = \"\\033[32m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\n\ndef banner():\n    print()\n    print(f\"{CYAN}{BOLD}[*] Starting Detection Lab Pipeline...{RESET}\")\n    print(f\"{CYAN}    Rule-Based Verification (Sigma + ESCU -> SPL){RESET}\")\n    print(f\"{CYAN}    Output: {config.REPORT_JSON_PATH}{RESET}\")\n    print()\n\n\ndef setup_logging(verbose: bool = False):\n    run_ts = datetime.now().strftime(\"%Y%m%d_%H%M%S\")\n    log_path = os.path.join(config.PROJECT_ROOT, f\"automation_run_{run_ts}.log\")\n    fh = logging.FileHandler(log_path, mode=\"w\")\n    fh.setLevel(logging.DEBUG)\n    sh = logging.StreamHandler()\n    sh.setLevel(logging.DEBUG if verbose else logging.INFO)\n    logging.basicConfig(\n        level=logging.DEBUG,\n        format=\"%(asctime)s - %(levelname)s - %(message)s\",\n        datefmt=\"%H:%M:%S\",\n        handlers=[fh, sh],\n    )\n    for _logger in (\"splunklib\", \"urllib3\", \"paramiko\"):\n        logging.getLogger(_logger).setLevel(logging.WARNING)\n\n\ndef main():\n    parser = argparse.ArgumentParser(\n        description=\"AttackRuleMap Detection Lab — run atomic tests and verify with Sigma/ESCU rules.\",\n        formatter_class=argparse.RawDescriptionHelpFormatter,\n        epilog=\"\"\"\nExamples:\n  python -m automation.main --all\n  python -m automation.main --tid T1059.001\n  python -m automation.main --tid T1059.001 --tid T1087.001\n  python -m automation.main -v --tid T1059.001\n  python -m automation.main --mitre-only    # Only regenerate MITRE layers from attack_rule_map.json\n    
    \"\"\",\n    )\n    group = parser.add_mutually_exclusive_group(required=True)\n    group.add_argument(\n        \"--all\",\n        action=\"store_true\",\n        help=\"Run all techniques from config (ATTACK_LIST / ATTACK_TIDS).\",\n    )\n    group.add_argument(\n        \"--tid\",\n        dest=\"tids\",\n        action=\"append\",\n        metavar=\"TID\",\n        help=\"Run only the given technique ID (e.g. T1059.001). Can be repeated.\",\n    )\n    group.add_argument(\n        \"--mitre-only\",\n        action=\"store_true\",\n        help=\"Only regenerate MITRE layer files from attack_rule_map.json (no lab run).\",\n    )\n    parser.add_argument(\n        \"-v\",\n        \"--verbose\",\n        action=\"store_true\",\n        help=\"Enable DEBUG logging (SPL queries, operational details).\",\n    )\n    args = parser.parse_args()\n\n    setup_logging(verbose=args.verbose)\n    banner()\n\n    if args.mitre_only:\n        logging.info(\"%s[*] Mode: --mitre-only (regenerating layers from attack_rule_map.json)%s\", GREEN, RESET)\n        handler = report_handler.ReportHandler()\n        paths = handler.generate_mitre_layers()\n        print()\n        logging.info(\"%s[*] MITRE layer generation finished.%s\", CYAN + BOLD, RESET)\n        for p in paths:\n            logging.info(\"%s    %s%s\", GREEN, p, RESET)\n        if not paths:\n            logging.warning(\"No layers created. Ensure dist/attack_rule_map.json exists.\")\n        print()\n        return\n\n    if args.all:\n        from automation import repo_manager\n        mgr = repo_manager.RepoManager()\n        if not mgr.ensure_repos():\n            logging.error(\"Repo setup failed. Cannot discover techniques.\")\n            technique_ids = config.ATTACK_LIST\n        else:\n            technique_ids = atomic_handler.get_all_technique_ids()\n        if not technique_ids:\n            logging.warning(\"No techniques found in Atomic Red Team repo. 
Using ATTACK_TIDS from config.\")\n            technique_ids = config.ATTACK_LIST\n        logging.info(\"%s[*] Mode: --all (%s techniques)%s\", GREEN, len(technique_ids), RESET)\n    else:\n        technique_ids = [t.strip().upper() for t in args.tids if t]\n        logging.info(\"%s[*] Mode: --tid %s%s\", GREEN, \", \".join(technique_ids), RESET)\n\n    # Time-boxing: DynamicDetectionLab captures test_start_time before each atomic test,\n    # test_end_time after the 30s indexing buffer, and passes them to Splunk verification\n    # to prevent cross-contamination between sequential tests (no relative -2m/now).\n    lab = dynamic_generator.DynamicDetectionLab(technique_ids=technique_ids)\n    report = lab.run()\n\n    handler = report_handler.ReportHandler()\n    if report:\n        handler.print_coverage_stats(report)\n    handler.generate_mitre_layers()\n\n    print()\n    logging.info(\"%s[*] Detection Lab Pipeline finished.%s\", CYAN + BOLD, RESET)\n    logging.info(\"%s    Techniques run: %s%s\", GREEN, len(report), RESET)\n    out_path = config.REPORT_JSON_PATH\n    logging.info(\"%s    Report: %s%s\", GREEN, out_path, RESET)\n    print()\n\n\nif __name__ == \"__main__\":\n    main()\n"
  },
  {
    "path": "automation/repo_manager.py",
    "content": "import os\nimport sys\nimport subprocess\nimport logging\n\nfrom automation import config\n\nREPOS = [\n    (\"sigma\", \"https://github.com/SigmaHQ/sigma.git\"),\n    (\"security_content\", \"https://github.com/splunk/security_content.git\"),\n    (\"atomic-red-team\", \"https://github.com/redcanaryco/atomic-red-team.git\"),\n]\n\n\nclass RepoManager:\n    def __init__(self, base_path: str | None = None):\n        self.base_path = base_path or config.REPOS_BASE_PATH\n\n    def _run_git(self, cmd: list[str], cwd: str | None = None) -> tuple[bool, str]:\n        try:\n            r = subprocess.run(\n                cmd,\n                cwd=cwd or self.base_path,\n                capture_output=True,\n                text=True,\n                timeout=300,\n            )\n            out = (r.stdout or \"\").strip() + (r.stderr or \"\").strip()\n            return r.returncode == 0, out\n        except subprocess.TimeoutExpired:\n            return False, \"Timeout\"\n        except Exception as e:\n            return False, str(e)\n\n    def _clone(self, name: str, url: str) -> bool:\n        target = os.path.join(self.base_path, name)\n        logging.debug(\"[*] Cloning %s...\", name)\n        ok, out = self._run_git([\"git\", \"clone\", \"--depth\", \"1\", url, target], cwd=self.base_path)\n        if ok:\n            logging.debug(\"[*] Cloned %s into %s\", name, target)\n        else:\n            logging.warning(\"[*] Clone failed for %s: %s\", name, out)\n        return ok\n\n    def _pull(self, name: str) -> bool:\n        target = os.path.join(self.base_path, name)\n        logging.debug(\"[*] Updating %s...\", name)\n        ok, out = self._run_git([\"git\", \"pull\", \"--rebase\"], cwd=target)\n        if ok:\n            logging.debug(\"[*] Updated %s\", name)\n        else:\n            logging.warning(\"[*] Pull failed for %s (using existing): %s\", name, out)\n        return ok\n\n    def ensure_repos(self) -> bool:\n        
os.makedirs(self.base_path, exist_ok=True)\n        any_failed = False\n        for name, url in REPOS:\n            target = os.path.join(self.base_path, name)\n            if not os.path.isdir(target):\n                if not self._clone(name, url):\n                    any_failed = True\n                    if not os.path.isdir(target):\n                        logging.error(\"[*] Repo %s missing and clone failed. Cannot continue.\", name)\n                        return False\n            else:\n                self._pull(name)\n        return True\n"
  },
  {
    "path": "automation/report_handler.py",
    "content": "import json\nimport os\nimport logging\nimport csv\nfrom datetime import datetime\n\nfrom automation import config\n\n\nclass ReportHandler:\n    \"\"\"Handles report generation, ATT&CK Navigator layer, and coverage statistics.\"\"\"\n\n    def generate_cors_headers(self) -> None:\n        \"\"\"Write a _headers file in config.DIST_PATH to allow cross-origin requests from MITRE Navigator.\"\"\"\n        os.makedirs(config.DIST_PATH, exist_ok=True)\n        headers_path = os.path.join(config.DIST_PATH, \"_headers\")\n        content = (\n            \"/*\\n\"\n            \"  Access-Control-Allow-Origin: https://mitre-attack.github.io\\n\"\n            \"  Access-Control-Allow-Methods: GET, OPTIONS\\n\"\n            \"  Access-Control-Allow-Headers: *\\n\"\n        )\n        with open(headers_path, \"w\", encoding=\"utf-8\") as f:\n            f.write(content)\n        logging.info(\"CORS headers file created: %s\", headers_path)\n\n    def generate_mitre_layers(self) -> list[str]:\n        \"\"\"\n        Generate 3 MITRE ATT&CK Navigator layers from attack_rule_map.json:\n        - mitre_layer_sigma.json: Sigma rule coverage\n        - mitre_layer_splunk.json: Splunk/ESCU rule coverage\n        - mitre_layer_combined.json: Sigma OR Splunk detected\n\n        Uses the merged report on disk (attack_rule_map.json). In ultra-lite format,\n        presence of rules in sigma_rules/splunk_rules means they were detected.\n        Returns:\n            List of paths to the generated layer files.\n        \"\"\"\n        path = config.REPORT_JSON_PATH\n        if not os.path.isfile(path):\n            logging.warning(\"No attack_rule_map.json found. 
Skipping MITRE layer generation.\")\n            return []\n\n        try:\n            with open(path, \"r\", encoding=\"utf-8\") as f:\n                data = json.load(f)\n        except (json.JSONDecodeError, OSError) as e:\n            logging.warning(\"Could not load attack_rule_map.json: %s\", e)\n            return []\n\n        data = data if isinstance(data, list) else []\n        if not data:\n            logging.warning(\"attack_rule_map.json is empty. Skipping MITRE layer generation.\")\n            return []\n\n        os.makedirs(config.DIST_PATH, exist_ok=True)\n\n        # Aggregate stats per technique: total, sigma_detected, splunk_detected\n        technique_stats: dict[str, dict[str, int]] = {}\n        for entry in data:\n            tid = (entry.get(\"tech_id\") or entry.get(\"technique_id\") or \"\").strip().upper()\n            if not tid:\n                continue\n            if tid not in technique_stats:\n                technique_stats[tid] = {\"total\": 0, \"sigma\": 0, \"splunk\": 0}\n            technique_stats[tid][\"total\"] += 1\n\n            sigma_rules = entry.get(\"sigma_rules\", [])\n            splunk_rules = entry.get(\"escu_rules\", entry.get(\"splunk_rules\", []))\n            # Ultra-lite: rules in list = detected (no \"detected\" field)\n            has_sigma = bool(sigma_rules)\n            has_splunk = bool(splunk_rules)\n            if has_sigma:\n                technique_stats[tid][\"sigma\"] += 1\n            if has_splunk:\n                technique_stats[tid][\"splunk\"] += 1\n\n        def build_layer(name: str, description: str, detected_key: str) -> dict:\n            techniques = []\n            for tid, stats in sorted(technique_stats.items()):\n                total = stats[\"total\"]\n                detected = stats[detected_key]\n                score = int(round((detected / total * 100))) if total > 0 else 0\n                techniques.append({\n                    \"techniqueID\": tid,\n               
     \"score\": score,\n                    \"color\": \"\",\n                    \"comment\": f\"Tests: {total} | Detected: {detected} | Coverage: %{score}\",\n                    \"enabled\": True,\n                    \"metadata\": []\n                })\n            return {\n                \"name\": name,\n                \"versions\": {\"attack\": \"18\", \"navigator\": \"5.3.0\", \"layer\": \"4.5\"},\n                \"domain\": \"enterprise-attack\",\n                \"description\": description,\n                \"filters\": {\"platforms\": [\"Windows\"]},\n                \"sorting\": 3,\n                \"layout\": {\n                    \"layout\": \"side\",\n                    \"aggregateFunction\": \"average\",\n                    \"showID\": False,\n                    \"showName\": True,\n                    \"showAggregateScores\": False,\n                    \"countUnscored\": False\n                },\n                \"hideDisabled\": False,\n                \"techniques\": techniques,\n                \"gradient\": {\"colors\": [\"#ff6666\", \"#ffe766\", \"#8ec843\"], \"minValue\": 0, \"maxValue\": 100}\n            }\n\n        # Combined: sigma OR splunk counts as detected\n        for tid in technique_stats:\n            technique_stats[tid][\"combined\"] = 0\n        for entry in data:\n            tid = (entry.get(\"tech_id\") or entry.get(\"technique_id\") or \"\").strip().upper()\n            if not tid or tid not in technique_stats:\n                continue\n            has_sigma = bool(entry.get(\"sigma_rules\", []))\n            has_splunk = bool(entry.get(\"escu_rules\", entry.get(\"splunk_rules\", [])))\n            if has_sigma or has_splunk:\n                technique_stats[tid][\"combined\"] += 1\n\n        # Remove legacy single layer file if present\n        legacy_path = os.path.join(config.DIST_PATH, \"mitre_layer.json\")\n        if os.path.isfile(legacy_path):\n            try:\n                os.remove(legacy_path)\n  
              logging.info(\"Removed legacy mitre_layer.json\")\n            except OSError as e:\n                logging.warning(\"Could not remove legacy mitre_layer.json: %s\", e)\n\n        layers_config = [\n            (\"mitre_layer_sigma.json\", \"ARM - Sigma Detection Coverage\", \"Sigma rule coverage\", \"sigma\"),\n            (\"mitre_layer_splunk.json\", \"ARM - Splunk Detection Coverage\", \"Splunk/ESCU rule coverage\", \"splunk\"),\n            (\"mitre_layer_combined.json\", \"ARM - Sigma + Splunk Detection Coverage\", \"Sigma OR Splunk coverage\", \"combined\"),\n        ]\n\n        output_paths = []\n        for filename, layer_name, description, key in layers_config:\n            layer = build_layer(layer_name, description, key)\n            output_file = os.path.join(config.DIST_PATH, filename)\n            with open(output_file, \"w\", encoding=\"utf-8\") as f:\n                json.dump(layer, f, indent=4)\n            logging.info(\"MITRE Layer created: %s (%s techniques)\", output_file, len(layer[\"techniques\"]))\n            output_paths.append(output_file)\n\n        self.generate_cors_headers()\n        return output_paths\n\n    def _log_rule_details(self, entry: dict, rule_list: list, rule_type: str) -> None:\n        \"\"\"Log full rule details (event_count, SPL) before filtering. 
DEBUG level = file only, not terminal.\"\"\"\n        tid = entry.get(\"tech_id\", \"\")\n        test_num = entry.get(\"test_number\", \"\")\n        atomic_name = entry.get(\"atomic_attack_name\", \"\")\n        for r in rule_list:\n            name = r.get(\"rule_name\", \"\")\n            detected = r.get(\"detected\", False)\n            event_count = r.get(\"log_count\", r.get(\"event_count\", 0))\n            spl = r.get(\"generated_spl\") or r.get(\"original_spl\") or r.get(\"sanitized_spl\") or \"\"\n            logging.debug(\n                \"[RULE_DETAIL] tech_id=%s test=%s atomic=%s type=%s rule=%s detected=%s event_count=%s spl=%s\",\n                tid, test_num, atomic_name, rule_type, name, detected, event_count,\n                spl[:200] + \"...\" if len(spl) > 200 else spl,\n            )\n\n    def _build_ultra_lite(self, merged: list) -> list:\n        \"\"\"\n        Build Ultra-Lite JSON: filter detected-only rules, strip to rule_name+rule_link.\n        Does NOT modify the original merged list.\n        \"\"\"\n        lite = []\n        for entry in merged:\n            e = dict(entry)\n            # Filter sigma_rules: keep only detected=True (or legacy entries without detected field)\n            sigma = e.get(\"sigma_rules\", [])\n            sigma_lite = [\n                {\"rule_name\": r.get(\"rule_name\", \"\"), \"rule_link\": r.get(\"rule_link\", \"\")}\n                for r in sigma\n                if r.get(\"detected\", True)  # Legacy: no 'detected' -> include\n            ]\n            e[\"sigma_rules\"] = sigma_lite\n\n            # escu_rules and splunk_rules: normalize to splunk_rules for dashboard\n            escu = e.get(\"escu_rules\", e.get(\"splunk_rules\", []))\n            escu_lite = [\n                {\"rule_name\": r.get(\"rule_name\", \"\"), \"rule_link\": r.get(\"rule_link\", \"\")}\n                for r in escu\n                if r.get(\"detected\", True)  # Legacy: no 'detected' -> include\n           
 ]\n            e[\"splunk_rules\"] = escu_lite\n            if \"escu_rules\" in e:\n                del e[\"escu_rules\"]\n            if not sigma_lite and not escu_lite:\n                continue\n            lite.append(e)\n        return lite\n\n    def _merge_rule_lists(self, existing_rules: list, new_rules: list) -> list:\n        \"\"\"\n        Merge two rule lists by rule_name. No duplicate rule names.\n        Order: existing first, then new rules whose rule_name is not already present.\n        \"\"\"\n        seen_names = {r.get(\"rule_name\") for r in existing_rules if r.get(\"rule_name\")}\n        out = list(existing_rules)\n        for r in new_rules:\n            name = r.get(\"rule_name\")\n            if name and name not in seen_names:\n                seen_names.add(name)\n                out.append(r)\n        return out\n\n    def save_report_json(self, new_results: list) -> str:\n        \"\"\"\n        Deep Merge by attack GUID: Save report preserving existing data and extending\n        rule lists when the same atomic test (same GUID) exists in both existing and new.\n        - If attack_rule_map.json exists: merge by atomic_attack_guid.\n        - If GUID exists: do NOT overwrite; merge sigma_rules and splunk_rules (no duplicate rule names).\n        - If GUID does not exist: append new entry as is.\n        - Normalizes technique_id -> tech_id so output schema matches attack_rule_map.json.\n        - Produces Ultra-Lite JSON: detected-only rules, rule_name+rule_link, minified.\n        - Full details (event_count, SPL) are logged before filtering.\n        \"\"\"\n        path = config.REPORT_JSON_PATH\n        os.makedirs(os.path.dirname(path), exist_ok=True)\n\n        def _normalize_entry(e: dict) -> dict:\n            \"\"\"Map technique_id -> tech_id for schema consistency; remove technique_id.\"\"\"\n            entry = dict(e)\n            tid = entry.get(\"tech_id\") or entry.get(\"technique_id\")\n            if tid:\n                entry[\"tech_id\"] = str(tid).upper() if isinstance(tid, str) else tid\n            if \"technique_id\" in entry:\n                del entry[\"technique_id\"]\n            return entry\n\n        normalized = [_normalize_entry(e) for e in new_results]\n        new_by_guid: dict = {}\n        for e in normalized:\n            guid = (e.get(\"atomic_attack_guid\") or \"\").strip()\n            if not guid:\n                continue\n            if guid not in new_by_guid:\n                new_by_guid[guid] = dict(e)\n                new_by_guid[guid][\"sigma_rules\"] = list(e.get(\"sigma_rules\", []))\n                new_by_guid[guid][\"splunk_rules\"] = list(\n                    e.get(\"escu_rules\") or e.get(\"splunk_rules\", [])\n                )\n                if \"escu_rules\" in new_by_guid[guid]:\n                    del new_by_guid[guid][\"escu_rules\"]\n            else:\n                new_by_guid[guid][\"sigma_rules\"] = self._merge_rule_lists(\n                    new_by_guid[guid][\"sigma_rules\"], e.get(\"sigma_rules\", [])\n                )\n                new_by_guid[guid][\"splunk_rules\"] = self._merge_rule_lists(\n                    new_by_guid[guid][\"splunk_rules\"],\n                    e.get(\"escu_rules\") or e.get(\"splunk_rules\", []),\n                )\n\n        existing: list = []\n        if os.path.isfile(path):\n            try:\n                with open(path, \"r\", encoding=\"utf-8\") as f:\n                    data = json.load(f)\n                    existing = data if isinstance(data, list) else []\n            except (json.JSONDecodeError, OSError) as e:\n                logging.warning(\"Could not load existing report, starting fresh: %s\", e)\n                existing = []\n\n        merged: list = []\n        for e in existing:\n            guid = (e.get(\"atomic_attack_guid\") or \"\").strip()\n            if guid and guid in new_by_guid:\n                new_entry = new_by_guid.pop(guid)\n                merged_entry = dict(e)\n                merged_entry[\"sigma_rules\"] = self._merge_rule_lists(\n                    e.get(\"sigma_rules\", []), new_entry.get(\"sigma_rules\", [])\n                )\n                merged_entry[\"splunk_rules\"] = self._merge_rule_lists(\n                    e.get(\"splunk_rules\", []), new_entry.get(\"splunk_rules\", [])\n                )\n                if \"escu_rules\" in merged_entry:\n                    del merged_entry[\"escu_rules\"]\n                merged.append(merged_entry)\n            else:\n                merged.append(e)\n\n        for e in new_by_guid.values():\n            merged.append(e)\n\n        # Log full details BEFORE filtering (log file is source of truth)\n        for entry in merged:\n            for rule_type, key in [(\"sigma\", \"sigma_rules\"), (\"escu\", \"escu_rules\"), (\"splunk\", \"splunk_rules\")]:\n                rules = entry.get(key, [])\n                if rules:\n                    self._log_rule_details(entry, rules, rule_type)\n\n        # Build Ultra-Lite version (filter detected, strip to rule_name+rule_link)\n        lite = self._build_ultra_lite(merged)\n\n        # Save minified Ultra-Lite JSON\n        with open(path, \"w\", encoding=\"utf-8\") as f:\n            json.dump(lite, f, separators=(\",\", \":\"), ensure_ascii=False)\n        logging.info(\"Report saved (smart merge, ultra-lite): %s\", path)\n\n        # Write metadata.json in same directory (dist/) for dashboard \"Last Updated\"\n        timestamp = datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")\n        metadata = {\"last_updated\": timestamp}\n        metadata_path = os.path.join(os.path.dirname(path), \"metadata.json\")\n        with open(metadata_path, \"w\", encoding=\"utf-8\") as f:\n            json.dump(metadata, f, indent=2)\n        logging.info(\"Metadata saved: %s\", metadata_path)\n\n        return path\n\n    def print_coverage_stats(self, data: list) -> None:\n        \"\"\"\n        Calculate and print coverage statistics to the console using logging.\n        Args:\n            data: List of report entries (tech_id, sigma_rules, escu_rules, etc.)\n        \"\"\"\n        if not data:\n            logging.warning(\"No report data to compute coverage stats.\")\n            return\n\n        total_tests = len(data)\n        detected_tests = sum(\n            1 for t in data\n            if any(r.get(\"detected\") for r in t.get(\"sigma_rules\", []))\n        )\n        coverage_pct = int(round((detected_tests / total_tests * 100))) if total_tests > 0 else 0\n\n        logging.info(\"Total Atomic Tests: %s\", total_tests)\n        logging.info(\"Tests Detected: %s\", detected_tests)\n        logging.info(\"Coverage Rate: %s%%\", coverage_pct)\n\n\ndef generate_json_output(new_results, output_path):\n    \"\"\"\n    Reads an existing map file, intelligently updates or appends new results,\n    and handles NOT_DETECTED statuses for existing entries.\n    \"\"\"\n    logging.info(\"Generating final JSON report with advanced 'update/append/audit' strategy...\")\n    \n    today_str = datetime.now().strftime(\"%Y-%m-%d\")\n    existing_map = {}\n    if os.path.exists(output_path):\n        try:\n            with open(output_path, 'r', encoding='utf-8') as f:\n                existing_map = json.load(f)\n        except json.JSONDecodeError:\n            logging.warning(f\"Could not decode existing JSON file at {output_path}.\")\n    \n    # --- Process new results ---\n    for res in new_results:\n        technique = res['attack_technique'].upper()\n        if technique not in existing_map:\n            existing_map[technique] = []\n            \n        # Define the unique identifiers for a mapping\n        rule_title = res['sigma_rule_title']\n        test_name = res['atomic_test_name']\n        \n        # --- Find if an entry already exists ---\n        entry_index_to_update = -1\n        for i, existing_rule in enumerate(existing_map[technique]):\n            is_match = (existing_rule.get('sigma_rule') == rule_title or existing_rule.get('splunk_rule') == rule_title) and \\\n                       existing_rule.get('atomic_test_name') == test_name\n            if is_match:\n                entry_index_to_update = i\n                break\n\n        # --- Update, Append or Audit Logic ---\n        if res['result'] == 'DETECTED':\n            new_entry = {\n                \"atomic_test_name\": test_name,\n                \"atomic_attack_guid\": res.get('atomic_test_guid', 'N/A'),\n                \"platform\": res.get('platform', 'N/A'),\n                \"sigma_rule\": rule_title if \"ESCU\" not in rule_title else \"\",\n                \"splunk_rule\": rule_title if \"ESCU\" in rule_title else \"\",\n                \"rule_link\": res.get('sigma_rule_link', '#'),\n                \"last_validated_date\": today_str # Add validation date\n            }\n            if entry_index_to_update != -1:\n                # UPDATE existing entry\n                existing_map[technique][entry_index_to_update] = new_entry\n            else:\n                # APPEND new entry\n                existing_map[technique].append(new_entry)\n        \n        elif res['result'] == 'NOT_DETECTED':\n            if entry_index_to_update != -1:\n                # AUDIT: Mark the existing entry as not detected in this run\n                logging.info(f\"Auditing existing entry: '{rule_title}' for test '{test_name}' is now NOT DETECTED.\")\n                existing_map[technique][entry_index_to_update]['last_test_status'] = 'NOT_DETECTED'\n                existing_map[technique][entry_index_to_update]['last_tested_date'] = today_str\n\n    # --- Write the combined map back to the file ---\n    try:\n        with open(output_path, 'w', encoding='utf-8') as f:\n            json.dump(existing_map, f, indent=4)\n        logging.info(f\"Successfully created final combined report: {output_path}\")\n    except Exception as e:\n        logging.error(f\"Failed to write JSON report. Error: {e}\")\n\ndef generate_csv_summary(results, output_path):\n    logging.info(f\"Generating detailed CSV summary report to: {output_path}\")\n    header = ['sigma_rule_title', 'attack_technique', 'atomic_test_name', 'result', 'details']\n    try:\n        with open(output_path, 'w', newline='', encoding='utf-8') as csvfile:\n            writer = csv.DictWriter(csvfile, fieldnames=header)\n            writer.writeheader()\n            for res in results:\n                csv_row = {\n                    'sigma_rule_title': res.get('sigma_rule_title', 'N/A'),\n                    'attack_technique': res.get('attack_technique', 'N/A'),\n                    'atomic_test_name': res.get('atomic_test_name', 'N/A'),\n                    'result': res.get('result', 'UNKNOWN'),\n                    'details': res.get('details', ''),\n                }\n                writer.writerow(csv_row)\n        logging.info(\"Successfully created CSV summary report.\")\n    except Exception as e:\n        logging.error(f\"Failed to write CSV summary report. Error: {e}\")"
  },
  {
    "path": "automation/sigma_handler.py",
    "content": "import os\nimport glob\nimport re\nimport logging\nfrom automation import utils\n\nSIGMA_BASE_URL = \"https://github.com/SigmaHQ/sigma/blob/main/rules/\"\n\ndef parse_sigma_rule(file_path, rules_base_path):\n    \"\"\"\n    Reads a single Sigma rule file and extracts key information.\n    \"\"\"\n    rule_content = utils.load_yaml_file(file_path)\n    if not rule_content:\n        return None\n\n    if not isinstance(rule_content, dict) or not all(k in rule_content for k in ['title', 'detection', 'logsource']):\n        return None\n\n    attack_tags = []\n    if 'tags' in rule_content:\n        for tag in rule_content['tags']:\n            match = re.search(r'attack\\.t\\d+(\\.\\d+)?', tag, flags=re.IGNORECASE)\n            if match:\n                technique_id = match.group(0).replace('attack.', '')\n                attack_tags.append(technique_id)\n    \n    if not attack_tags:\n        return None\n\n    relative_path = os.path.relpath(file_path, start=rules_base_path).replace('\\\\', '/')\n    rule_link = SIGMA_BASE_URL + relative_path\n    \n    platform = rule_content.get('logsource', {}).get('product', 'N/A')\n\n    return {\n        'filepath': file_path,\n        'title': rule_content.get('title'),\n        'status': rule_content.get('status', 'unknown'),\n        'platform': platform,\n        'link': rule_link,\n        'attack_tags': list(set(attack_tags))\n    }\n\ndef load_and_parse_rules(path):\n    \"\"\"\n    Scans all Sigma rule files and returns a list of parsed rules.\n    \"\"\"\n    logging.info(f\"Scanning for Sigma rules in: {path}\")\n    rule_files = glob.glob(os.path.join(path, '**', '*.yml'), recursive=True)\n    logging.info(f\"    -> Found {len(rule_files)} YAML detection files.\")\n    \n    loaded_rules = [parse_sigma_rule(fp, path) for fp in rule_files]\n    loaded_rules = [r for r in loaded_rules if r is not None] # Filter out None values\n    \n    logging.info(f\"    -> Successfully loaded and parsed {len(loaded_rules)} valid rules with ATT&CK tags.\")\n    return loaded_rules"
  },
  {
    "path": "automation/splunk_handler.py",
    "content": "import os\nimport time\nimport logging\nfrom datetime import datetime, timezone\nimport splunklib.client as client\nfrom automation import config\nfrom sigma.collection import SigmaCollection\nfrom sigma.backends.splunk import SplunkBackend\nfrom sigma.exceptions import SigmaError\n\ndef connect_to_splunk():\n    \"\"\"\n    Establishes and returns a connection object to the Splunk service.\n    \"\"\"\n    try:\n        connect_kwargs = {\n            \"host\": config.SPLUNK_HOST,\n            \"port\": config.SPLUNK_PORT,\n            \"scheme\": config.SPLUNK_SCHEME,\n            \"verify\": config.SPLUNK_VERIFY_CERT,\n        }\n\n        token = config.SPLUNK_TOKEN\n        if token:\n            # For Splunk Cloud or token-based auth\n            connect_kwargs[\"token\"] = f\"Splunk {token}\"\n            if (config.SPLUNK_USERNAME or config.SPLUNK_PASSWORD):\n                logging.debug(\"Both token and username/password configured; using token authentication and ignoring username/password.\")\n        else:\n            connect_kwargs[\"username\"] = config.SPLUNK_USERNAME\n            connect_kwargs[\"password\"] = config.SPLUNK_PASSWORD\n\n        service = client.connect(**connect_kwargs)\n        if not (config.SPLUNK_SEARCH_INDEX or \"\").strip():\n            logging.debug(\"SPLUNK_SEARCH_INDEX is empty. Searches will not be scoped to an index; consider setting it in .env for better performance/precision.\")\n        logging.debug(\n            \"Connected to Splunk at %s://%s:%s (verify_cert=%s)\",\n            connect_kwargs['scheme'], config.SPLUNK_HOST, connect_kwargs['port'], str(connect_kwargs.get('verify'))\n        )\n        return service\n    except Exception as e:\n        logging.error(f\"Failed to connect to Splunk at {config.SPLUNK_HOST}:{config.SPLUNK_PORT}. Details: {e}\")\n        return None\n\ndef convert_sigma_to_spl(sigma_filepath: str) -> str | None:\n    \"\"\"\n    Converts a single Sigma rule file to a Splunk SPL query using the pySigma library.\n\n    Returns the first SPL string if conversion succeeds, otherwise None.\n    Handles both list and string return types from pySigma backends for compatibility.\n    \"\"\"\n    logging.debug(\"    -> Converting Sigma rule using pySigma: %s\", os.path.basename(sigma_filepath))\n    try:\n        with open(sigma_filepath, \"r\", encoding=\"utf-8\") as f:\n            rule_text = f.read()\n        \n        rules = SigmaCollection.from_yaml(rule_text)\n        backend = SplunkBackend()\n        result = backend.convert(rules)\n\n        # pySigma may return a list/tuple or a single string depending on version\n        if isinstance(result, (list, tuple)):\n            if result and isinstance(result[0], str) and result[0].strip():\n                return result[0]\n        elif isinstance(result, str):\n            if result.strip():\n                return result\n        logging.warning(\"    -> pySigma conversion resulted in an empty query.\")\n        return None\n    except (SigmaError, Exception) as e:\n        logging.error(f\"    -> pySigma conversion failed for {os.path.basename(sigma_filepath)}. Error: {e}\")\n        return None\n\ndef _iso_to_epoch_seconds(iso_str: str) -> int:\n    \"\"\"Converts ISO 8601 string to epoch seconds (UTC).\"\"\"\n    try:\n        # Handle potential trailing 'Z'\n        if iso_str.endswith('Z'):\n            iso_str = iso_str.replace('Z', '+00:00')\n        dt = datetime.fromisoformat(iso_str)\n        if dt.tzinfo is None:\n            dt = dt.replace(tzinfo=timezone.utc)\n        return int(dt.timestamp())\n    except Exception:\n        # Fallback: try parsing as integer epoch already\n        try:\n            return int(float(iso_str))\n        except Exception:\n            # Last resort is 'now'; log it, because a silently wrong time window\n            # skews the detected/not-detected result for the test.\n            logging.warning(\"Could not parse time '%s'; falling back to current time\", iso_str)\n            return int(time.time())\n\ndef _with_index_prefix(query: str) -> str:\n    \"\"\"Attach index scoping for classic searches but do not break tstats/datamodel pipelines.\n\n    Rules:\n    - If query starts with a pipe '|' or startswith 'tstats', return as-is (SDK earliest/latest still applied).\n    - If query already starts with 'search', inject index token right after 'search' when configured.\n    - Otherwise, prepend 'search [index=...]' + query.\n    \"\"\"\n    q = (query or '').lstrip()\n    idx = (config.SPLUNK_SEARCH_INDEX or '').strip()\n    if not q:\n        return 'search'\n    # Don't alter tstats/datamodel or pre-piped queries\n    if q.startswith('|') or q.lower().startswith('tstats'):\n        return q\n    # If already a search command\n    if q.lower().startswith('search '):\n        if idx:\n            # insert index token after 'search'\n            return 'search index=\"{}\" {}'.format(idx, q[len('search '):])\n        return q\n    # Default: prefix with search (and index if set)\n    if idx:\n        return f'search index=\"{idx}\" {q}'\n    return f'search {q}'\n\ndef check_for_detection(service, search_query: str, earliest_time: str, latest_time: str) -> bool:\n    \"\"\"\n    Searches Splunk for events matching a specific SPL query within a specific time window.\n    \"\"\"\n    if not search_query:\n        logging.warning(\"    -> SPL query is empty. Skipping detection check.\")\n        return False\n        \n    padded_earliest = _iso_to_epoch_seconds(earliest_time) - config.SPLUNK_TIME_PAD_SECONDS\n    padded_latest = _iso_to_epoch_seconds(latest_time) + config.SPLUNK_TIME_PAD_SECONDS\n\n    # Build final query with optional index scoping\n    full_query = _with_index_prefix(search_query)\n    logging.debug(\"    -> Querying Splunk: %s earliest=%s latest=%s\", full_query, padded_earliest, padded_latest)\n\n    try:\n        kwargs = {\n            \"exec_mode\": \"blocking\",\n            \"earliest_time\": str(padded_earliest),\n            \"latest_time\": str(padded_latest),\n        }\n        job = service.jobs.create(full_query, **kwargs)\n        # Ensure job content is populated\n        try:\n            job.refresh()\n        except Exception:\n            pass\n        result_count = int((job.content or {}).get(\"resultCount\", 0))\n        logging.debug(\n            \"    -> Found %s result(s) in Splunk. sid=%s\",\n            result_count, getattr(job, 'sid', None)\n        )\n        return result_count > 0\n    except Exception as e:\n        logging.error(\n            \"    -> An error occurred while searching Splunk. query='%s' earliest=%s latest=%s error=%s\",\n            full_query, padded_earliest, padded_latest, e\n        )\n        return False\n\ndef sanity_check_ingestion(service, host: str, earliest_time: str, latest_time: str) -> bool:\n    \"\"\"Quick check to see if any events from the VM host are reaching Splunk in the time window.\"\"\"\n    if not host:\n        return True  # Can't check; don't block\n    padded_earliest = _iso_to_epoch_seconds(earliest_time) - config.SPLUNK_TIME_PAD_SECONDS\n    padded_latest = _iso_to_epoch_seconds(latest_time) + config.SPLUNK_TIME_PAD_SECONDS\n    base = f'host=\"{host}\"'\n    full_query = _with_index_prefix(base)\n    logging.debug(\"Running ingestion sanity check: %s earliest=%s latest=%s\", full_query, padded_earliest, padded_latest)\n    try:\n        job = service.jobs.create(full_query, exec_mode=\"blocking\", earliest_time=str(padded_earliest), latest_time=str(padded_latest))\n        try:\n            job.refresh()\n        except Exception:\n            pass\n        cnt = int((job.content or {}).get(\"resultCount\", 0))\n        logging.debug(\"Ingestion sanity check events from host='%s': %s (sid=%s)\", host, cnt, getattr(job, 'sid', None))\n        return cnt > 0\n    except Exception as e:\n        logging.warning(\n            \"Sanity check failed for query='%s' earliest=%s latest=%s: %s\",\n            full_query, padded_earliest, padded_latest, e\n        )\n        return True  # don't block verification on check failure"
  },
  {
    "path": "automation/utils.py",
    "content": "import yaml\nimport logging\n\ndef load_yaml_file(filepath):\n    \"\"\"\n    Safely loads a YAML file and returns its content.\n    Returns None if the file cannot be read or parsed.\n    \"\"\"\n    try:\n        with open(filepath, 'r', encoding='utf-8') as f:\n            return yaml.safe_load(f)\n    except Exception as e:\n        logging.warning(f\"Could not read or parse YAML file: {filepath}. Error: {e}\")\n        return None"
  },
  {
    "path": "automation/vm_handler.py",
    "content": "\"\"\"\nVM lifecycle management via Proxmox over SSH.\nUses paramiko to connect to Proxmox host and run qm commands.\n\"\"\"\nimport logging\nimport shlex\nimport time\nimport re\nimport paramiko\nfrom automation import config\n\n\ndef _get_proxmox_ssh_client():\n    \"\"\"\n    Create and connect SSH client to Proxmox host.\n    Returns client on success, None on failure.\n    \"\"\"\n    host = config.PROXMOX_HOST\n    user = config.PROXMOX_USER\n    password = config.PROXMOX_PASSWORD\n    key_path = config.PROXMOX_KEY_PATH\n    port = config.PROXMOX_PORT\n\n    if not host or not user:\n        logging.error(\"PROXMOX_HOST and PROXMOX_USER must be set in .env\")\n        return None\n\n    try:\n        client = paramiko.SSHClient()\n        # AutoAddPolicy accepts whatever host key the server presents on first contact;\n        # for a fixed lab host, load_system_host_keys() with RejectPolicy is the stricter choice.\n        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n        if key_path:\n            client.connect(\n                hostname=host,\n                port=port,\n                username=user,\n                key_filename=key_path,\n                timeout=30,\n            )\n        else:\n            if not password:\n                logging.error(\"PROXMOX_PASSWORD or PROXMOX_KEY_PATH must be set in .env\")\n                return None\n            client.connect(\n                hostname=host,\n                port=port,\n                username=user,\n                password=password,\n                timeout=30,\n            )\n        return client\n    except paramiko.AuthenticationException as e:\n        logging.error(f\"Proxmox SSH authentication failed: {e}\")\n        return None\n    except paramiko.SSHException as e:\n        logging.error(f\"Proxmox SSH connection error: {e}\")\n        return None\n    except Exception as e:\n        logging.error(f\"Unexpected error connecting to Proxmox: {e}\")\n        return None\n\n\ndef _run_proxmox_command(args, check=True):\n    \"\"\"\n    Run a qm command on Proxmox host via SSH.\n    args: list of command parts, e.g. [\"rollback\", \"100\", \"Lab-Ready-v1\"]\n    Returns (success: bool, stdout: str, stderr: str)\n    \"\"\"\n    vm_id = config.TARGET_VM_ID\n    if not vm_id:\n        logging.error(\"TARGET_VM_ID must be set in .env\")\n        return (False, \"\", \"TARGET_VM_ID not configured\")\n\n    full_args = [\"qm\"] + args\n    # Quote each argument so a snapshot name or ID containing spaces or shell\n    # metacharacters cannot break or alter the remote command line.\n    cmd = \" \".join(shlex.quote(str(a)) for a in full_args)\n    logging.debug(\"Executing Proxmox command: %s\", cmd)\n\n    client = _get_proxmox_ssh_client()\n    if not client:\n        return (False, \"\", \"Could not connect to Proxmox\")\n\n    try:\n        stdin, stdout, stderr = client.exec_command(cmd, timeout=120)\n        exit_status = stdout.channel.recv_exit_status()\n        out = stdout.read().decode(\"utf-8\", errors=\"ignore\")\n        err = stderr.read().decode(\"utf-8\", errors=\"ignore\")\n        client.close()\n\n        if check and exit_status != 0:\n            logging.error(f\"Proxmox command failed (exit {exit_status}). stderr: {err}\")\n            return (False, out, err)\n        return (exit_status == 0, out, err)\n    except Exception as e:\n        try:\n            client.close()\n        except Exception:\n            pass\n        logging.error(f\"Error running Proxmox command: {e}\")\n        return (False, \"\", str(e))\n\n\ndef get_vm_state():\n    \"\"\"Gets the current state of the VM on Proxmox (running/stopped).\"\"\"\n    success, stdout, _ = _run_proxmox_command([\"status\", config.TARGET_VM_ID], check=False)\n    if not success or not stdout:\n        return \"unknown\"\n    # qm status returns e.g. \"status: running\" or \"status: stopped\"\n    match = re.search(r\"status:\\s*(\\w+)\", stdout, re.IGNORECASE)\n    if match:\n        return match.group(1).lower()\n    return \"unknown\"\n\n\ndef ensure_vm_is_off(timeout_seconds=60):\n    \"\"\"\n    Ensures the VM is in a stopped state.\n    Returns True if the machine is or becomes stopped, False otherwise.\n    \"\"\"\n    logging.debug(\"Ensuring VM is powered off...\")\n    start_time = time.time()\n\n    while time.time() - start_time < timeout_seconds:\n        state = get_vm_state()\n        logging.debug(\"Current VM state: %s\", state)\n\n        if state == \"stopped\":\n            logging.debug(\"VM is already stopped.\")\n            return True\n        elif state == \"running\":\n            logging.debug(\"VM is running. Sending stop command...\")\n            success, _, err = _run_proxmox_command([\"stop\", config.TARGET_VM_ID])\n            if not success:\n                logging.warning(f\"Stop command may have failed: {err}\")\n        else:\n            logging.warning(f\"VM is in state '{state}'. Waiting...\")\n\n        time.sleep(5)\n\n    logging.error(\"Failed to get VM into stopped state within the timeout.\")\n    return False\n\n\ndef revert_to_snapshot():\n    \"\"\"Reverts the VM to the specified clean snapshot (qm rollback).\"\"\"\n    snapshot = config.TARGET_SNAPSHOT\n    vm_id = config.TARGET_VM_ID\n    if not snapshot or not vm_id:\n        logging.error(\"TARGET_SNAPSHOT and TARGET_VM_ID must be set in .env\")\n        return False\n\n    logging.debug(\"Reverting VM %s to snapshot '%s'...\", vm_id, snapshot)\n\n    if not ensure_vm_is_off():\n        logging.error(\"Cannot restore snapshot because VM could not be stopped.\")\n        return False\n\n    success, _, err = _run_proxmox_command([\"rollback\", vm_id, snapshot])\n    if not success:\n        logging.error(f\"Snapshot rollback failed: {err}\")\n        return False\n\n    logging.debug(\"Verifying state after snapshot rollback...\")\n    return ensure_vm_is_off()\n\n\ndef start_vm():\n    \"\"\"Starts the VM on Proxmox.\"\"\"\n    vm_id = config.TARGET_VM_ID\n    if not vm_id:\n        logging.error(\"TARGET_VM_ID must be set in .env\")\n        return False\n\n    logging.debug(\"Starting VM %s...\", vm_id)\n    success, _, err = _run_proxmox_command([\"start\", vm_id])\n    if not success:\n        logging.error(f\"Failed to start VM: {err}\")\n    return success\n\n\ndef stop_vm():\n    \"\"\"Stops the VM after test case.\"\"\"\n    logging.debug(\"Stopping VM after test case...\")\n    return ensure_vm_is_off()\n\n\ndef is_vm_ready(timeout_seconds=300):\n    \"\"\"\n    Checks if the VM (Windows guest) is booted and SSH port is responding.\n    Uses VM_HOST, VM_USERNAME, VM_PASSWORD from config (target guest, not Proxmox).\n    \"\"\"\n    logging.debug(\"Waiting for VM to become ready for SSH connections...\")\n\n    start_time = time.time()\n    while time.time() - start_time < timeout_seconds:\n        try:\n            client = paramiko.SSHClient()\n            # Same host-key caveat as in _get_proxmox_ssh_client: unknown keys are accepted.\n            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n            client.connect(\n                hostname=config.VM_HOST,\n                port=22,\n                username=config.VM_USERNAME,\n                password=config.VM_PASSWORD,\n                timeout=10,\n            )\n            client.close()\n            logging.debug(\"VM is ready and responding to SSH.\")\n            return True\n        except Exception:\n            logging.debug(\"VM not ready yet, retrying in 15 seconds...\")\n            time.sleep(15)\n\n    logging.error(f\"VM did not become ready within the {timeout_seconds} second timeout.\")\n    return False"
  },
  {
    "path": "dist/_headers",
    "content": "/*\n  Access-Control-Allow-Origin: https://mitre-attack.github.io\n  Access-Control-Allow-Methods: GET, OPTIONS\n  Access-Control-Allow-Headers: *\n"
  },
  {
    "path": "dist/assets/images/favicon/site.webmanifest",
    "content": "{\n  \"name\": \"AttackRuleMap\",\n  \"short_name\": \"ARM\",\n  \"icons\": [\n    {\n      \"src\": \"/assets/images/favicon/web-app-manifest-192x192.png\",\n      \"sizes\": \"192x192\",\n      \"type\": \"image/png\",\n      \"purpose\": \"maskable\"\n    },\n    {\n      \"src\": \"/assets/images/favicon/web-app-manifest-512x512.png\",\n      \"sizes\": \"512x512\",\n      \"type\": \"image/png\",\n      \"purpose\": \"maskable\"\n    }\n  ],\n  \"theme_color\": \"#ffffff\",\n  \"background_color\": \"#ffffff\",\n  \"display\": \"standalone\"\n}"
  },
  {
    "path": "dist/attack_rule_map.json",
    "content": "[{\"tech_id\":\"T1046\",\"atomic_attack_guid\":\"68e907da-2539-48f6-9fc9-257a78c05540\",\"atomic_attack_name\":\"Port Scan\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Network Service Scanning\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"9d04efee-eff5-4240-b8d2-07792b873608\",\"atomic_attack_name\":\"Packet Capture macOS using tcpdump or tshark\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Network Sniffing - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.005\",\"atomic_attack_guid\":\"10cf5bec-49dd-4ebf-8077-8f47e420096f\",\"atomic_attack_name\":\"Add launch script to launch agent\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.005\",\"atomic_attack_guid\":\"fc369906-90c7-4a15-86fd-d37da624dde6\",\"atomic_attack_name\":\"Add launch script to launch daemon\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via 
Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"2a9b677d-a230-44f4-ad86-782df1ef108c\",\"atomic_attack_name\":\"System Owner/User Discovery\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Connections Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1030\",\"atomic_attack_guid\":\"ab936c51-10f4-46ce-9144-e02137b2016a\",\"atomic_attack_name\":\"Data Transfer Size Limits\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Split A File Into Pieces\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"e22a9e89-69c7-410f-a473-e6c212cd2292\",\"atomic_attack_name\":\"Pad Binary to Change Hash using truncate command - Linux/macOS\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Binary Padding - MacOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"ffe2346c-abd5-4b45-a713-bf5f1ebd573a\",\"atomic_attack_name\":\"Pad Binary to Change Hash - Linux/macOS dd\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Binary Padding - MacOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"f45df6be-2e1e-4136-a384-8f18ab3826fb\",\"atomic_attack_name\":\"Decode base64 Data into 
Script\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Decode Base64 Encoded Text -MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.005\",\"atomic_attack_guid\":\"8a930abe-841c-4d4f-a877-72e9fe90b9ea\",\"atomic_attack_name\":\"Enable Apple Remote Desktop Agent\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Information Discovery Using sw_vers\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml\"},{\"rule_name\":\"Local System Accounts Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_local_account.yml\"},{\"rule_name\":\"Launch Agent/Daemon Execution Via Launchctl\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml\"},{\"rule_name\":\"Creation Of A Local User Account\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_create_account.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"96db2632-8417-4dbb-b8bb-a8b92ba391de\",\"atomic_attack_name\":\"Remote System Discovery - sweep\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"acb6b1ff-e2ad-4d64-806c-6c35fe73b951\",\"atomic_attack_name\":\"Remote System Discovery - arp nix\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - 
macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"},{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"ff1d8c25-2aa4-4f18-a425-fede4a41ee88\",\"atomic_attack_name\":\"List macOS Firewall Rules\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"c141bbdb-7fca-4254-9fd6-f47e79447e17\",\"atomic_attack_name\":\"System Network Configuration Discovery\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - macOS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml\"},{\"rule_name\":\"Macos Remote System Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml\"},{\"rule_name\":\"System Network Connections Discovery - MacOs\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1005\",\"atomic_attack_guid\":\"cfb6d400-a269-4c06-a347-6d88d584d5f7\",\"atomic_attack_name\":\"Copy Apple Notes database files using AppleScript\",\"platform\":\"macOS\",\"sigma_rules\":[{\"rule_name\":\"MacOS Scripting Interpreter 
AppleScript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"42510244-5019-48fa-a0e5-66c3b76e6049\",\"atomic_attack_name\":\"Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Microsoft IIS Service Account Password Dumped\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"84113186-ed3c-4d0d-8a3c-8980c86c1f4a\",\"atomic_attack_name\":\"Dump Credential Manager using keymgr.dll and rundll32.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Key Manager Access\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003\",\"atomic_attack_guid\":\"0b207037-813c-4444-ac3f-b597cf280a67\",\"atomic_attack_name\":\"Send NTLM Hash with RPC Test Connection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Capture Credentials with Rpcping.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with 
Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"0be2230c-9ab3-4ac2-8826-3199b9a0ebf8\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using ProcDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed ProcDump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Potential LSASS Process Dump Via Procdump\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"},{\"rule_name\":\"Procdump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"2536dee2-12fb-459a-8c37-971844fa73be\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using comsvcs.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Memory Dump Via Comsvcs.DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml\"},{\"rule_name\":\"PowerShell Get-Process 
LSASS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"dddd4aca-bbed-46f0-984d-e4c5971c51ea\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using NanoDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"453acf13-1dbd-47d7-b28a-172ce9228023\",\"atomic_attack_name\":\"Offline Credential Theft With Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Operator Bloopers Cobalt Strike Commands\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"7cede33f-0acd-44ef-9774-15511300b24b\",\"atomic_attack_name\":\"Create Mini Dump of LSASS.exe using ProcDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"},{\"rule_name\":\"Procdump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"Potential LSASS Process Dump Via Procdump\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"86fc3f40-237f-4701-b155-81c01c48d697\",\"atomic_attack_name\":\"Dump LSASS.exe using imported Microsoft DLLs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - XORDump Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"eb5adf16-b601-4926-bca7-dad22adffb37\",\"atomic_attack_name\":\"Dump LSASS.exe Memory through Silent Process Exit\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Mimikatz 
Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"2364e33d-ceab-4641-8468-bfb1d7cc2723\",\"atomic_attack_name\":\"Dump Active Directory Database with NTDSUtil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Patterns NTDS.DIT Exfil\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"542bb97e-da53-436b-8e43-e0a7d31a6c24\",\"atomic_attack_name\":\"Create Volume Shadow Copy with Powershell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"Create Volume Shadow Copy with Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.005\",\"atomic_attack_guid\":\"56506854-89d6-46a3-9804-b7fde90791f9\",\"atomic_attack_name\":\"Cached Credential Dump via Cmdkey\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.006\",\"atomic_attack_guid\":\"a0bced08-3fc5-4d8b-93b7-e8344739376e\",\"atomic_attack_name\":\"Run DSInternals Get-ADReplAccount\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DSInternals Suspicious PowerShell 
Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml\"},{\"rule_name\":\"Suspicious Get-ADReplAccount\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1007\",\"atomic_attack_guid\":\"89676ba1-b1f8-47ee-b940-2e1a113ebc71\",\"atomic_attack_name\":\"System Service Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1007\",\"atomic_attack_guid\":\"5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3\",\"atomic_attack_name\":\"System Service Discovery - net.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"970ab6a1-0157-4f3f-9a73-ec4166754b23\",\"atomic_attack_name\":\"System Network Configuration Discovery on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"dafaf052-5508-402d-bf77-51e0700c02e2\",\"atomic_attack_name\":\"System Network Configuration Discovery (TrickBot 
Style)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"},{\"rule_name\":\"Potential Recon Activity Via Nltest.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016.002\",\"atomic_attack_guid\":\"53cf1903-0fa7-4177-ab14-f358ae809eec\",\"atomic_attack_name\":\"Enumerate Stored Wi-Fi Profiles And Passwords via netsh\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Harvesting Of Wifi Credentials Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"6db1f57f-d1d5-4223-8a66-55c9c65a9592\",\"atomic_attack_name\":\"Remote System Discovery - ping sweep\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Scan Loop Network\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"64ede6ac-b57a-41c2-a7d1-32c6cd35397d\",\"atomic_attack_name\":\"Enumerate Active Directory Computers with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote System Discovery with Adsisearcher\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_system_discovery_with_adsisearcher.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"b8147c9a-84db-4ec1-8eee-4e0da75f0de5\",\"atomic_attack_name\":\"Enumerate Remote Hosts with Netscan\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"atomic_attack_guid\":\"74ace21e-a31c-4f7d-b540-53e4eb6d1f73\",\"atomic_attack_name\":\"Changing RDP Port to Non Standard Port via Command_Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Firewall Rule Added Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml\"},{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"},{\"rule_name\":\"Publicly Accessible RDP 
Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"atomic_attack_guid\":\"01d1c6c0-faf0-408e-b368-752a02285cb2\",\"atomic_attack_name\":\"Disable NLA for RDP via Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"},{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"e2d85e66-cb66-4ed7-93b1-833fc56c9319\",\"atomic_attack_name\":\"DLP Evasion via Sensitive Data in VBA Macro over HTTP\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"fad04df1-5229-4185-b016-fb6010cd87ac\",\"atomic_attack_name\":\"Execution from Compressed JScript File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via 
Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"4c4959bf-addf-4b4a-be86-8d09cc1857aa\",\"atomic_attack_name\":\"System Owner/User Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Command Output Piped To Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Whoami.EXE Execution With Output Option\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"5ba5a3d1-cf3c-4499-968a-a93155d1f717\",\"atomic_attack_name\":\"Masquerading as Windows LSASS process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Binary 
Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"3a2a578b-0a01-46e4-92e3-62e2859b42f0\",\"atomic_attack_name\":\"Masquerading - cscript.exe running as notepad.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa\",\"atomic_attack_name\":\"Masquerading - powershell.exe running as taskhostw.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"83810c46-f45e-4485-9ab6-8ed0e9e6ed7f\",\"atomic_attack_name\":\"Malicious process Masquerading as LSM.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Binary Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"b721c6ef-472c-4263-a0d9-37f1f4ecff66\",\"atomic_attack_name\":\"Creating W32Time similar named service using sc\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.007\",\"atomic_attack_guid\":\"c7fa0c3b-b57f-4cba-9118-863bf4e653fc\",\"atomic_attack_name\":\"File Extension Masquerading\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Suspicious Double Extension Files\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1037.001\",\"atomic_attack_guid\":\"d6042746-07d4-4c92-9ad8-e644c114a231\",\"atomic_attack_name\":\"Logon Scripts\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential 
Persistence Via Logon Scripts - CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Potential Persistence Via Logon Scripts - Registry\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1039\",\"atomic_attack_guid\":\"6ed67921-1774-44ba-bac6-adb51ed60660\",\"atomic_attack_name\":\"Copy a sensitive File over Administrative share with copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1039\",\"atomic_attack_guid\":\"7762e120-5879-44ff-97f8-008b401b9a98\",\"atomic_attack_name\":\"Copy a sensitive File over Administrative share with Powershell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol 
Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"b5656f67-d67f-4de8-8e62-b5581630f528\",\"atomic_attack_name\":\"Windows Internal Packet Capture\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Network Trace Capture Started Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"855fb8b4-b8ab-4785-ae77-09f5df7bff55\",\"atomic_attack_name\":\"Windows Internal pktmon set filter\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PktMon.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"5750aa16-0e59-4410-8b9a-8a47ca2788e2\",\"atomic_attack_name\":\"WMI Reconnaissance Processes\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"718aebaa-d0e0-471a-8241-c5afa69c7414\",\"atomic_attack_name\":\"WMI Reconnaissance Software\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Hotfix Updates Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1053.002\",\"atomic_attack_guid\":\"4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8\",\"atomic_attack_name\":\"At.exe Scheduled task\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Interactive AT 
Job\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"42f53695-ad4a-4546-abb6-7d837f644a71\",\"atomic_attack_name\":\"Scheduled task Local\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Schtasks Schedule Types\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"e895677d-4f06-49ab-91b6-ae3742d0a2ba\",\"atomic_attack_name\":\"Scheduled Task Executing Base64 Encoded Commands From Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scheduled Task Executing Encoded Payload from Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Command Patterns In Scheduled Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Scheduled Task Creation Via 
Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"3203ad24-168e-4bec-be36-f79b13ef8a83\",\"atomic_attack_name\":\"Remote Process Injection in LSASS via mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"2871ed59-3837-4a52-9107-99500ebc87cb\",\"atomic_attack_name\":\"Process Injection with Go using CreateThread WinAPI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055\",\"atomic_attack_guid\":\"2a3c7035-d14f-467a-af94-933e49fe6786\",\"atomic_attack_name\":\"Process Injection with Go using CreateThread WinAPI (Natively)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1056.001\",\"atomic_attack_guid\":\"d9b633ca-8efb-45e6-b838-70f595c6ae26\",\"atomic_attack_name\":\"Input 
Capture\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Powershell Keylogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1056.004\",\"atomic_attack_guid\":\"de1934ea-1fbf-425b-8795-65fb27dd7e33\",\"atomic_attack_name\":\"Hook PowerShell TLS Encrypt/Decrypt Messages\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mavinject Inject DLL Into Running Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"c5806a4f-62b8-4900-980b-c7ec004e9908\",\"atomic_attack_name\":\"Process Discovery - tasklist\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"640cbf6d-659b-498b-ba53-f6dd1a1cc02c\",\"atomic_attack_name\":\"Process Discovery - wmic process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1057\",\"atomic_attack_guid\":\"11ba69ee-902e-4a0f-b3b6-418aed7d7ddb\",\"atomic_attack_name\":\"Discover Specific Process - tasklist\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LSASS Process Reconnaissance Via 
Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml\"},{\"rule_name\":\"Recon Command Output Piped To Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"af1800cf-9f9d-4fd1-a709-14b1e6de020d\",\"atomic_attack_name\":\"Mimikatz - Cradlecraft PsSendKeys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Potential PowerShell Command Line Obfuscation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Windows PowerShell Script Block With Malicious 
String\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml\"},{\"rule_name\":\"Detect Mimikatz With PowerShell Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"a538de64-1c74-46ed-aa60-b995ed302598\",\"atomic_attack_name\":\"PowerShell Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 
Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"49eb9404-5e0f-4031-a179-b40f7be385e3\",\"atomic_attack_name\":\"PowerShell Invoke Known Malicious Cmdlets\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"127b4afe-2346-4192-815c-69042bec570e\",\"atomic_attack_name\":\"Writes text to a file and displays it.\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"df81db1b-066c-4802-9bc8-b6d030c3ba8e\",\"atomic_attack_name\":\"Command Prompt read contents from CMD file and execute\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.003\",\"atomic_attack_guid\":\"00682c9f-7df4-4df8-950b-6dcaaa3ad9af\",\"atomic_attack_name\":\"Command prompt writing script to file then executes it\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Whoami.EXE Execution With Output Option\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.005\",\"atomic_attack_guid\":\"1620de42-160a-4fe5-bbaf-d3fef0181ce9\",\"atomic_attack_name\":\"Visual Basic script execution to gather local computer information\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via 
Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Registry Tampering by Potentially Suspicious Processes\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.007\",\"atomic_attack_guid\":\"01d75adf-ca1b-4dd1-ac96-7c9550ad1035\",\"atomic_attack_name\":\"JScript execution to gather local computer information via cscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.007\",\"atomic_attack_guid\":\"0709945e-4fec-4c49-9faf-c3c292a74484\",\"atomic_attack_name\":\"JScript execution to gather local computer information via wscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"9f4e344b-8434-41b3-85b1-d38f29d148d0\",\"atomic_attack_name\":\"Enumerate Active Directory Groups 
with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070\",\"atomic_attack_guid\":\"b4115c7a-0e92-47f0-a61e-17e7218b2435\",\"atomic_attack_name\":\"Indicator Removal using FSUtil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Suspicious Invocation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.001\",\"atomic_attack_guid\":\"e6abb60e-26b8-41da-8aae-0c35174b0967\",\"atomic_attack_name\":\"Clear Logs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Eventlog Clearing or Configuration Change Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"861ea0b4-708a-4d17-848d-186c9c7f17e3\",\"atomic_attack_name\":\"Delete a single file - Windows cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Cisco File 
Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"36f96049-0ad7-4a5f-8418-460acaeb92fb\",\"atomic_attack_name\":\"Delete Prefetch File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"},{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"atomic_attack_guid\":\"14c38f32-6509-46d8-ab43-d53e32d2b131\",\"atomic_attack_name\":\"Add Network Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"atomic_attack_guid\":\"09210ad5-1ef2-4077-9ad3-7351e13e9222\",\"atomic_attack_name\":\"Remove Network Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"},{\"rule_name\":\"Unmount Share Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1071.001\",\"atomic_attack_guid\":\"dc3488b0-08c7-4fea-b585-905c83b48180\",\"atomic_attack_name\":\"Malicious 
User Agents - CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1074.001\",\"atomic_attack_guid\":\"107706a5-6f9f-451a-adae-bab8c667829f\",\"atomic_attack_name\":\"Stage data from Discovery.bat\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1074.001\",\"atomic_attack_guid\":\"a57fbe4b-3440-452a-88a7-943531ac872a\",\"atomic_attack_name\":\"Zip a Folder with PowerShell for Staging in Temp\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml\"},{\"rule_name\":\"Zip A Folder With PowerShell For Staging In Temp - PowerShell Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1078.001\",\"atomic_attack_guid\":\"99747561-ed8d-47f2-9c91-1e5fde1ed6e0\",\"atomic_attack_name\":\"Enable Guest account with RDP capability and admin 
privileges\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"},{\"rule_name\":\"User Added to Remote Desktop Users Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml\"},{\"rule_name\":\"Weak or Abused Passwords In CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1078.003\",\"atomic_attack_guid\":\"a524ce99-86de-4db6-b4f9-e08f35a47a15\",\"atomic_attack_name\":\"Create local account with admin privileges\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"66703791-c902-4560-8770-42b8a91f7667\",\"atomic_attack_name\":\"System Information Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Configuration And Service Reconnaissance Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml\"},{\"rule_name\":\"Suspicious Execution of Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"224b4daf-db44-404e-b6b2-f4d1f0126ef8\",\"atomic_attack_name\":\"Windows MachineGUID Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Query of 
MachineGUID\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"69bd4abe-8759-49a6-8d21-0f15822d6370\",\"atomic_attack_name\":\"Griffon Recon\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"4060ee98-01ae-4c8e-8aad-af8300519cc7\",\"atomic_attack_name\":\"System Information Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml\"},{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Potential Reconnaissance Activity Via GatherNetworkInfo.VBS\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml\"},{\"rule_name\":\"Suspicious Execution of 
Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"atomic_attack_guid\":\"0e36303b-6762-4500-b003-127743b80ba6\",\"atomic_attack_name\":\"File and Directory Discovery (cmd.exe)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"95018438-454a-468c-a0fa-59c800149b59\",\"atomic_attack_name\":\"Automated AD Recon (ADRecon)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"736b4f53-f400-4c22-855d-1a6b5a551600\",\"atomic_attack_name\":\"Adfind -Listing password policy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via 
AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"b95fd967-4e62-4109-b48d-265edfd28c3a\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Admins\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"5e2938fb-f919-47b6-8b29-2f6a1f718e99\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Exchange AD Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"02e8be5a-3065-4e54-8cc8-a14d138834d3\",\"atomic_attack_name\":\"Enumerate Active Directory Users with ADSISearcher\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"7ab0205a-34e4-4a44-9b04-e1541d1a57be\",\"atomic_attack_name\":\"Enumerate Linked Policies In ADSISearcher Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1090.001\",\"atomic_attack_guid\":\"b8223ea9-4be2-44a6-b50a-9657a3d4e72a\",\"atomic_attack_name\":\"portproxy reg key\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Port Forwarding Rule Added Via Netsh.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"2ca61766-b456-4fcf-a35a-1233685e1cad\",\"atomic_attack_name\":\"OSTAP Worming 
Activity\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"fa5a2759-41d7-4e13-a19c-e8f28a53566f\",\"atomic_attack_name\":\"svchost writing a file to a UNC path\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Copy From Or To Admin Share Or Sysvol Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"815bef8b-bf91-4b67-be4c-abe4c2a94ccc\",\"atomic_attack_name\":\"Download a File with Windows Defender MpCmdRun.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"File Download Via Windows Defender MpCmpRun.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"5f507e45-8411-4f99-84e7-e38530c45d01\",\"atomic_attack_name\":\"File download with finger.exe on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Finger.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"1a02df58-09af-4064-a765-0babe1a0d1e2\",\"atomic_attack_name\":\"Download a file with IMEWDBLD.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Arbitrary File Download Via IMEWDBLD.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"49845fc1-7961-4590-a0f0-3dbcf065ae7e\",\"atomic_attack_name\":\"Printer Migration Command-Line Tool UNC share folder into a zip file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"PrintBrm ZIP Creation of Extraction\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"54782d65-12f0-47a5-b4c1-b70ee23de6df\",\"atomic_attack_name\":\"Lolbas replace.exe use to copy file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Replace.exe Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml\"},{\"rule_name\":\"Greedy File Deletion Using 
Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"ed0335ac-0354-400c-8148-f6151d20035a\",\"atomic_attack_name\":\"Lolbas replace.exe use to copy UNC file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Replace.exe Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"6fdaae87-c05b-42f8-842e-991a74e8376b\",\"atomic_attack_name\":\"certreq download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Certreq Command to Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious CertReq Command to Download\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certreq_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"97116a3f-efac-4b26-8336-b9cb18c45188\",\"atomic_attack_name\":\"Download a file using wscript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"c01cad7f-7a4c-49df-985e-b190dcf6a279\",\"atomic_attack_name\":\"iwr or Invoke Web-Request download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1110.001\",\"atomic_attack_guid\":\"59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4\",\"atomic_attack_name\":\"Password Brute User using Kerbrute Tool\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"282f929a-6bc5-42b8-bd93-960c3ba35afe\",\"atomic_attack_name\":\"Modify Registry of Local Machine - cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c0413fb5-33e2-40b7-9b6f-60b29f4a7a18\",\"atomic_attack_name\":\"Modify registry to store logon credentials\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious 
Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"95b25212-91a7-42ff-9613-124aca6845a8\",\"atomic_attack_name\":\"Windows Powershell Logging Disabled\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5\",\"atomic_attack_name\":\"Windows Add Registry Value to Load Service in Safe Mode without Network\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Add SafeBoot Keys Via Reg Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c173c948-65e5-499c-afbe-433722ed5bd4\",\"atomic_attack_name\":\"Windows Add Registry Value to Load Service in Safe Mode with Network\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Add SafeBoot Keys Via Reg Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c30dada3-7777-4590-b970-dc890b8cf113\",\"atomic_attack_name\":\"Suppress Win Defender Notifications\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"65704cd4-6e36-4b90-b6c1-dc29a82c8e56\",\"atomic_attack_name\":\"NetWire RAT Registry Key Creation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c375558d-7c25-45e9-bd64-7b23a97c1db0\",\"atomic_attack_name\":\"Ursnif Malware Registry Key Creation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"d2c9e41e-cd86-473d-980d-b6403562e3e1\",\"atomic_attack_name\":\"Disable Windows Error Reporting Settings\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"35727d9e-7a7f-4d0c-a259-dc3906d6e8b9\",\"atomic_attack_name\":\"Mimic Ransomware - Allow Multiple RDP Sessions per User\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"e3ad8e83-3089-49ff-817f-e52f8c948090\",\"atomic_attack_name\":\"Enabling Remote Desktop Protocol via Remote Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"3b625eaa-c10d-4635-af96-3eae7d2a2f3c\",\"atomic_attack_name\":\"Tamper Win Defender Protection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c88ef166-50fa-40d5-a80c-e2b87d4180f7\",\"atomic_attack_name\":\"Modify Internet Zone Protocol Defaults in Current User Registry - cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"ffeddced-bb9f-49c6-97f0-3d07a509bf94\",\"atomic_attack_name\":\"Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry 
Value.\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Reg Add Suspicious Paths\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml\"},{\"rule_name\":\"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"16bdbe52-371c-4ccf-b708-79fba61f1db4\",\"atomic_attack_name\":\"Enable RDP via Registry (fDenyTSConnections)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"5f8e36de-37ca-455e-b054-a2584f043c06\",\"atomic_attack_name\":\"Disable Windows Remote Desktop Protocol\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"26fc7375-a551-4336-90d7-3f2817564304\",\"atomic_attack_name\":\"Requires the BitLocker PIN for Pre-boot authentication\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"bacb3e73-8161-43a9-8204-a69fe0e4b482\",\"atomic_attack_name\":\"Modify EnableBDEWithNoTPM Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add 
BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"10b33fb0-c58b-44cd-8599-b6da5ad6384c\",\"atomic_attack_name\":\"Modify UseTPMPIN Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"c8480c83-a932-446e-a919-06a1fd1e512a\",\"atomic_attack_name\":\"Modify UseTPMKey Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"02d8b9f7-1a51-4011-8901-2d55cca667f9\",\"atomic_attack_name\":\"Modify UseTPMKeyPIN Registry entry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add BitLocker\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1113\",\"atomic_attack_guid\":\"5a496325-0115-4274-8eb9-755b649ad0fb\",\"atomic_attack_name\":\"Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Windows Recall Feature Enabled Via 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1115\",\"atomic_attack_guid\":\"0cd14633-58d4-4422-9ede-daa2c9474ae7\",\"atomic_attack_name\":\"Utilize Clipboard to store or execute commands from\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"PowerShell Get Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"},{\"rule_name\":\"Data Copied To Clipboard Via Clip.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"atomic_attack_guid\":\"cb379146-53f1-43e0-b884-7ce2c635ff5b\",\"atomic_attack_name\":\"Automated Collection Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Command Prompt\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"atomic_attack_guid\":\"aa1180e2-f329-4e1e-8625-2472ec0bfaf3\",\"atomic_attack_name\":\"Recon information for export with Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1120\",\"atomic_attack_guid\":\"424e18fd-48b8-4201-8d3a-bf591523a686\",\"atomic_attack_name\":\"Peripheral Device Discovery via fsutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Drive Enumeration\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1123\",\"atomic_attack_guid\":\"9c3ad250-b185-4444-b5a9-d69218a10c95\",\"atomic_attack_name\":\"using device audio capture commandlet\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Audio Capture via PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1124\",\"atomic_attack_guid\":\"20aba24b-e61f-4b26-b4ce-4784f763ca20\",\"atomic_attack_name\":\"System Time Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via 
Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"},{\"rule_name\":\"Discovery of a System Time\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1127\",\"atomic_attack_guid\":\"1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8\",\"atomic_attack_name\":\"Lolbin Jsc.exe compile javascript to exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"JScript Compiler Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1127\",\"atomic_attack_guid\":\"3fc9fea2-871d-414d-8ef6-02e85e322b80\",\"atomic_attack_name\":\"Lolbin Jsc.exe compile javascript to dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"JScript Compiler Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1134.004\",\"atomic_attack_guid\":\"cbbff285-9051-444a-9d17-c07cd2d230eb\",\"atomic_attack_name\":\"Parent PID Spoofing - Spawn from Specified Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Weak or Abused Passwords In 
CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"20f1097d-81c1-405c-8380-32174d493bbb\",\"atomic_attack_name\":\"Network Share Discovery command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"ab39a04f-0c93-4540-9ff2-83f862c385ae\",\"atomic_attack_name\":\"View available share drives\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"atomic_attack_guid\":\"d07e4cc1-98ae-447e-9d31-36cb430d28c4\",\"atomic_attack_name\":\"PowerView ShareFinder\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Import New Module Via PowerShell CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1137\",\"atomic_attack_guid\":\"bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c\",\"atomic_attack_name\":\"Office Application Startup - Outlook as a C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1140\",\"atomic_attack_guid\":\"dc6fe391-69e6-4506-bd06-ea5eeb4082f8\",\"atomic_attack_name\":\"Deobfuscate/Decode Files Or Information\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1140\",\"atomic_attack_guid\":\"71abc534-3c05-4d0c-80f7-cbe93cb2aa94\",\"atomic_attack_name\":\"Certutil Rename and Decode\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"485ce873-2e65-4706-9c7e-ae3ab9e14213\",\"atomic_attack_name\":\"PetitPotam\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential 
SMB Relay Attack Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"81cfdd7f-1f41-4cc5-9845-bb5149438e37\",\"atomic_attack_name\":\"Trigger an authenticated RPC call to a target server with no Sign flag set\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Capture Credentials with Rpcping.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"4588d243-f24e-4549-b2e3-e627acc089f6\",\"atomic_attack_name\":\"Examine local password policy - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"510cc97f-56ac-4cd3-a198-d3218c23d889\",\"atomic_attack_name\":\"Use of SecEdit.exe to export the local security policy (including the password policy)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Suspicious Activity Using SeCEdit\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"cecfea7a-5f03-4cdd-8bc8-6f7c22862440\",\"atomic_attack_name\":\"Indirect Command Execution - pcalua.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use of Pcalua For 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"8b34a448-40d9-4fc3-a8c8-4bb286faf7dc\",\"atomic_attack_name\":\"Indirect Command Execution - forfiles.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Forfiles Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1202\",\"atomic_attack_guid\":\"0fd14730-6226-4f5e-8d67-43c65f1be940\",\"atomic_attack_name\":\"Indirect Command Execution - Scriptrunner.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Use of Scriptrunner.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"3f3af983-118a-4fa1-85d3-ba4daa739d80\",\"atomic_attack_name\":\"OSTap Payload Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"02f35d62-9fdc-4a97-b899-a5d9a876d295\",\"atomic_attack_name\":\"Potentially Unwanted Applications (PUA)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And 
Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1204.002\",\"atomic_attack_guid\":\"581d7521-9c4b-420e-9695-2aec5241167f\",\"atomic_attack_name\":\"LNK Payload Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1216\",\"atomic_attack_guid\":\"2a8f2d3c-3dec-4262-99dd-150cb2a4d63a\",\"atomic_attack_name\":\"manage-bde.wsf Signed Script Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"Suspicious Calculator 
Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1216.001\",\"atomic_attack_guid\":\"9dd29a1f-1e16-4862-be83-913b10a88f6c\",\"atomic_attack_name\":\"PubPrn.vbs Signed Script Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Pubprn.vbs Proxy Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml\"},{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"76f71e2f-480e-4bed-b61e-398fe17499d5\",\"atomic_attack_name\":\"List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Where Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"4312cdbc-79fc-4a9c-becc-53d49c734bc5\",\"atomic_attack_name\":\"List Mozilla Firefox bookmarks on Windows with command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Where Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1217\",\"atomic_attack_guid\":\"727dbcdb-e495-4ab1-a6c4-80c7f77aef85\",\"atomic_attack_name\":\"List Internet Explorer Bookmarks using the command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File And SubFolder Enumeration Via Dir 
Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"ad2c17ed-f626-4061-b21e-b9804a6f3655\",\"atomic_attack_name\":\"Register-CimProvider - Execute evil dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DLL Execution Via Register-cimprovider.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"54ad7d5a-a1b5-472c-b6c4-f8090fb2daef\",\"atomic_attack_name\":\"InfDefaultInstall.exe .inf Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"InfDefaultInstall.exe .inf Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"7cbb0f26-a4c1-4f77-b180-a009aa05637e\",\"atomic_attack_name\":\"Microsoft.Workflow.Compiler.exe Payload Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Microsoft Workflow Compiler Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"9ebe7901-7edf-45c0-b5c7-8366300919db\",\"atomic_attack_name\":\"Invoke-ATHRemoteFXvGPUDisablementCommand base test\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"49fbd548-49e9-4bb7-94a6-3769613912b8\",\"atomic_attack_name\":\"Load Arbitrary DLL via Wuauclt (Windows Update Client)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Proxy Execution Via Wuauclt.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"5bcda9cd-8e85-48fa-861d-b5a85d91d48c\",\"atomic_attack_name\":\"Lolbin Gpscript logon option\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Gpscript Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"f8da74bb-21b8-4af9-8d84-f2c8e4a220e3\",\"atomic_attack_name\":\"Lolbin Gpscript startup option\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Gpscript Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"13c0804e-615e-43ad-b223-2dfbacd0b0b3\",\"atomic_attack_name\":\"Lolbas ie4uinit.exe use as proxy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"},{\"rule_name\":\"Ie4uinit Lolbin Use From Invalid Path\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"ab76e34f-28bf-441f-a39c-8db4835b89cc\",\"atomic_attack_name\":\"Provlaunch.exe Executes Arbitrary Command via Registry Key\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Provisioning Registry Key Abuse For Binary Proxy Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"7816c252-b728-4ea6-a683-bd9441ca0b71\",\"atomic_attack_name\":\"System Binary Proxy Execution - Wlrmdr Lolbin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wlrmdr.EXE Uncommon Argument Or Child Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.003\",\"atomic_attack_guid\":\"34e63321-9683-496b-bbc1-7566bc55e624\",\"atomic_attack_name\":\"CMSTP Executing Remote Scriptlet\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Bypass UAC via CMSTP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.003\",\"atomic_attack_guid\":\"748cb4f6-2fb3-4e97-b7ad-b22635a09ab0\",\"atomic_attack_name\":\"CMSTP Executing UAC Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Bypass UAC via CMSTP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml\"},{\"rule_name\":\"CMSTP Execution Registry Event\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"1483fab9-4f52-4217-a9ce-daa9d7747cae\",\"atomic_attack_name\":\"Mshta executes JavaScript Scheme Fetch Remote 
Payload With GetObject\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Remotely Hosted HTA File Executed Via Mshta.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml\"},{\"rule_name\":\"Suspicious JavaScript Execution Via Mshta.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"906865c3-e05f-4acc-85c4-fbc185455095\",\"atomic_attack_name\":\"Mshta executes VBScript to execute malicious command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"MSHTA Suspicious Execution 01\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"},{\"rule_name\":\"Wscript Shell Run In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"MSHTA Execution with Suspicious File Extensions\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.005\",\"atomic_attack_guid\":\"8707a805-2b76-4f32-b1c0-14e558205772\",\"atomic_attack_name\":\"Mshta used to Execute PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Read Contents From Stdin Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml\"},{\"rule_name\":\"MSHTA Suspicious Execution 01\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"},{\"rule_name\":\"Wscript Shell Run In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"MSHTA Execution with Suspicious File Extensions\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with embedded JScript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"8d73c7b0-c2b1-4ac1-881a-4aa644f76064\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with embedded VBScript\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"628fa796-76c5-44c3-93aa-b9d8214fd568\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with an embedded DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"ed3fa08a-ca18-4009-973e-03d13014d0e8\",\"atomic_attack_name\":\"Msiexec.exe - Execute Local MSI file with an embedded EXE\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet 
Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"9d71c492-ea2e-4c08-af16-c6994cdf029f\",\"atomic_attack_name\":\"Regsvr32 Silent DLL Install Call DllRegisterServer\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"57ba4ce9-ee7a-4f27-9928-3c70c489b59d\",\"atomic_attack_name\":\"Rundll32 execute JavaScript Remote Payload With GetObject\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 DNSQuery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/network/rundll32_dnsquery.yml\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"638730e7-7aed-43dc-bf8c-8117f805f5bb\",\"atomic_attack_name\":\"Rundll32 execute VBscript command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wscript Shell Run In 
CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"22cfde89-befe-4e15-9753-47306b37a6e3\",\"atomic_attack_name\":\"Execution of HTA and VBS Files using Rundll32 and URL.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"9f5d081a-ee5a-42f9-a04e-b7bdc487e676\",\"atomic_attack_name\":\"Launches an executable using Rundll32 and pcwutl.dll\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Code Execution via Pcwutl.dll\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"83a95136-a496-423c-81d3-1c6750133917\",\"atomic_attack_name\":\"Rundll32 with desk.cpl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Rundll32 InstallScreenSaver Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"SCR File Write Event\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"2d5029f0-ae20-446f-8811-e7511b58e8b6\",\"atomic_attack_name\":\"Running DLL with .init extension and function\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8\",\"atomic_attack_name\":\"Rundll32 execute command via FileProtocolHandler\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"8a7f56ee-10e7-444c-a139-0109438288eb\",\"atomic_attack_name\":\"Rundll32 execute payload by calling 
RouteTheCall\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1220\",\"atomic_attack_guid\":\"1b237334-3e21-4a0c-8178-b8c996124988\",\"atomic_attack_name\":\"WMIC bypass using local XSL file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"XSL Script Execution Via WMIC.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml\"},{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1220\",\"atomic_attack_guid\":\"7f5be499-33be-4129-a560-66021f379b9b\",\"atomic_attack_name\":\"WMIC bypass using remote XSL file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"XSL Script Execution Via WMIC.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml\"},{\"rule_name\":\"Process Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml\"},{\"rule_name\":\"Potential Remote SquiblyTwo Technique 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222\",\"atomic_attack_guid\":\"6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02\",\"atomic_attack_name\":\"Enable Local and Remote Symbolic Links via fsutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Behavior Set SymlinkEvaluation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"98d34bb4-6e75-42ad-9c41-1dae7dc6a001\",\"atomic_attack_name\":\"Take ownership using takeown utility\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Recursive Takeown\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml\"},{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"a8206bcc-f282-40a9-a389-05d9c0263485\",\"atomic_attack_name\":\"cacls - Grant permission to specified user or group recursively\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"bec1e95c-83aa-492e-ab77-60c71bbd21b0\",\"atomic_attack_name\":\"attrib - Remove read-only attribute\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions 
Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"32b979da-7b68-42c9-9a99-0e39900fc36c\",\"atomic_attack_name\":\"attrib - hide file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1222.001\",\"atomic_attack_guid\":\"ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6\",\"atomic_attack_name\":\"Grant Full Access to folder for Everyone - Ryuk Ransomware Style\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File or Folder Permissions Modifications\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"2e22641d-0498-48d2-b9ff-c71e496ccdbe\",\"atomic_attack_name\":\"Windows - Discover domain trusts with nltest\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Recon Activity Via Nltest.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"15fe436d-e771-4ff3-b655-2dca9ba52834\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Trusts\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"321fd25e-0007-417f-adec-33232252be19\",\"atomic_attack_name\":\"Overwrite deleted data on C drive\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Deleted Data Overwritten Via Cipher.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1486\",\"atomic_attack_guid\":\"649349c7-9abf-493b-a7a2-b1aa4d141528\",\"atomic_attack_name\":\"PureLocker Ransom Note\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"21dfb440-830d-4c86-a3e5-2a491d5a8d04\",\"atomic_attack_name\":\"Windows - Stop service using Service 
Controller\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Stop Windows Service Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"41274289-ec9c-4213-bea4-e43c4aa57954\",\"atomic_attack_name\":\"Windows - Stop service using net.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Stop Windows Service Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1489\",\"atomic_attack_guid\":\"f3191b84-c38b-400b-867e-3a217a27795f\",\"atomic_attack_name\":\"Windows - Stop service by killing process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Process Terminated Via Taskkill\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"43819286-91a9-4369-90ed-d31fb4da2c01\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"6a3ff8dd-f49c-4272-a658-11c2fe58bd88\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems 
Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"cf21060a-80b3-4238-a595-22525de4ab81\",\"atomic_attack_name\":\"Windows - Disable Windows Recovery Console Repair\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Boot Configuration Tampering Via Bcdedit.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"39a295ca-7059-4a88-86f6-09556c1211e7\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via WMI with PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"},{\"rule_name\":\"Deletion of Volume Shadow Copies via WMI with PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml\"},{\"rule_name\":\"Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Delete ShadowCopy With 
PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/delete_shadowcopy_with_powershell.yml\"}]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"6b1dbaf6-cc8a-4ea6-891f-6058569653bf\",\"atomic_attack_name\":\"Windows - Delete Backup Files\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"1c68c68d-83a4-4981-974e-8993055fa034\",\"atomic_attack_name\":\"Windows - Disable the SR scheduled task\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Disable Important Scheduled Task\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"da558b07-69ae-41b9-b9d4-4d98154a7049\",\"atomic_attack_name\":\"Windows - vssadmin Resize Shadowstorage Volume\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"atomic_attack_guid\":\"a4420f93-5386-4290-b780-f4f66abc7070\",\"atomic_attack_name\":\"Modify VSS Service Permissions\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Allow Service Access Using Security Descriptor Tampering Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml\"},{\"rule_name\":\"Service Security Descriptor Tampering Via 
Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml\"},{\"rule_name\":\"Deny Service Access Using Security Descriptor Tampering Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1505.002\",\"atomic_attack_guid\":\"43e92449-ff60-46e9-83a3-1a38089df94d\",\"atomic_attack_name\":\"Install MS Exchange Transport Agent Persistence\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"MSExchange Transport Agent Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1505.003\",\"atomic_attack_guid\":\"0a2ce662-1efa-496f-a472-2fe7b080db16\",\"atomic_attack_name\":\"Web Shell Written to Disk\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518\",\"atomic_attack_guid\":\"68981660-6670-47ee-a5fa-7e74806420a4\",\"atomic_attack_name\":\"Find and Display Internet Explorer Browser Version\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Detected Windows Software Discovery\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"f92a380f-ced9-491f-b338-95a991418ce2\",\"atomic_attack_name\":\"Security Software Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Command Output Piped To 
Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml\"},{\"rule_name\":\"Suspicious Tasklist Discovery Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"fe613cf3-8009-4446-9a0f-bc78a15b66c9\",\"atomic_attack_name\":\"Security Software Discovery - Sysmon Service\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"1553252f-14ea-4d3b-8a08-d7a4211aa945\",\"atomic_attack_name\":\"Security Software Discovery - AV Discovery via WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Product Class Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml\"},{\"rule_name\":\"Potential Product Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"ed366cde-7d12-49df-a833-671904770b9f\",\"atomic_attack_name\":\"Modify Fax service to run PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"},{\"rule_name\":\"Suspicious Service Path 
Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"981e2942-e433-44e9-afc1-8c957a1496b6\",\"atomic_attack_name\":\"Service Installation CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"491a4af6-a521-4b74-b23b-f7b3f1ee9e77\",\"atomic_attack_name\":\"Service Installation PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using PowerShell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"ef0581fd-528e-4662-87bc-4c2affb86940\",\"atomic_attack_name\":\"TinyTurla backdoor service w64time\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546\",\"atomic_attack_guid\":\"547a4736-dd1c-4b48-b4fe-e916190bb2e7\",\"atomic_attack_name\":\"Persistence via ErrorHandler.cmd script execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.001\",\"atomic_attack_guid\":\"10a08978-2045-4d62-8c42-1957bbbea102\",\"atomic_attack_name\":\"Change Default File Association\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Change Default File Association Via Assoc\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.002\",\"atomic_attack_guid\":\"281201e7-de41-4dc9-b73d-f288938cbb64\",\"atomic_attack_name\":\"Set Arbitrary Binary as Screensaver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.007\",\"atomic_attack_guid\":\"3244697d-5a3a-4dfc-941c-550f69f91a4d\",\"atomic_attack_name\":\"Netsh Helper DLL Registration\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Via Netsh Helper DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.008\",\"atomic_attack_guid\":\"934e90cf-29ca-48b3-863c-411737ad44e3\",\"atomic_attack_name\":\"Replace binary of sticky 
keys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Persistence Via Sticky Key Backdoor\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.008\",\"atomic_attack_guid\":\"51ef369c-5e87-4f33-88cd-6d61be63edf2\",\"atomic_attack_name\":\"Create Symbolic Link From osk.exe to cmd.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File Deletion Via Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml\"},{\"rule_name\":\"Greedy File Deletion Using Del\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Privilege Escalation Using Symlink Between Osk and Cmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.011\",\"atomic_attack_guid\":\"9ab27e22-ee62-4211-962b-d36d9a0e6a18\",\"atomic_attack_name\":\"Application Shim Installation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Shim Database Persistence via 
Sdbinst.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1546.011\",\"atomic_attack_guid\":\"aefd6866-d753-431f-a7a4-215ca7e3f13d\",\"atomic_attack_name\":\"New shim database files created in the default shim database directory\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547\",\"atomic_attack_guid\":\"cb01b3da-b0e7-4e24-bf6d-de5223526785\",\"atomic_attack_name\":\"Add a driver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Driver Install by pnputil.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547\",\"atomic_attack_guid\":\"5cb0b071-8a5a-412f-839d-116beb2ed9f7\",\"atomic_attack_name\":\"Driver Installation Using pnputil.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Driver Install by pnputil.exe\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"e55be3fd-3521-4610-9d1a-e210e42dcf05\",\"atomic_attack_name\":\"Reg Key Run\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using 
Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"554cbd88-cde1-4b56-8168-0be552eed9eb\",\"atomic_attack_name\":\"Reg Key RunOnce\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Direct Autorun Keys Modification\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml\"},{\"rule_name\":\"Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.001\",\"atomic_attack_guid\":\"6e1666d5-3f2b-4b9a-80aa-f011322380d4\",\"atomic_attack_name\":\"Creating Boot Verification Program Key for application execution during successful boot\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Persistence Attempt Via Existing Service Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1547.009\",\"atomic_attack_guid\":\"ce4fc678-364f-4282-af16-2fb4c78005ce\",\"atomic_attack_name\":\"Shortcut Modification\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Calculator Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output 
Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"58f641ea-12e3-499a-b684-44dee46bd182\",\"atomic_attack_name\":\"Bypass UAC using Fodhelper\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Reg Add Open Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.002\",\"atomic_attack_guid\":\"b6ec082c-7384-46b3-a111-9a9b8b14e5e7\",\"atomic_attack_name\":\"Enumeration for Credentials in Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Enumeration for Credentials in Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.002\",\"atomic_attack_guid\":\"af197fd7-e868-448e-9bd5-05d1bcd9d9e5\",\"atomic_attack_name\":\"Enumeration for PuTTY Credentials in Registry\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Enumeration for Credentials in Registry\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml\"},{\"rule_name\":\"Enumeration for 3rd Party Creds From CLI\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"336b25bf-4514-4684-8924-474974f28137\",\"atomic_attack_name\":\"CertUtil ExportPFX\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"290df60e-4b5d-4a5e-b0c7-dc5348ea0c86\",\"atomic_attack_name\":\"Export Certificates with Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1552.006\",\"atomic_attack_guid\":\"e9584f82-322c-474a-b831-940fd8b4455c\",\"atomic_attack_name\":\"GPP Passwords (Get-GPPPassword)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1553.003\",\"atomic_attack_guid\":\"e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675\",\"atomic_attack_name\":\"SIP (Subject Interface Package) Hijacking via Custom DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious 
Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1553.004\",\"atomic_attack_guid\":\"ca20a3f1-42b5-4e21-ad3f-1049199ec2e0\",\"atomic_attack_name\":\"Add Root Certificate to CurrentUser Certificate Store\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"c89becbe-1758-4e7d-a0f4-97d2188a23e3\",\"atomic_attack_name\":\"Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"8fd5a296-6772-4766-9991-ff4e92af7240\",\"atomic_attack_name\":\"Dump 
credentials from Windows Credential Manager With PowerShell [web Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"36753ded-e5c4-4eb5-bc3c-e8fba236878d\",\"atomic_attack_name\":\"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555\",\"atomic_attack_guid\":\"bc071188-459f-44d5-901a-f8f2625b2d2e\",\"atomic_attack_name\":\"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"8c05b133-d438-47ca-a630-19cc464c4622\",\"atomic_attack_name\":\"Run Chrome-password Collector\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"9a2915b3-3954-4cce-8c76-00fbf4dbd014\",\"atomic_attack_name\":\"LaZagne - Credentials from Browser\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - LaZagne Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"3d111226-d09a-4911-8715-fe11664f960d\",\"atomic_attack_name\":\"Simulating access to Chrome Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"28498c17-57e4-495a-b0be-cc1e36de408b\",\"atomic_attack_name\":\"Simulating access to Opera Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"eb8da98a-2e16-4551-b3dd-83de49baa14c\",\"atomic_attack_name\":\"Simulating access to Windows Firefox Login 
Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"a6a5ec26-a2d1-4109-9d35-58b867689329\",\"atomic_attack_name\":\"Simulating access to Windows Edge Login Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Browser Data Stealing\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"70422253-8198-4019-b617-6be401b49fce\",\"atomic_attack_name\":\"Dump Chrome Login Data with esentutl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1555.004\",\"atomic_attack_guid\":\"9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439\",\"atomic_attack_name\":\"Access Saved Credentials via VaultCmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Credential Manager Access via 
VaultCmd\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"8dd61a55-44c6-43cc-af0c-8bdda276860c\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with winrar\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Rar Usage with Password and Compression Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"01df0353-d531-408d-a0c5-3161bf822134\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with winzip\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Compress Data and Lock With Password for Exfiltration With WINZIP\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562\",\"atomic_attack_guid\":\"40075d5f-3a70-4c66-9125-f72bee87247d\",\"atomic_attack_name\":\"Windows Disable LSA Protection\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LSA PPL Protection Disabled Via Reg.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"811b3e76-c41b-430c-ac0d-e2380bfaa164\",\"atomic_attack_name\":\"Unload Sysmon Filter Driver\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Sysmon Driver Unloaded Via 
Fltmc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml\"},{\"rule_name\":\"Filter Driver Unloaded Via Fltmc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"695eed40-e949-40e5-b306-b4031e4154bd\",\"atomic_attack_name\":\"AMSI Bypass - AMSI InitFailed\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential AMSI Bypass Via .NET Reflection\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"a1230893-56ac-4c81-b644-2108e982f8f5\",\"atomic_attack_name\":\"Disable Arbitrary Security Windows Service\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service StartupType Change Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"aa875ed4-8935-47e2-b2c5-6ec00ab220d2\",\"atomic_attack_name\":\"Tamper with Windows Defender Command Prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service StartupType Change Via Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml\"},{\"rule_name\":\"Disable Windows Defender AV Security Monitoring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml\"},{\"rule_name\":\"Suspicious Windows Service 
Tampering\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"3d47daaa-2f56-43e0-94cc-caf5d8d52a68\",\"atomic_attack_name\":\"Remove Windows Defender Definition Files\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Defender Definition Files Removed\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297\",\"atomic_attack_name\":\"Uninstall Crowdstrike Falcon on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Uninstall Crowdstrike Falcon Sensor\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"24a12b91-05a7-4deb-8d7f-035fa98591bc\",\"atomic_attack_name\":\"Kill antimalware protected processes using Backstab\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"atomic_attack_guid\":\"66fb0bc1-3c3f-47e9-a298-550ecfefacbc\",\"atomic_attack_name\":\"Powershell Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"5c2571d0-1572-416d-9676-812e64ca9f44\",\"atomic_attack_name\":\"Registry dump of SAM, creds, and secrets\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"}],\"sigma_rules\":[{\"rule_name\":\"Dumping of Sensitive Hives Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"a90c2f4d-6726-444e-99d2-a00cd7c20480\",\"atomic_attack_name\":\"esentutl.exe SAM copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Esentutl SAM Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d372f928-ce4f-11eb-a762-acde48001122/\"}]},{\"tech_id\":\"T1003.002\",\"atomic_attack_guid\":\"eeb9751a-d598-42d3-b11c-c122d9c3f6c7\",\"atomic_attack_name\":\"dump volume shadow copy hives with certutil\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Potentially Suspicious CMD Shell Output Redirect\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy 
Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"File Encoded To Base64 Via Certutil.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml\"},{\"rule_name\":\"File In Suspicious Location Encoded To Base64 Via Certutil.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f\",\"atomic_attack_name\":\"Create Volume Shadow Copy with vssadmin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Creation of Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"c6237146-9ea6-4711-85c9-c56d263a6b03\",\"atomic_attack_name\":\"Copy NTDS.dit from Volume Shadow Copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy 
Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"Suspicious Process Patterns NTDS.DIT Exfil\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml\"},{\"rule_name\":\"Copy From VolumeShadowCopy Via Cmd.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"},{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"224f7de0-8f0a-4a94-b5d8-989b036c86da\",\"atomic_attack_name\":\"Create Volume Shadow Copy with WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"System Disk And Volume Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Creation of Shadow 
Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"d893459f-71f0-484d-9808-ec83b2b64226\",\"atomic_attack_name\":\"Create Volume Shadow Copy remotely with WMI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Creation Using Operating Systems Utilities\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"},{\"rule_name\":\"System Disk And Volume Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Creation of Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"21c7bf80-3e8b-40fa-8f9d-f5b194ff2865\",\"atomic_attack_name\":\"Create Volume Shadow Copy remotely (WMI) with esentutl\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"Suspicious Process Created Via 
Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Credential Dumping via Copy Command from Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"21748c28-2793-4284-9e07-d6d028b66702\",\"atomic_attack_name\":\"Create Symlink to Volume Shadow Copy\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"VolumeShadowCopy Symlink Creation Via Mklink\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml\"},{\"rule_name\":\"Sensitive File Access Via Volume Shadow Copy Backup\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml\"},{\"rule_name\":\"Shadow Copies Creation Using Operating Systems 
Utilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Credential Dumping via Symlink to Shadow Copy\",\"rule_link\":\"https://research.splunk.com/endpoint/c5eac648-fae0-4263-91a6-773df1f4c903/\"}]},{\"tech_id\":\"T1003.003\",\"atomic_attack_guid\":\"b385996c-0e7d-4e27-95a4-aca046b119a7\",\"atomic_attack_name\":\"Create Volume Shadow Copy with diskshadow\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Diskshadow Script Mode Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"},{\"rule_name\":\"Windows Diskshadow Proxy Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/\"}]},{\"tech_id\":\"T1003.004\",\"atomic_attack_guid\":\"55295ab0-a703-433b-9ca4-ae13807de12f\",\"atomic_attack_name\":\"Dumping LSA Secrets\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Psexec Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Attempted Credential Dump From Registry via Reg exe\",\"rule_link\":\"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/\"},{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1003.004\",\"atomic_attack_guid\":\"2dfa3bff-9a27-46db-ab75-7faefdaca732\",\"atomic_attack_name\":\"Dump Kerberos Tickets from LSA using dumper.ps1\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1003.006\",\"atomic_attack_guid\":\"129efd28-8497-4c87-a1b0-73b9a870ca3e\",\"atomic_attack_name\":\"DCSync (Active Directory)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"Operator Bloopers Cobalt Strike Commands\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"9bb45dd7-c466-4f93-83a1-be30e56033ee\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Subnet Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1016\",\"atomic_attack_guid\":\"34557863-344a-468f-808b-a1bfb89b4fa9\",\"atomic_attack_name\":\"DNS Server Discovery Using nslookup\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Network Reconnaissance Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Discovery Using ldap Nslookup\",\"rule_link\":\"https://research.splunk.com/endpoint/2418780f-7c3e-4c45-b8b4-996ea850cd49/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"85321a9c-897f-4a60-9f20-29788e50bccd\",\"atomic_attack_name\":\"Remote System Discovery - 
net\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Share And Session Enumeration Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote System Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"f1bf6c8f-9016-4edf-aff9-80b65f5d711f\",\"atomic_attack_name\":\"Remote System Discovery - net group Domain Computers\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"},{\"rule_name\":\"Remote System Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"52ab5108-3f6f-42fb-8ba3-73bc054f22c8\",\"atomic_attack_name\":\"Remote System Discovery - nltest\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Recon Activity Via 
Nltest.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml\"},{\"rule_name\":\"Nltest.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Controller Discovery with Nltest\",\"rule_link\":\"https://research.splunk.com/endpoint/41243735-89a7-4c83-bcdd-570aa78f00a1/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"a889f5be-2d54-4050-bd05-884578748bb4\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Computer Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"97e89d9e-e3f5-41b5-a90f-1e0825df0fdf\",\"atomic_attack_name\":\"Enumerate Active Directory Computers with Get-AdComputer\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"},{\"rule_name\":\"GetAdComputer with PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadcomputer_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad\",\"atomic_attack_name\":\"Get-WmiObject to Enumerate Domain Controllers\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetWmiObject Ds Computer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3/\"},{\"rule_name\":\"GetWmiObject Ds Computer with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"5843529a-5056-4bc1-9c13-a311e2af4ca0\",\"atomic_attack_name\":\"Remote System Discovery - net group Domain Controller\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Cisco 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"3386975b-367a-4fbb-9d77-4dcf3639ffd3\",\"atomic_attack_name\":\"Map admin share\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Windows Admin Share Mount Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml\"},{\"rule_name\":\"Windows Share Mount Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"0eb03d41-79e4-4393-8e57-6344856be1cf\",\"atomic_attack_name\":\"Copy and Execute File with PsExec\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Psexec Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1021.002\",\"atomic_attack_guid\":\"d41aaab5-bdfe-431d-a3d5-c29e9136ff46\",\"atomic_attack_name\":\"Execute command writing output to local Admin 
Share\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Redirection to Local Admin Share\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml\"},{\"rule_name\":\"HackTool - CrackMapExec Execution Patterns\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Impacket Lateral Movement Commandline Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/8ce07472-496f-11ec-ab3b-3e22fbd008af/\"}]},{\"tech_id\":\"T1021.003\",\"atomic_attack_guid\":\"6dc74eb1-c9d6-4c53-b3b5-6f50ae339673\",\"atomic_attack_name\":\"PowerShell Lateral Movement using MMC20\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Remote Process Instantiation via DCOM and PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/d4f42098-4680-11ec-ad07-3e22fbd008af/\"},{\"rule_name\":\"Remote Process Instantiation via DCOM and PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1021.004\",\"atomic_attack_guid\":\"280812c8-4dae-43e9-a74e-1d08ab997c0e\",\"atomic_attack_name\":\"ESXi - Enable SSH via VIM-CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1033\",\"atomic_attack_guid\":\"1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b\",\"atomic_attack_name\":\"GetCurrent User with PowerShell Script\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetCurrent User with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/7eb9c3d5-c98c-4088-acc5-8240bad15379/\"},{\"rule_name\":\"GetCurrent User with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getcurrent_user_with_powershell_script_block.yml\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Get Current User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"24136435-c91a-4ede-9da1-8b284a1c1a23\",\"atomic_attack_name\":\"Masquerading - wscript.exe running as svchost.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"LOL-Binary Copied From System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml\"},{\"rule_name\":\"Suspicious Copy From or To System 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Potential Defense Evasion Via Rename Of Highly Relevant Binaries\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml\"}],\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9\",\"atomic_attack_name\":\"Creating W32Time similar named service using schtasks\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Command Patterns In Scheduled Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Schtasks Creation Or Modification With SYSTEM Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"c107778c-dcf5-47c5-af2e-1d058a3df3ea\",\"atomic_attack_name\":\"WMI Reconnaissance Users\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Local Account Discovery With 
Wmic\",\"rule_link\":\"https://research.splunk.com/endpoint/4902d7aa-0134-11ec-9d65-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"0fd48ef7-d890-4e93-a533-f7dedd5191d3\",\"atomic_attack_name\":\"WMI Reconnaissance List Remote Services\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Service Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3\",\"atomic_attack_name\":\"WMI Execute Local Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"9c8ef159-c666-472f-9874-90c8d60d136b\",\"atomic_attack_name\":\"WMI Execute Remote Process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via 
Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"},{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"7db7a7f9-9531-4840-9b30-46220135441c\",\"atomic_attack_name\":\"Create a Process using WMI Query and an Encoded Command\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Base64 Encoded Invoke Keyword\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml\"},{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Suspicious PowerShell Parameter Substring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure 
Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"00738d2a-4651-4d76-adf2-c43a41dfb243\",\"atomic_attack_name\":\"WMI Execute rundll32\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml\"},{\"rule_name\":\"New Process Created Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"},{\"rule_name\":\"Windows WMI Process Call Create\",\"rule_link\":\"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/\"},{\"rule_name\":\"Remote Process Instantiation via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/\"}]},{\"tech_id\":\"T1047\",\"atomic_attack_guid\":\"c510d25b-1667-467d-8331-a56d3e9bc4ff\",\"atomic_attack_name\":\"Application uninstall using WMIC\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WMIC Remote Command Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml\"},{\"rule_name\":\"Application Removed Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml\"},{\"rule_name\":\"Potential Product 
Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}]},{\"tech_id\":\"T1048.002\",\"atomic_attack_guid\":\"1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0\",\"atomic_attack_name\":\"Exfiltrate data HTTPS using curl windows\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Curl Upload to Remote Destination\",\"rule_link\":\"https://research.splunk.com/endpoint/42f8f1a2-4228-11ec-aade-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1049\",\"atomic_attack_guid\":\"f069f0f1-baad-4831-aa2b-eddac4baac4a\",\"atomic_attack_name\":\"System Network Connections Discovery with PowerShell\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/e02af35c-1de5-4afe-b4be-f45aba57272b/\"},{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Use Get-NetTCPConnection - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"fec27f65-db86-4c2d-b66c-61945aee87c2\",\"atomic_attack_name\":\"Scheduled Task Startup Script\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Schtasks Schedule Type With High Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml\"},{\"rule_name\":\"Suspicious Command Patterns In Scheduled 
Task Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml\"},{\"rule_name\":\"Schtasks Creation Or Modification With SYSTEM Privileges\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml\"},{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"2e5eac3e-327b-4a88-a0c0-c4057039a8dd\",\"atomic_attack_name\":\"Scheduled task Remote\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scheduled Task Creation Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Schtasks Create Run As System\",\"rule_link\":\"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"atomic_attack_guid\":\"704333ca-cc12-4bcf-9916-101844881f54\",\"atomic_attack_name\":\"Scheduled Task (\\\"Ghost Task\\\") via Registry Key Manipulation\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Execution of Sysinternals 
Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055.001\",\"atomic_attack_guid\":\"8b56f787-73d9-4f1d-87e8-d07e89cbc7f5\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Potential WinAPI Calls Via CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1059\",\"atomic_attack_guid\":\"a9b93f17-31cb-435d-a462-5e838a2a6026\",\"atomic_attack_name\":\"AutoIt Script Execution\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows AutoIt3 Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/0ecb40d9-492b-4a57-9f87-515dd742794c/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"f3132740-55bc-48c4-bcc0-758a459cd027\",\"atomic_attack_name\":\"Mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious Nishang PowerShell Commandlets\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell 
Keywords\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"},{\"rule_name\":\"Recon Using WMI Class\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/recon_using_wmi_class.yml\"},{\"rule_name\":\"Detect Mimikatz With PowerShell Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\"},{\"rule_name\":\"Powershell Fileless Process Injection via 
GetProcAddress\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"06a220b6-7e29-4bd8-9d07-5b4d86742372\",\"atomic_attack_name\":\"Invoke-AppPathBypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - 
Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"388a7340-dbc1-4c9d-8e59-b75ad8c6d5da\",\"atomic_attack_name\":\"Powershell MsXml COM object - with prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell IEX Execution Patterns\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml\"},{\"rule_name\":\"Suspicious PowerShell Parameter Substring\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"},{\"rule_name\":\"Powershell MsXml COM Object\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"8a2ad40b-12c7-4b25-8521-2737b0a415af\",\"atomic_attack_name\":\"Powershell invoke mshta.exe download\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD 
Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"686a9785-f99b-41d4-90df-66ed515f81d7\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -Command parameter 
variations\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"1c0a870f-dc74-49cf-9afc-eccc45e58790\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"86a43bad-12e3-4e85-b97c-4d5cf25b95c3\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"0d181431-ddf3-4826-8055-2dbf63ae848b\",\"atomic_attack_name\":\"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Execution of Powershell with Base64\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory 
Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"6a5b2a50-d037-4879-bf01-43d4d6cbf73f\",\"atomic_attack_name\":\"SOAPHound - Dump BloodHound Data\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SOAPHound Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows SOAPHound Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"atomic_attack_guid\":\"4099086c-1470-4223-8085-8186e1ed5948\",\"atomic_attack_name\":\"SOAPHound - Build Cache\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SOAPHound Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows SOAPHound Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/\"},{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"1f454dd6-e134-44df-bebb-67de70fb6cd8\",\"atomic_attack_name\":\"Basic Permission Groups Discovery Windows (Local)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Get Local Groups 
Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Net Localgroup Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"e03ada14-0980-4107-aff1-7783b2b59bb1\",\"atomic_attack_name\":\"SharpHound3 - LocalAdmin\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect SharpHound Usage\",\"rule_link\":\"https://research.splunk.com/endpoint/dd04b29a-beed-11eb-87bc-acde48001122/\"},{\"rule_name\":\"Detect SharpHound Command-Line Arguments\",\"rule_link\":\"https://research.splunk.com/endpoint/a0bdd2f6-c2ff-11eb-b918-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"7413be50-be8e-430f-ad4d-07bf197884b2\",\"atomic_attack_name\":\"Wmic Group Discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Local Groups Reconnaissance Via Wmic.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Wmic Group 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/83317b08-155b-11ec-8e00-acde48001122/\"}]},{\"tech_id\":\"T1069.001\",\"atomic_attack_guid\":\"69119e58-96db-4110-ad27-954e48f3bb13\",\"atomic_attack_name\":\"WMIObject Group Discovery\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get WMIObject Group Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/5434f670-155d-11ec-8cca-acde48001122/\"},{\"rule_name\":\"Get WMIObject Group Discovery with Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Suspicious Get Local Groups Information - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7\",\"atomic_attack_name\":\"Permission Groups Discovery PowerShell (Domain)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"48ddc687-82af-40b7-8472-ff1e742e8274\",\"atomic_attack_name\":\"Adfind - Query Active Directory Groups\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8\",\"atomic_attack_name\":\"Enumerate Active Directory Groups with Get-AdGroup\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdGroup with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/872e3063-0fc4-4e68-b2f3-f2b99184a708/\"},{\"rule_name\":\"GetAdGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadgroup_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Group Enumeration With Get-AdGroup\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1069.002\",\"atomic_attack_guid\":\"43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8\",\"atomic_attack_name\":\"Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get ADUser with 
PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0b6ee3f4-04e3-11ec-a87d-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"ded937c4-2add-42f7-9c2c-c742b7a98698\",\"atomic_attack_name\":\"Delete an entire folder - Windows cmd\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"Directory Removal Via Rmdir\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml\"},{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Indicator Removal Via Rmdir\",\"rule_link\":\"https://research.splunk.com/endpoint/c4566d2c-b094-48a1-9c59-d66e22065560/\"}]},{\"tech_id\":\"T1070.004\",\"atomic_attack_guid\":\"f723d13d-48dc-4317-9990-cf43a9ac0bf2\",\"atomic_attack_name\":\"Clears Recycle bin via rd\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Recursive Delete of Directory In Batch CMD\",\"rule_link\":\"https://research.splunk.com/endpoint/ba570b3a-d356-11eb-8358-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}]},{\"tech_id\":\"T1071.004\",\"atomic_attack_guid\":\"e7bf9802-2e78-4db9-93b5-181b7bcd37d7\",\"atomic_attack_name\":\"DNS C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and 
Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1078.001\",\"atomic_attack_guid\":\"aa6cb8c4-b582-4f8e-b677-37733914abda\",\"atomic_attack_name\":\"Activate Guest Account\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Manipulation Of Default Accounts Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1078.003\",\"atomic_attack_guid\":\"6904235f-0f55-4039-8aed-41c300ff7733\",\"atomic_attack_name\":\"Use PsExec to elevate to NT Authority\\\\SYSTEM account\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Psexec 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml\"},{\"rule_name\":\"Potential Execution of Sysinternals Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect PsExec With accepteula Flag\",\"rule_link\":\"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"07b18a66-6304-47d2-bad0-ef421eb2e107\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Watson searching for missing windows patches\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"efb79454-1101-4224-a4d0-30c9c8b29ffc\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"5c16ceb4-ba3a-43d7-b848-a13c1f216d95\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Seatbelt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of 
Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"2040405c-eea6-4c1c-aef3-c2acc430fac9\",\"atomic_attack_name\":\"ESXi - VM Discovery using ESXCLI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1082\",\"atomic_attack_guid\":\"f89812e5-67d1-4f49-86fa-cbc6609ea86a\",\"atomic_attack_name\":\"ESXi - Darkside system information discovery\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1083\",\"atomic_attack_guid\":\"4a233a40-caf7-4cf1-890a-c6331bbc72cf\",\"atomic_attack_name\":\"ESXi - Enumerate VMDKs available on an ESXi Host\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"},{\"rule_name\":\"Cisco 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1087.001\",\"atomic_attack_guid\":\"a138085e-bfe5-46ba-a242-74a6fb884af3\",\"atomic_attack_name\":\"Enumerate logged on users via CMD (Local)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"System User Discovery With Query\",\"rule_link\":\"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}]},{\"tech_id\":\"T1087.001\",\"atomic_attack_guid\":\"9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c\",\"atomic_attack_name\":\"ESXi - Local Account Discovery via ESXCLI\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"},{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"6fbc9e68-5ad7-444a-bd11-8bf3136c477e\",\"atomic_attack_name\":\"Enumerate all accounts (Domain)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"161dcd85-d014-4f5e-900c-d3eaae82a0f7\",\"atomic_attack_name\":\"Enumerate logged on users via CMD (Domain)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"System User Discovery With Query\",\"rule_link\":\"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"e1ec8d20-509a-4b9a-b820-06c9b2da8eb7\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory User Objects\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef\",\"atomic_attack_name\":\"Enumerate Default Domain Admin Details (Domain)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Manipulation Of Default Accounts Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/339805ce-ac30-11eb-b87d-acde48001122/\"},{\"rule_name\":\"Domain Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/\"},{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"394012d9-2164-4d4f-b9e5-acf30ba933fe\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer 
all properties\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"6e85bdf9-7bc4-4259-ac0f-f0cb39964443\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1087.002\",\"atomic_attack_guid\":\"ffbcfd62-15d6-4989-a21a-80bfc8e58bb5\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"GetAdComputer with PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/\"}],\"sigma_rules\":[{\"rule_name\":\"Active Directory Computers Enumeration With 
Get-AdComputer\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1095\",\"atomic_attack_guid\":\"0268e63c-e244-42db-bef7-72a9e59fc1fc\",\"atomic_attack_name\":\"ICMP C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious DNS Z Flag Bit Set\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1095\",\"atomic_attack_guid\":\"3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e\",\"atomic_attack_name\":\"Powercat C2\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious Program Names\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Suspicious DNS Z Flag Bit Set\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"dd3b61dd-7bbc-48cd-ab51-49ad1a776df0\",\"atomic_attack_name\":\"certutil download 
(urlcache)\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious Download Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml\"},{\"rule_name\":\"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\",\"atomic_attack_name\":\"Windows - BITSAdmin BITS Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To An Uncommon Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via 
Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"BITSAdmin Download File\",\"rule_link\":\"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"42dc4460-9aa6-45d3-b1a6-3955d34e1fe8\",\"atomic_attack_name\":\"Windows - PowerShell Download\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell DownloadFile\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadFile\",\"rule_link\":\"https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"54a4daf1-71df-4383-9ba7-f1a295d8b6d2\",\"atomic_attack_name\":\"File Download via PowerShell\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"b1729c57-9384-4d1c-9b99-9b220afb384e\",\"atomic_attack_name\":\"Nimgrab - Transfer Files\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}],\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}]},{\"tech_id\":\"T1105\",\"atomic_attack_guid\":\"66ee226e-64cb-4dae-80e3-5bf5763e4a51\",\"atomic_attack_name\":\"Arbitrary file download using the Notepad++ GUP.exe binary\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious GUP Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"},{\"rule_name\":\"File Download Using Notepad++ GUP Utility\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_download.yml\"},{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"ce4e76e6-de70-4392-9efe-b281fc2b4087\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"7ec5b74e-8289-4ff2-a162-b6f286a33abd\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1106\",\"atomic_attack_guid\":\"e1f93a06-1649-4f07-89a8-f57279a7d60e\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1110.001\",\"atomic_attack_guid\":\"ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5\",\"atomic_attack_name\":\"ESXi - Brute Force Until Account Lockout\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1110.002\",\"atomic_attack_guid\":\"6d27df5d-69d4-4c91-bc33-5983ffe91692\",\"atomic_attack_name\":\"Password Cracking with Hashcat\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Hashcat Password Cracker Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"f3a6cceb-06c9-48e5-8df8-8867a6814245\",\"atomic_attack_name\":\"Change Powershell Execution Policy to Bypass\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1112\",\"atomic_attack_guid\":\"ecbd533e-b45d-4239-aeff-b857c6f6d68b\",\"atomic_attack_name\":\"Flush Shimcache\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"ShimCache Flush\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 Shimcache 
Flush\",\"rule_link\":\"https://research.splunk.com/endpoint/a913718a-25b6-11ec-96d3-acde48001122/\"}]},{\"tech_id\":\"T1114.001\",\"atomic_attack_guid\":\"3f1b5096-0139-4736-9b78-19bcb02bb1cb\",\"atomic_attack_name\":\"Email Collection with PowerShell Get-Inbox\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use Short Name Path in Command Line\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml\"},{\"rule_name\":\"Script Interpreter Execution From Suspicious Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml\"},{\"rule_name\":\"Suspicious Script Execution From Temp Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml\"},{\"rule_name\":\"Change PowerShell Policies to an Insecure Level\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml\"},{\"rule_name\":\"Powershell Local Email Collection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}]},{\"tech_id\":\"T1124\",\"atomic_attack_guid\":\"d5d5a6b0-0f92-42d8-985d-47aafa2dd4db\",\"atomic_attack_name\":\"System Time Discovery W32tm as a Delay\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Use of W32tm as Timer\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_w32tm.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Time Discovery W32tm 
Delay\",\"rule_link\":\"https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/\"}]},{\"tech_id\":\"T1129\",\"atomic_attack_guid\":\"7f843046-abf2-443f-b880-07a83cf968ec\",\"atomic_attack_name\":\"ESXi - Install a custom VIB on an ESXi host\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1134.002\",\"atomic_attack_guid\":\"ccf4ac39-ec93-42be-9035-90e2f26bcd92\",\"atomic_attack_name\":\"WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1134.005\",\"atomic_attack_guid\":\"6bef32e5-9456-4072-8f14-35566fb85401\",\"atomic_attack_name\":\"Injection SID-History with mimikatz\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"6657864e-0323-4206-9344-ac9cd7265a4f\",\"atomic_attack_name\":\"Create a new user in a command prompt\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"},{\"rule_name\":\"Net.EXE 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"fda74566-a604-4581-a4cc-fbbe21d66559\",\"atomic_attack_name\":\"Create a new Windows admin user\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"User Added to Local Administrators Group\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Net Localgroup Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/\"}]},{\"tech_id\":\"T1136.001\",\"atomic_attack_guid\":\"2170d9b5-bacd-4819-a952-da76dae0815f\",\"atomic_attack_name\":\"Create a new Windows admin user via .NET\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution 
Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1136.002\",\"atomic_attack_guid\":\"fcec2963-9951-4173-9bfa-98d8b7834e62\",\"atomic_attack_name\":\"Create a new Windows domain admin user\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Domain Group Discovery With 
Net\",\"rule_link\":\"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/\"},{\"rule_name\":\"Elevated Group Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/a23a0e20-0b1b-4a07-82e5-ec5f70811e7a/\"}]},{\"tech_id\":\"T1136.002\",\"atomic_attack_guid\":\"dc7726d2-8ccb-4cc6-af22-0d5afb53a548\",\"atomic_attack_name\":\"Create a new account similar to ANONYMOUS LOGON\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"},{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"},{\"rule_name\":\"Domain Account Discovery With Net App\",\"rule_link\":\"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/\"}]},{\"tech_id\":\"T1187\",\"atomic_attack_guid\":\"7f06b25c-799e-40f1-89db-999c9cc84317\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1195\",\"atomic_attack_guid\":\"82a9f001-94c5-495e-9ed5-f530dbded5e2\",\"atomic_attack_name\":\"Octopus Scanner Malware Open Source Supply Chain\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml\"},{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"},{\"rule_name\":\"Scheduled Task Creation Via 
Schtasks.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"3c73d728-75fb-4180-a12f-6712864d7421\",\"atomic_attack_name\":\"Bitsadmin Download (cmd)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To An Uncommon Target Folder\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via Bitsadmin\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"BITSAdmin Download File\",\"rule_link\":\"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"f63b8bc4-07e5-4112-acba-56f646f3f0bc\",\"atomic_attack_name\":\"Bitsadmin Download 
(PowerShell)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"PowerShell Start-BitsTransfer\",\"rule_link\":\"https://research.splunk.com/endpoint/39e2605a-90d8-11eb-899e-acde48001122/\"}]},{\"tech_id\":\"T1197\",\"atomic_attack_guid\":\"afb5e09e-e385-4dee-9a94-6ee60979d114\",\"atomic_attack_name\":\"Bits download using desktopimgdownldr.exe (cmd)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Desktopimgdownldr Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"CMD Carry Out String Command Parameter\",\"rule_link\":\"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/\"}]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"46c2c362-2679-4ef5-aec9-0e958e135be4\",\"atomic_attack_name\":\"Examine domain password policy - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"},{\"rule_name\":\"Suspicious Group And Account Reconnaissance Activity Using Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Password Policy Discovery with Net\",\"rule_link\":\"https://research.splunk.com/endpoint/09336538-065a-11ec-8665-acde48001122/\"}]},{\"tech_id\":\"T1201\",\"atomic_attack_guid\":\"b2698b33-984c-4a1c-93bb-e4ba72a0babb\",\"atomic_attack_name\":\"Enumerate Active Directory Password Policy with 
get-addefaultdomainpasswordpolicy\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Get ADDefaultDomainPasswordPolicy with Powershell\",\"rule_link\":\"https://research.splunk.com/endpoint/36e46ebe-065a-11ec-b4c7-acde48001122/\"},{\"rule_name\":\"Get ADDefaultDomainPasswordPolicy with Powershell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml\"}],\"sigma_rules\":[{\"rule_name\":\"Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml\"}]},{\"tech_id\":\"T1216\",\"atomic_attack_guid\":\"275d963d-3f36-476c-8bef-a2a3960ee6eb\",\"atomic_attack_name\":\"SyncAppvPublishingServer Signed Script PowerShell Command Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml\"},{\"rule_name\":\"SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows System Script Proxy Execution Syncappvpublishingserver\",\"rule_link\":\"https://research.splunk.com/endpoint/8dd73f89-682d-444c-8b41-8e679966ad3c/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"c426dacf-575d-4937-8611-a148a86a5e61\",\"atomic_attack_name\":\"mavinject - Inject DLL into running process\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Mavinject Inject DLL Into Running 
Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Binary Proxy Execution Mavinject DLL Injection\",\"rule_link\":\"https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"4cc40fd7-87b8-4b16-b2d7-57534b86b911\",\"atomic_attack_name\":\"Renamed Microsoft.Workflow.Compiler.exe Payload Executions\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Masquerading As SvcHost.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml\"},{\"rule_name\":\"Uncommon Svchost Parent Process\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml\"},{\"rule_name\":\"System File Execution Location Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"}]},{\"tech_id\":\"T1218\",\"atomic_attack_guid\":\"0e1483ba-8f0c-425d-b8c6-42736e058eaa\",\"atomic_attack_name\":\"DiskShadow Command 
Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Diskshadow Script Mode Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml\"},{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Diskshadow Proxy Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"5cb87818-0d7c-4469-b7ef-9224107aebe8\",\"atomic_attack_name\":\"Compiled HTML Help Local Payload\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"0f8af516-9818-4172-922b-42986ef1e81d\",\"atomic_attack_name\":\"Compiled HTML Help Remote Payload\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"},{\"rule_name\":\"Remote CHM File Download/Execution Via HH.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"},{\"rule_name\":\"Detect HTML Help URL 
in Command Line\",\"rule_link\":\"https://research.splunk.com/endpoint/8c5835b9-39d9-438b-817c-95f14c69a31e/\"}]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"15756147-7470-4a83-87fb-bb5662526247\",\"atomic_attack_name\":\"Invoke CHM Shortcut Command with ITS and Help Topic\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Malicious PowerShell Process - Execution Policy Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1218.001\",\"atomic_attack_guid\":\"20cb05e0-1fa5-406d-92c1-84da4ba01813\",\"atomic_attack_name\":\"Decompile Local CHM File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml\"},{\"rule_name\":\"Suspicious HH.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"System Processes Run From Unexpected Locations\",\"rule_link\":\"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/\"},{\"rule_name\":\"Windows System Binary Proxy Execution Compiled HTML File Decompile\",\"rule_link\":\"https://research.splunk.com/endpoint/2acf0e19-4149-451c-a3f3-39cd3c77e37d/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d\",\"atomic_attack_name\":\"Msiexec.exe - Execute the DllRegisterServer function of a DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Msiexec Execute Arbitrary DLL\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec 
DLLRegisterServer\",\"rule_link\":\"https://research.splunk.com/endpoint/fdb59aef-d88f-4909-8369-ec2afbd2c398/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"ab09ec85-4955-4f9c-b8e0-6851baf4d47f\",\"atomic_attack_name\":\"Msiexec.exe - Execute the DllUnregisterServer function of a DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DllUnregisterServer Function Call Via Msiexec.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec Unregister DLLRegisterServer\",\"rule_link\":\"https://research.splunk.com/endpoint/a27db3c5-1a9a-46df-a577-765d3f1a3c24/\"}]},{\"tech_id\":\"T1218.007\",\"atomic_attack_guid\":\"44a4bedf-ffe3-452e-bee4-6925ab125662\",\"atomic_attack_name\":\"Msiexec.exe - Execute Remote MSI file\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Msiexec Quiet Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml\"},{\"rule_name\":\"Suspicious Msiexec Quiet Install From Remote Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MSIExec Remote Download\",\"rule_link\":\"https://research.splunk.com/endpoint/6aa49ff2-3c92-4586-83e0-d83eb693dfda/\"}]},{\"tech_id\":\"T1218.008\",\"atomic_attack_guid\":\"2430498b-06c0-4b92-a448-8ad263c388e2\",\"atomic_attack_name\":\"Odbcconf.exe - Execute Arbitrary DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New DLL Registered Via Odbcconf.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Odbcconf 
Hunting\",\"rule_link\":\"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/\"},{\"rule_name\":\"Windows Odbcconf Load DLL\",\"rule_link\":\"https://research.splunk.com/endpoint/141e7fca-a9f0-40fd-a539-9aac8be41f1b/\"}]},{\"tech_id\":\"T1218.008\",\"atomic_attack_guid\":\"331ce274-f9c9-440b-9f8c-a1006e1fce0b\",\"atomic_attack_name\":\"Odbcconf.exe - Load Response File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Response File Execution Via Odbcconf.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Odbcconf Load Response File\",\"rule_link\":\"https://research.splunk.com/endpoint/1acafff9-1347-4b40-abae-f35aa4ba85c1/\"},{\"rule_name\":\"Windows Odbcconf Hunting\",\"rule_link\":\"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"449aa403-6aba-47ce-8a37-247d21ef0306\",\"atomic_attack_name\":\"Regsvr32 local COM scriptlet execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Potential Regsvr32 Commandline Flag Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Regsvr32 Application Control Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36\",\"atomic_attack_name\":\"Regsvr32 remote COM scriptlet execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned 
Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Potential Regsvr32 Commandline Flag Anomaly\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml\"},{\"rule_name\":\"Potentially Suspicious Regsvr32 HTTP/FTP Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Regsvr32 Application Control Bypass\",\"rule_link\":\"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.010\",\"atomic_attack_guid\":\"1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421\",\"atomic_attack_name\":\"Regsvr32 Registering Non DLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Scripting/CommandLine Process Spawned Regsvr32\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml\"},{\"rule_name\":\"Regsvr32 DLL Execution With Suspicious File Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml\"},{\"rule_name\":\"Regsvr32 Execution From Potential Suspicious Location\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml\"},{\"rule_name\":\"Regsvr32 DLL Execution With Uncommon Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Suspicious Regsvr32 Register Suspicious 
Path\",\"rule_link\":\"https://research.splunk.com/endpoint/62732736-6250-11eb-ae93-0242ac130002/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"32d1cf1b-cbc2-4c09-8d05-07ec5c83a821\",\"atomic_attack_name\":\"Rundll32 execute VBscript command using Ordinal number\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Wscript Shell Run In CommandLine\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml\"},{\"rule_name\":\"DLL Call by Ordinal Via Rundll32.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml\"},{\"rule_name\":\"Mshtml.DLL RunHTMLApplication Suspicious Usage\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"RunDLL Loading DLL By Ordinal\",\"rule_link\":\"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"d91cae26-7fc1-457b-a854-34c8aad48c89\",\"atomic_attack_name\":\"Rundll32 advpack.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - 
advpack\",\"rule_link\":\"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"5e46a58e-cbf6-45ef-a289-ed7754603df9\",\"atomic_attack_name\":\"Rundll32 ieadvpack.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - advpack\",\"rule_link\":\"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"41fa324a-3946-401e-bbdd-d7991c628125\",\"atomic_attack_name\":\"Rundll32 syssetup.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - syssetup\",\"rule_link\":\"https://research.splunk.com/endpoint/71b9bf37-cde1-45fb-b899-1b0aa6fa1183/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"71d771cd-d6b3-4f34-bc76-a63d47a10b19\",\"atomic_attack_name\":\"Rundll32 setupapi.dll Execution\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Rundll32 Application Control Bypass - setupapi\",\"rule_link\":\"https://research.splunk.com/endpoint/61e7b44a-6088-4f26-b788-9a96ba13b37a/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"ae3a8605-b26e-457c-b6b3-2702fd335bac\",\"atomic_attack_name\":\"Execution of non-dll using 
rundll32.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Rundll32 Execution With Image Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml\"},{\"rule_name\":\"Potentially Suspicious PowerShell Child Processes\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml\"},{\"rule_name\":\"Rundll32 Execution With Uncommon DLL Extension\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"},{\"rule_name\":\"Suspicious Rundll32 StartW\",\"rule_link\":\"https://research.splunk.com/endpoint/9319dda5-73f2-4d43-a85a-67ce961bddb7/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"9fd5a74b-ba89-482a-8a3e-a5feaa3697b0\",\"atomic_attack_name\":\"Rundll32 with Ordinal Value\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"DLL Call by Ordinal Via Rundll32.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml\"}],\"splunk_rules\":[{\"rule_name\":\"RunDLL Loading DLL By Ordinal\",\"rule_link\":\"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/\"}]},{\"tech_id\":\"T1218.011\",\"atomic_attack_guid\":\"e4c04b6f-c492-4782-82c7-3bf75eb8077e\",\"atomic_attack_name\":\"Rundll32 with Control_RunDLL\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Rundll32 
Activity\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Rundll32 Control RunDLL Hunt\",\"rule_link\":\"https://research.splunk.com/endpoint/c8e7ced0-10c5-11ec-8b03-acde48001122/\"}]},{\"tech_id\":\"T1219\",\"atomic_attack_guid\":\"6b8b7391-5c0a-4f8c-baee-78d8ce0ce330\",\"atomic_attack_name\":\"AnyDesk Files Detected Test on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}]},{\"tech_id\":\"T1219\",\"atomic_attack_guid\":\"1b72b3bd-72f8-4b63-a30b-84e91b9c3578\",\"atomic_attack_name\":\"GoToAssist Files Detected Test on Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"Suspicious Invoke-WebRequest 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell\",\"rule_link\":\"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/\"}]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory OUs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Renamed AdFind Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows AdFind Exe\",\"rule_link\":\"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/\"}]},{\"tech_id\":\"T1482\",\"atomic_attack_guid\":\"ea1b4f2d-5b82-4006-b64f-f2845608a3bf\",\"atomic_attack_name\":\"TruffleSnout - Listing AD Infrastructure\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"476419b5-aebf-4366-a131-ae3e8dae5fc2\",\"atomic_attack_name\":\"Windows - Overwrite file with SysInternals SDelete\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1485\",\"atomic_attack_guid\":\"1207ddff-f25b-41b3-aa0e-7c26d2b546d1\",\"atomic_attack_name\":\"ESXi - Delete VM Snapshots\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1491.001\",\"atomic_attack_guid\":\"30905f21-34f3-4504-8b4c-f7a5e314b810\",\"atomic_attack_name\":\"ESXi - Change Welcome Message on Direct Console User Interface (DCUI)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1505.004\",\"atomic_attack_guid\":\"53adbdfa-8200-490c-871c-d3b1ab3324b2\",\"atomic_attack_name\":\"Install IIS Module using AppCmd.exe\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"IIS Native-Code Module 
Command Line Installation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows IIS Components Add New Module\",\"rule_link\":\"https://research.splunk.com/endpoint/38fe731c-1f13-43d4-b878-a5bbe44807e3/\"}]},{\"tech_id\":\"T1518.001\",\"atomic_attack_guid\":\"e31564c8-4c60-40cd-a8f4-9261307e8336\",\"atomic_attack_name\":\"Get Windows Defender exclusion settings using WMIC\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Remote WMI Command Attempt\",\"rule_link\":\"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"987c9b4d-a637-42db-b1cb-e9e242c3991b\",\"atomic_attack_name\":\"ESXi - Terminates VMs using pkill\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"189f7d6e-9442-4160-9bc3-5e4104d93ece\",\"atomic_attack_name\":\"ESXi - Avoslocker enumerates VMs and forcefully kills VMs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with 
Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1529\",\"atomic_attack_guid\":\"622cc1a0-45e7-428c-aed7-c96dd605fbe6\",\"atomic_attack_name\":\"ESXi - vim-cmd Used to Power Off VMs\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Tunneling Tool Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Protocol Tunneling with Plink\",\"rule_link\":\"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/\"}]},{\"tech_id\":\"T1531\",\"atomic_attack_guid\":\"1b99ef28-f83c-4ec5-8a08-1a56263a5bb2\",\"atomic_attack_name\":\"Change User Password - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Net.EXE Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1531\",\"atomic_attack_guid\":\"f21a1d7d-a62f-442a-8c3a-2440d43b19e5\",\"atomic_attack_name\":\"Delete User - Windows\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New User Created Via Net.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Network Connection Discovery With Net\",\"rule_link\":\"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/\"}]},{\"tech_id\":\"T1543.003\",\"atomic_attack_guid\":\"fb4151a2-db33-4f8c-b7f8-78ea8790f961\",\"atomic_attack_name\":\"Remote Service Installation CMD\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"New Service Creation Using 
Sc.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml\"},{\"rule_name\":\"Suspicious New Service Creation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Service Creation on Remote Endpoint\",\"rule_link\":\"https://research.splunk.com/endpoint/e0eea4fa-4274-11ec-882b-3e22fbd008af/\"},{\"rule_name\":\"Windows Service Initiation on Remote Endpoint\",\"rule_link\":\"https://research.splunk.com/endpoint/3f519894-4276-11ec-ab02-3e22fbd008af/\"},{\"rule_name\":\"Windows Remote Create Service\",\"rule_link\":\"https://research.splunk.com/endpoint/0dc44d03-8c00-482d-ba7c-796ba7ab18c9/\"}]},{\"tech_id\":\"T1546.003\",\"atomic_attack_guid\":\"29786d7e-8916-4de6-9c55-be7b093b2706\",\"atomic_attack_name\":\"Windows MOFComp.exe Load MOF File\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Suspicious Mofcomp Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows MOF Event Triggered Execution via WMI\",\"rule_link\":\"https://research.splunk.com/endpoint/e59b5a73-32bf-4467-a585-452c36ae10c1/\"}]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"f7a35090-6f7f-4f64-bb47-d657bf5b10c1\",\"atomic_attack_name\":\"Bypass UAC by Mocking Trusted Directories\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Copy From or To System Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}]},{\"tech_id\":\"T1548.002\",\"atomic_attack_guid\":\"2b61977b-ae2d-4ae4-89cb-5c36c89586be\",\"atomic_attack_name\":\"WinPwn - UAC Bypass DccwBypassUAC technique\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1550.002\",\"atomic_attack_guid\":\"ec23cef9-27d9-46e4-a68d-6f75f7b86908\",\"atomic_attack_name\":\"Mimikatz Pass the Hash\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz 
Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Mimikatz Binary Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/\"}]},{\"tech_id\":\"T1550.003\",\"atomic_attack_guid\":\"dbf38128-7ba7-4776-bedf-cc2eed432098\",\"atomic_attack_name\":\"Mimikatz Kerberos Ticket Attack\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - Mimikatz Execution\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Mimikatz PassTheTicket CommandLine Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/13bbd574-83ac-11ec-99d4-acde48001122/\"}]},{\"tech_id\":\"T1552.001\",\"atomic_attack_guid\":\"b0cdacf6-8949-4ffe-9274-a9643a788e55\",\"atomic_attack_name\":\"List Credential Files via Command Prompt\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1552.004\",\"atomic_attack_guid\":\"520ce462-7ca7-441e-b5a5-f8347f632696\",\"atomic_attack_name\":\"Private Keys\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Private Keys Reconnaissance Via CommandLine Tools\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml\"},{\"rule_name\":\"File And SubFolder Enumeration Via Dir Command\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Private Keys 
Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/5c1c2877-06c0-40ee-a1a2-db71f1372b5b/\"}]},{\"tech_id\":\"T1552.006\",\"atomic_attack_guid\":\"870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f\",\"atomic_attack_name\":\"GPP Passwords (findstr)\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Password Reconnaissance Via Findstr.EXE\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml\"},{\"rule_name\":\"Findstr GPP Passwords\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"},{\"rule_name\":\"Windows Findstr GPP Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/1631ac2d-f2a9-42fa-8a59-d6e210d472f5/\"}]},{\"tech_id\":\"T1555.003\",\"atomic_attack_guid\":\"e5e3d639-6ea8-4408-9ecd-d5a286268ca0\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1555.004\",\"atomic_attack_guid\":\"fa714db1-63dd-479e-a58e-7b2b52ca5997\",\"atomic_attack_name\":\"WinPwn - Loot local Credentials - Invoke-WCMDump\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell 
Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"14625569-6def-4497-99ac-8e7817105b55\",\"atomic_attack_name\":\"Rubeus kerberoast\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Rubeus Command Line Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"e6f4affd-d826-4871-9a62-6c9004b8fe06\",\"atomic_attack_name\":\"Extract all accounts in use as SPN using setspn\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"ServicePrincipalNames Discovery with SetSPN\",\"rule_link\":\"https://research.splunk.com/endpoint/ae8b3efc-2d2e-11ec-8b57-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.003\",\"atomic_attack_guid\":\"29094950-2c96-4cbd-b5e4-f7c65079678f\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - 
ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1558.004\",\"atomic_attack_guid\":\"615bd568-2859-41b5-9aed-61f6a88e48dd\",\"atomic_attack_name\":\"Rubeus asreproast\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Rubeus Command Line Parameters\",\"rule_link\":\"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/\"},{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path 
Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1558.004\",\"atomic_attack_guid\":\"8c385f88-4d47-4c9a-814d-93d9deec8c71\",\"atomic_attack_name\":\"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Download and Execution Cradles\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"PowerShell Web Download\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Any Powershell 
DownloadString\",\"rule_link\":\"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/\"}]},{\"tech_id\":\"T1560.001\",\"atomic_attack_guid\":\"d1334303-59cb-4a03-8313-b3e24d02c198\",\"atomic_attack_name\":\"Compress Data and lock with password for Exfiltration with 7zip\",\"platform\":\"Windows\",\"splunk_rules\":[{\"rule_name\":\"Windows Password Managers Discovery\",\"rule_link\":\"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1562.001\",\"atomic_attack_guid\":\"871438ac-7d6e-432a-b27d-3e7db69faf58\",\"atomic_attack_name\":\"Disable Windows Defender with DISM\",\"platform\":\"Windows\",\"sigma_rules\":[{\"rule_name\":\"Dism Remove Online Package\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows DISM Remove Defender\",\"rule_link\":\"https://research.splunk.com/endpoint/8567da9e-47f0-11ec-99a9-acde48001122/\"}]},{\"tech_id\":\"T1001.002\",\"atomic_attack_guid\":\"4ff61684-ad91-405c-9fbc-048354ff1d07\",\"atomic_attack_name\":\"Execute Embedded Script in Image via Steganography\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Linux Base64 Encoded Pipe to Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml\"},{\"rule_name\":\"Linux Shell Pipe to Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"7e91138a-8e74-456d-a007-973d67a0bb80\",\"atomic_attack_name\":\"Dump individual process memory with sh (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive 
Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"fa37b633-e097-4415-b2b8-c5bf4c86e423\",\"atomic_attack_name\":\"Dump individual process memory with sh on FreeBSD (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"437b2003-a20d-4ed8-834c-4964f24eec63\",\"atomic_attack_name\":\"Dump individual process memory with Python (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.008\",\"atomic_attack_guid\":\"3723ab77-c546-403c-8fb4-bb577033b235\",\"atomic_attack_name\":\"Access /etc/shadow (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.008\",\"atomic_attack_guid\":\"60e860b6-8ae6-49db-ad07-5e73edd88f5d\",\"atomic_attack_name\":\"Access /etc/passwd (Local)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"158bd4dd-6359-40ab-b13c-285b9ef6fa25\",\"atomic_attack_name\":\"Remote System Discovery - ip neighbour\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - Linux\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"atomic_attack_guid\":\"1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1\",\"atomic_attack_name\":\"Remote System Discovery - ip route\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"System Network Discovery - Linux\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.001\",\"atomic_attack_guid\":\"ffe2346c-abd5-4b45-a713-bf5f1ebd573a\",\"atomic_attack_name\":\"Pad Binary to Change Hash - Linux/macOS dd\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.002\",\"atomic_attack_guid\":\"11c46cd8-e471-450e-acb8-52a1216ae6a4\",\"atomic_attack_name\":\"Binary simply packed by UPX (linux)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.002\",\"atomic_attack_guid\":\"f06197f8-ff46-48c2-a0c6-afc1b50665e1\",\"atomic_attack_name\":\"Binary packed by UPX, with modified headers (linux)\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1030\",\"atomic_attack_guid\":\"ab936c51-10f4-46ce-9144-e02137b2016a\",\"atomic_attack_name\":\"Data Transfer Size Limits\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"atomic_attack_guid\":\"a315bfff-7a98-403b-b442-2ea1b255e556\",\"atomic_attack_name\":\"Masquerading as FreeBSD or Linux crond process.\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"f0e3aaea-5cd9-4db6-a077-631dd19b27a8\",\"atomic_attack_name\":\"linux rename /proc/pid/comm using prctl\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious 
Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.004\",\"atomic_attack_guid\":\"ad4b73c2-d6e2-4d8b-9868-4c6f55906e01\",\"atomic_attack_name\":\"Hiding a malicious process with bind mounts\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"7fe741f7-b265-4951-a7c7-320889083b3e\",\"atomic_attack_name\":\"Packet Capture Linux using tshark or tcpdump\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"c93f2492-9ebe-44b5-8b45-36574cccfe67\",\"atomic_attack_name\":\"Packet Capture FreeBSD using tshark or tcpdump\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.007\",\"atomic_attack_guid\":\"a27418de-bdce-4ebd-b655-38f04842bf0c\",\"atomic_attack_name\":\"Capture Passwords with MimiPenguin\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su 
Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1005\",\"atomic_attack_guid\":\"00cbb875-7ae4-4cf1-b638-e543fd825300\",\"atomic_attack_name\":\"Find and dump sqlite databases (Linux)\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1014\",\"atomic_attack_guid\":\"dfb50072-e45a-4c75-a17e-a484809c8553\",\"atomic_attack_name\":\"Loadable Kernel Module based Rootkit\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"},{\"rule_name\":\"Linux Insert Kernel Module Using Insmod Utility\",\"rule_link\":\"https://research.splunk.com/endpoint/18b5a1a0-6326-11ec-943a-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1014\",\"atomic_attack_guid\":\"75483ef8-f10f-444a-bf02-62eb0e48db6f\",\"atomic_attack_name\":\"Loadable Kernel Module based Rootkit\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1027\",\"atomic_attack_guid\":\"f45df6be-2e1e-4136-a384-8f18ab3826fb\",\"atomic_attack_name\":\"Decode base64 Data into Script\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation 
Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}]},{\"tech_id\":\"T1036.005\",\"atomic_attack_guid\":\"812c3ab8-94b0-4698-a9bf-9420af23ce24\",\"atomic_attack_name\":\"Execute a process from a directory masquerading as the current parent directory.\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Windows Command and Scripting Interpreter Hunting Path Traversal\",\"rule_link\":\"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1036.006\",\"atomic_attack_guid\":\"b95ce2eb-a093-4cd8-938d-5258cef656ea\",\"atomic_attack_name\":\"Space After Filename\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1037.004\",\"atomic_attack_guid\":\"c33f3d80-5f04-419b-a13a-854d1cbdbf3a\",\"atomic_attack_name\":\"rc.common\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1037.004\",\"atomic_attack_guid\":\"126f71af-e1c9-405c-94ef-26a47b16c102\",\"atomic_attack_name\":\"rc.local\",\"platform\":\"Linux\",\"splunk_rules\":[{\"rule_name\":\"Linux Common Process For Elevation Control\",\"rule_link\":\"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/\"}],\"sigma_rules\":[]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"e2028771-1bfb-48f5-b5e6-e50ee0942a14\",\"atomic_attack_name\":\"Packet Capture FreeBSD using /dev/bpfN with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive 
Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"a3a0d4c9-c068-4563-a08d-583bd05b884c\",\"atomic_attack_name\":\"Filtered Packet Capture FreeBSD using /dev/bpfN with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Bash Interactive Shell\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"10c710c9-9104-4d5f-8829-5b65391e2a29\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"7a0895f0-84c1-4adf-8491-a21510b1d4c1\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su 
Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"515575ab-d213-42b1-aa64-ef6a2dd4641b\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1040\",\"atomic_attack_guid\":\"b1cbdf8b-6078-48f5-a890-11ea19d7f8e9\",\"atomic_attack_name\":\"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\",\"platform\":\"Linux\",\"sigma_rules\":[{\"rule_name\":\"Execution Of Script Located In Potentially Suspicious Directory\",\"rule_link\":\"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Linux Sudo OR Su Execution\",\"rule_link\":\"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/\"}]},{\"tech_id\":\"T1033\",\"test_number\":3,\"atomic_attack_guid\":\"29857f27-a36f-4f7e-8084-4557cd6207ca\",\"atomic_attack_name\":\"Find computers where user has session - Stealth mode (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":4,\"atomic_attack_guid\":\"dcb6cdee-1fb0-4087-8bf8-88cfd136ba51\",\"atomic_attack_name\":\"User Discovery With Env Vars PowerShell Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Get Current User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml\"},{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":6,\"atomic_attack_guid\":\"3d257a03-eb80-41c5-b744-bb37ac7f65c7\",\"atomic_attack_name\":\"System Discovery - SocGholish whoami\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts 
Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"},{\"rule_name\":\"Enumerate All Information With Whoami.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1033\",\"test_number\":7,\"atomic_attack_guid\":\"ba38e193-37a6-4c41-b214-61b33277fe36\",\"atomic_attack_name\":\"System Owner/User Discovery Using Command Prompt\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Whoami Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"User Discovery With Env Vars PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml\"}]},{\"tech_id\":\"T1003\",\"test_number\":2,\"atomic_attack_guid\":\"9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6\",\"atomic_attack_name\":\"Credential Dumping with NPPSpy\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Credential Dumping Attempt Using New NetworkProvider - 
CLI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":3,\"atomic_attack_guid\":\"7ae7102c-a099-45c8-b985-4c7a2d05790d\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using direct system calls and API unhooking\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":5,\"atomic_attack_guid\":\"dea6c349-f1c6-44f3-87a1-1ed33a59a607\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using Windows Task Manager\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":7,\"atomic_attack_guid\":\"c37bc535-5c62-4195-9cc3-0517673171d8\",\"atomic_attack_name\":\"LSASS read with pypykatz\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":8,\"atomic_attack_guid\":\"6502c8f0-b775-4dbd-9193-1298f56b6781\",\"atomic_attack_name\":\"Dump LSASS.exe Memory using Out-Minidump.ps1\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz 
Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":11,\"atomic_attack_guid\":\"9d0072c8-7cca-45c4-bd14-f852cfa35cf0\",\"atomic_attack_name\":\"Dump LSASS with createdump.exe from .Net v5\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"LSASS Dump Keyword In CommandLine\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Renamed CreateDump Utility Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1003.001\",\"test_number\":13,\"atomic_attack_guid\":\"47a539d1-61b9-4364-bf49-a68bc2a95ef0\",\"atomic_attack_name\":\"Dump LSASS.exe using lolbin rdrleakdiag.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get-Process LSASS in ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml\"},{\"rule_name\":\"Mimikatz Use\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\"},{\"rule_name\":\"LSASS Dump Keyword In 
CommandLine\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml\"},{\"rule_name\":\"Process Memory Dump via RdrLeakDiag.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Create Remote Thread into LSASS\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/create_remote_thread_into_lsass.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":6,\"atomic_attack_guid\":\"9d77fed7-05f8-476e-a81b-8ff0472c64d0\",\"atomic_attack_name\":\"dump volume shadow copy hives with System.IO.File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Copying Sensitive Files with Credential Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml\"},{\"rule_name\":\"PowerShell SAM Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Detect Copy of ShadowCopy with Script Block Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":7,\"atomic_attack_guid\":\"0c0f5f06-166a-4f4d-bb4a-719df9a01dbb\",\"atomic_attack_name\":\"WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Detect Copy of ShadowCopy with Script Block 
Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1003.002\",\"test_number\":8,\"atomic_attack_guid\":\"21df41be-cdd8-4695-a650-c3981113aa3c\",\"atomic_attack_name\":\"Dumping of SAM, creds, and secrets(Reg Export)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Dumping of Sensitive Hives Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1005\",\"test_number\":1,\"atomic_attack_guid\":\"d3d9af44-b8ad-4375-8b0a-4bff4b7e419c\",\"atomic_attack_name\":\"Search files of interest and save them to a single zip file (Windows)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1006\",\"test_number\":1,\"atomic_attack_guid\":\"88f6327e-51ec-4bbf-b2e8-3fea534eab8b\",\"atomic_attack_name\":\"Read volume boot sector via DOS device path (PowerShell)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Defense Evasion Via Raw Disk Access By Uncommon Tools\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1012\",\"test_number\":1,\"atomic_attack_guid\":\"8f7578c4-9863-4d83-875c-a565573bbdf0\",\"atomic_attack_name\":\"Query Registry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Configuration And Service Reconnaissance Via 
Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"test_number\":2,\"atomic_attack_guid\":\"038263cb-00f4-4b0a-98ae-0696c67e1752\",\"atomic_attack_name\":\"List Windows Firewall Rules\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Firewall Configuration Discovery Via Netsh.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1016\",\"test_number\":7,\"atomic_attack_guid\":\"121de5c6-5818-4868-b8a7-8fd07c455c1b\",\"atomic_attack_name\":\"Qakbot Recon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Network Command\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":5,\"atomic_attack_guid\":\"2d5a61f5-0447-4be4-944a-1f8530ed6574\",\"atomic_attack_name\":\"Remote System Discovery - arp\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":8,\"atomic_attack_guid\":\"baa01aaa-5e13-45ec-8a0d-e46c93c9760f\",\"atomic_attack_name\":\"Remote System Discovery - nslookup\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Suspicious Scan Loop 
Network\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":9,\"atomic_attack_guid\":\"95e19466-469e-4316-86d2-1dc401b5a959\",\"atomic_attack_name\":\"Remote System Discovery - adidnsdump\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":11,\"atomic_attack_guid\":\"5838c31e-a0e2-4b9f-b60a-d79d2cb7995e\",\"atomic_attack_name\":\"Adfind - Enumerate Active Directory Domain Controller Objects\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":16,\"atomic_attack_guid\":\"962a6017-1c09-45a6-880b-adc9c57cb22e\",\"atomic_attack_name\":\"Enumerate domain computers within Active Directory using DirectorySearcher\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"DirectorySearcher Powershell Exploitation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml\"},{\"rule_name\":\"Renamed AdFind 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml\"},{\"rule_name\":\"PUA - AdFind Suspicious Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1018\",\"test_number\":19,\"atomic_attack_guid\":\"b9d2e8ca-5520-4737-8076-4f08913da2c4\",\"atomic_attack_name\":\"Get-DomainController with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainComputer with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml\"},{\"rule_name\":\"Windows PowerView Unconstrained Delegation Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml\"},{\"rule_name\":\"GetDomainController with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1020\",\"test_number\":1,\"atomic_attack_guid\":\"9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0\",\"atomic_attack_name\":\"IcedID Botnet HTTP PUT\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Script With File Upload 
Capabilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1020\",\"test_number\":2,\"atomic_attack_guid\":\"5b380e96-b0ef-4072-8a8e-f194cb9eb9ac\",\"atomic_attack_name\":\"Exfiltration via Encrypted FTP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Script With File Upload Capabilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"test_number\":1,\"atomic_attack_guid\":\"355d4632-8cb9-449d-91ce-b566d0253d3e\",\"atomic_attack_name\":\"RDP to DomainController\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"},{\"rule_name\":\"New Remote Desktop Connection Initiated Via Mstsc.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.001\",\"test_number\":2,\"atomic_attack_guid\":\"2f840dd4-8a2e-4f44-beb3-6b2399ea3771\",\"atomic_attack_name\":\"Changing RDP Port to Non Standard Port via Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Publicly Accessible RDP Service\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Allow Inbound Traffic In Firewall 
Rule\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml\"}]},{\"tech_id\":\"T1021.002\",\"test_number\":2,\"atomic_attack_guid\":\"514e9cd7-9207-4882-98b1-c8f791bae3c5\",\"atomic_attack_name\":\"Map Admin Share PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious New-PSDrive to Admin Share\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.006\",\"test_number\":1,\"atomic_attack_guid\":\"9059e8de-3d7d-4954-a322-46161880b9cf\",\"atomic_attack_name\":\"Enable Windows Remote Management\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Enable Windows Remote Management\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1021.006\",\"test_number\":2,\"atomic_attack_guid\":\"5295bd61-bd7e-4744-9d52-85962a4cf2d6\",\"atomic_attack_name\":\"Remote Code Execution with PS Credentials Using Invoke-Command\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Execute Invoke-command on Remote Host\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml\"},{\"rule_name\":\"Enable Windows Remote Management\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Remote Process Instantiation via WinRM and PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml\"}]},{\"tech_id\":\"T1027\",\"test_number\":3,\"atomic_attack_guid\":\"450e7218-7915-4be4-8b9b-464a49eafcec\",\"atomic_attack_name\":\"Execute base64-encoded PowerShell from Windows Registry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Base64 Encoded PowerShell Command Detected\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"}]},{\"tech_id\":\"T1027\",\"test_number\":7,\"atomic_attack_guid\":\"8b3f4ed6-077b-4bdd-891c-2d237f19410f\",\"atomic_attack_name\":\"Obfuscated Command in PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential PowerShell Command Line Obfuscation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1027.004\",\"test_number\":1,\"atomic_attack_guid\":\"ffcdbd6a-b0e8-487d-927a-09127fe9a206\",\"atomic_attack_name\":\"Compile After Delivery using csc.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Csc.EXE Execution Form Potentially Suspicious Parent\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"test_number\":6,\"atomic_attack_guid\":\"bc15c13f-d121-4b1f-8c7d-28d95854d086\",\"atomic_attack_name\":\"Masquerading - non-windows exe running as windows 
exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Start-Process PassThru\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.003\",\"test_number\":7,\"atomic_attack_guid\":\"c3d24a39-2bfe-4c6a-b064-90cd73896cb0\",\"atomic_attack_name\":\"Masquerading - windows exe running as different windows exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Defense Evasion Via Binary Rename\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1036.005\",\"test_number\":2,\"atomic_attack_guid\":\"35eb8d16-9820-4423-a2a1-90c4f5edd9ca\",\"atomic_attack_name\":\"Masquerade as a built-in system executable\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Files With System Process Name In Unsuspected Locations\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1040\",\"test_number\":16,\"atomic_attack_guid\":\"9c15a7de-de14-46c3-bc2a-6d94130986ae\",\"atomic_attack_name\":\"PowerShell Network Sniffing\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":5,\"atomic_attack_guid\":\"54574908-f1de-4356-9021-8053dd57439a\",\"atomic_attack_name\":\"WinPwn - spoolvulnscan\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":6,\"atomic_attack_guid\":\"97585b04-5be2-40e9-8c31-82157b8af2d6\",\"atomic_attack_name\":\"WinPwn - MS17-10\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":7,\"atomic_attack_guid\":\"1cca5640-32a9-46e6-b8e0-fabbe2384a73\",\"atomic_attack_name\":\"WinPwn - bluekeep\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1046\",\"test_number\":8,\"atomic_attack_guid\":\"bb037826-cbe8-4a41-93ea-b94059d6bb98\",\"atomic_attack_name\":\"WinPwn - fruit\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1048\",\"test_number\":3,\"atomic_attack_guid\":\"c943d285-ada3-45ca-b3aa-7cd6500c6a48\",\"atomic_attack_name\":\"DNSExfiltration (doh)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell DNSExfiltration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1048.003\",\"test_number\":2,\"atomic_attack_guid\":\"dd4b4421-2e25-4593-90ae-7021947ad12e\",\"atomic_attack_name\":\"Exfiltration Over Alternative Protocol - ICMP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell ICMP Exfiltration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1049\",\"test_number\":1,\"atomic_attack_guid\":\"0940a971-809a-48f1-9c4d-b1d785e96ee5\",\"atomic_attack_name\":\"System Network Connections Discovery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"System Network Connections Discovery Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1049\",\"test_number\":3,\"atomic_attack_guid\":\"b52c8233-8f71-4bd7-9928-49fec8215cf5\",\"atomic_attack_name\":\"System Network Connections Discovery via PowerShell (Process Mapping)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Use 
Get-NetTCPConnection - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1049\",\"test_number\":7,\"atomic_attack_guid\":\"96f974bb-a0da-4d87-a744-ff33e73367e9\",\"atomic_attack_name\":\"System Discovery using SharpView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetNetTcpconnection with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":4,\"atomic_attack_guid\":\"af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd\",\"atomic_attack_name\":\"Powershell Cmdlet Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":5,\"atomic_attack_guid\":\"ecd3fa21-7792-41a2-8726-2c5c673414d3\",\"atomic_attack_name\":\"Task Scheduler via VBA\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":6,\"atomic_attack_guid\":\"e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b\",\"atomic_attack_name\":\"WMI Invoke-CimMethod Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":8,\"atomic_attack_guid\":\"cd925593-fbb4-486d-8def-16cbdf944bf4\",\"atomic_attack_name\":\"Import XML Schedule Task with Hidden Attribute\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":9,\"atomic_attack_guid\":\"dda6fc7b-c9a6-4c18-b98d-95ec6542af6d\",\"atomic_attack_name\":\"PowerShell Modify A Scheduled Task\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Create Scheduled Task\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell 
ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":11,\"atomic_attack_guid\":\"8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2\",\"atomic_attack_name\":\"Scheduled Task Persistence via CompMgmt.msc\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1053.005\",\"test_number\":12,\"atomic_attack_guid\":\"02124c37-767e-4b76-9383-c9fc366d9d4c\",\"atomic_attack_name\":\"Scheduled Task Persistence via Eventviewer.msc\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"}]},{\"tech_id\":\"T1055.001\",\"test_number\":1,\"atomic_attack_guid\":\"74496461-11a1-4982-b439-4d87a550d254\",\"atomic_attack_name\":\"Process Injection via mavinject.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Renamed Mavinject.EXE Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml\"},{\"rule_name\":\"Mavinject Inject DLL Into Running Process\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1055.002\",\"test_number\":1,\"atomic_attack_guid\":\"578025d5-faa9-4f6d-8390-aae739d503e1\",\"atomic_attack_name\":\"Portable Executable Injection\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Windows Process Injection Remote 
Thread\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_process_injection_remote_thread.yml\"}]},{\"tech_id\":\"T1057\",\"test_number\":3,\"atomic_attack_guid\":\"3b3809b6-a54b-4f5b-8aff-cb51f2e97b34\",\"atomic_attack_name\":\"Process Discovery - Get-Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Process Discovery With Get-Process\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"test_number\":2,\"atomic_attack_guid\":\"a21bb23e-e677-4ee7-af90-6931b57b6350\",\"atomic_attack_name\":\"Run BloodHound from local disk\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - Bloodhound/Sharphound Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread 
Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":3,\"atomic_attack_guid\":\"bf8c1441-4674-4dab-8e4e-39d93d08f9b7\",\"atomic_attack_name\":\"Run Bloodhound from Memory using Download Cradle\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious PowerShell Invocations - Specific\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml\"},{\"rule_name\":\"Suspicious PowerShell Invocations - Specific - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Suspicious PowerShell Download and Execute 
Pattern\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml\"},{\"rule_name\":\"PowerShell Download Pattern\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml\"},{\"rule_name\":\"HackTool - Bloodhound/Sharphound Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Fileless Script Contains Base64 Encoded Content\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Windows PowerShell Script Block With Malicious String\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":7,\"atomic_attack_guid\":\"4396927f-e503-427b-b023-31049b9b09a6\",\"atomic_attack_name\":\"Powershell XML requests\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":9,\"atomic_attack_guid\":\"cc50fa2a-a4be-42af-a88f-e347ba0bf4d7\",\"atomic_attack_name\":\"Powershell Invoke-DownloadCradle\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via 
Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":10,\"atomic_attack_guid\":\"fa050f5e-bc75-4230-af73-b6fd7852cd73\",\"atomic_attack_name\":\"PowerShell Fileless Script Execution\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Base64 Encoded PowerShell Command Detected\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 
Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":11,\"atomic_attack_guid\":\"8e5c5532-1181-4c1d-bb79-b3a9f5dbd680\",\"atomic_attack_name\":\"NTFS Alternate Data Stream Access\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"NTFS Alternate Data Stream\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process 
Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":12,\"atomic_attack_guid\":\"7c1acec2-78fa-4305-a3e0-db2a54cddecd\",\"atomic_attack_name\":\"PowerShell Session Creation and Use\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Remote Session 
Creation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory 
Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.001\",\"test_number\":19,\"atomic_attack_guid\":\"1289f78d-22d2-4590-ac76-166737e1811b\",\"atomic_attack_name\":\"PowerUp Invoke-AllChecks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And Cmdlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml\"},{\"rule_name\":\"Malicious PowerShell Scripts - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"},{\"rule_name\":\"Usage Of Web Request Commands And 
Cmdlets\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1059.001\",\"test_number\":20,\"atomic_attack_guid\":\"999bff6d-dc15-44c9-9f5c-e1051bfc86e1\",\"atomic_attack_name\":\"Abuse Nslookup with DNS Records\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Non Interactive PowerShell Process Spawned\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml\"},{\"rule_name\":\"Windows Shell/Scripting Processes Spawning Suspicious Programs\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows PowerShell ScheduleTask\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml\"},{\"rule_name\":\"PowerShell 4104 Hunting\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml\"},{\"rule_name\":\"Powershell Creating Thread Mutex\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml\"},{\"rule_name\":\"PowerShell Loading DotNET into Memory via Reflection\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\"},{\"rule_name\":\"Powershell Using memory As Backing 
Store\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml\"},{\"rule_name\":\"Powershell Processing Stream Of Data\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml\"},{\"rule_name\":\"PowerShell WebRequest Using Memory Stream\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml\"}]},{\"tech_id\":\"T1059.003\",\"test_number\":1,\"atomic_attack_guid\":\"9e8894c0-50bd-4525-a96c-d4ac78ece388\",\"atomic_attack_name\":\"Create and Execute Batch Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Execute Batch Script\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.001\",\"test_number\":3,\"atomic_attack_guid\":\"a580462d-2c19-4bc7-8b9a-57a41b7d3ba4\",\"atomic_attack_name\":\"Permission Groups Discovery PowerShell (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Get Local Groups Information - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml\"},{\"rule_name\":\"Suspicious Get Local Groups Information\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Powershell Get LocalGroup Discovery with Script Block 
Logging\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":1,\"atomic_attack_guid\":\"dd66d77d-8998-48c0-8024-df263dc2ce5d\",\"atomic_attack_name\":\"Basic Permission Groups Discovery Windows (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":3,\"atomic_attack_guid\":\"0afb5163-8181-432e-9405-4322710c0c37\",\"atomic_attack_name\":\"Elevated group enumeration using net group (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":4,\"atomic_attack_guid\":\"a2d71eee-a353-4232-9f86-54f4288dd8c1\",\"atomic_attack_name\":\"Find machines where user has local admin access (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":5,\"atomic_attack_guid\":\"a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd\",\"atomic_attack_name\":\"Find local admins on all machines in domain (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with 
PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":6,\"atomic_attack_guid\":\"64fdb43b-5259-467a-b000-1b02c00e510a\",\"atomic_attack_name\":\"Find Local Admins via Group Policy (PowerView)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":7,\"atomic_attack_guid\":\"870ba71e-6858-4f6d-895c-bb6237f6121b\",\"atomic_attack_name\":\"Enumerate Users Not Requiring Pre Auth (ASRepRoast)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1069.002\",\"test_number\":12,\"atomic_attack_guid\":\"46352f40-f283-4fe5-b56d-d9a71750e145\",\"atomic_attack_name\":\"Get-DomainGroupMember with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":13,\"atomic_attack_guid\":\"5a8a181c-2c8e-478d-a943-549305a01230\",\"atomic_attack_name\":\"Get-DomainGroup with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetDomainGroup with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml\"},{\"rule_name\":\"Elevated Group Discovery with PowerView\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml\"}]},{\"tech_id\":\"T1069.002\",\"test_number\":14,\"atomic_attack_guid\":\"22cf8cb9-adb1-4e8c-80ca-7c723dfc8784\",\"atomic_attack_name\":\"Active Directory Enumeration with LDIFDE\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070\",\"test_number\":2,\"atomic_attack_guid\":\"96e86706-6afd-45b6-95d6-108d23eaf2e9\",\"atomic_attack_name\":\"Indicator Manipulation using FSUtil\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Fsutil Suspicious 
Invocation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.001\",\"test_number\":2,\"atomic_attack_guid\":\"b13e9306-3351-4b4b-a6e8-477358b0b498\",\"atomic_attack_name\":\"Delete System Logs Using Clear-EventLog\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Eventlog Clearing or Configuration Change Activity\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":11,\"atomic_attack_guid\":\"2f898b81-3e97-4abb-bc3f-a95138988370\",\"atomic_attack_name\":\"Prevent Powershell History Logging\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":12,\"atomic_attack_guid\":\"da75ae8d-26d6-4483-b0fe-700e4df4f037\",\"atomic_attack_name\":\"Clear Powershell History by Deleting History File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clearing Windows Console 
History\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":13,\"atomic_attack_guid\":\"1d0d9aa6-6111-4f89-927b-53e8afae7f94\",\"atomic_attack_name\":\"Set Custom AddToHistoryHandler to Avoid History File Logging\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.003\",\"test_number\":14,\"atomic_attack_guid\":\"22c779cd-9445-4d3e-a136-f75adbf0315f\",\"atomic_attack_name\":\"Clear PowerShell Session History\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Linux Command History Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml\"},{\"rule_name\":\"Clearing Windows Console History\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml\"},{\"rule_name\":\"Clear PowerShell History - PowerShell 
Module\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":6,\"atomic_attack_guid\":\"9dee89bd-9a98-4c4f-9e2d-4256690b0e72\",\"atomic_attack_name\":\"Delete a single file - Windows PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":7,\"atomic_attack_guid\":\"edd779e4-a509-4cba-8dfa-a112543dbfb1\",\"atomic_attack_name\":\"Delete an entire folder - Windows PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.004\",\"test_number\":10,\"atomic_attack_guid\":\"69f50a5f-967c-4327-a5bb-e1a9a9983785\",\"atomic_attack_name\":\"Delete TeamViewer Log Files\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco File Deletion\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"test_number\":3,\"atomic_attack_guid\":\"0512d214-9512-4d22-bde7-f37e058259b3\",\"atomic_attack_name\":\"Remove Network Share PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Deleted Mounted Share\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.005\",\"test_number\":5,\"atomic_attack_guid\":\"4299eff5-90f1-4446-b2f3-7f4f5cfd5d62\",\"atomic_attack_name\":\"Remove Administrative 
Shares\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Unmount Share Via Net.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":5,\"atomic_attack_guid\":\"b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c\",\"atomic_attack_name\":\"Windows - Modify file creation timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":6,\"atomic_attack_guid\":\"f8f6634d-93e1-4238-8510-f8a90a20dcf2\",\"atomic_attack_name\":\"Windows - Modify file last modified timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1070.006\",\"test_number\":7,\"atomic_attack_guid\":\"da627f63-b9bd-4431-b6f8-c5b44d061a62\",\"atomic_attack_name\":\"Windows - Modify file last access timestamp with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Timestomp\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1071.001\",\"test_number\":1,\"atomic_attack_guid\":\"81c13829-f6c9-45b8-85a6-053366d55297\",\"atomic_attack_name\":\"Malicious User Agents - Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Change User Agents with 
WebRequest\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":14,\"atomic_attack_guid\":\"eea1d918-825e-47dd-acc2-814d6c58c0e1\",\"atomic_attack_name\":\"WinPwn - winPEAS\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":15,\"atomic_attack_guid\":\"3d256a2f-5e57-4003-8eb6-64d91b1da7ce\",\"atomic_attack_name\":\"WinPwn - itm4nprivesc\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":16,\"atomic_attack_guid\":\"345cb8e4-d2de-4011-a580-619cf5a9e2d7\",\"atomic_attack_name\":\"WinPwn - Powersploits privesc checks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":17,\"atomic_attack_guid\":\"5b6f39a2-6ec7-4783-a5fd-2c54a55409ed\",\"atomic_attack_name\":\"WinPwn - General privesc checks\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":18,\"atomic_attack_guid\":\"7804659b-fdbf-4cf6-b06a-c03e758590e8\",\"atomic_attack_name\":\"WinPwn - GeneralRecon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"},{\"rule_name\":\"Suspicious Execution of Systeminfo\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":19,\"atomic_attack_guid\":\"3278b2f6-f733-4875-9ef4-bfed34244f0a\",\"atomic_attack_name\":\"WinPwn - Morerecon\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":20,\"atomic_attack_guid\":\"dec6a0d8-bcaf-4c22-9d48-2aee59fb692b\",\"atomic_attack_name\":\"WinPwn - RBCD-Check\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - WinPwn Execution - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml\"},{\"rule_name\":\"HackTool - WinPwn Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1082\",\"test_number\":27,\"atomic_attack_guid\":\"8851b73a-3624-4bf7-8704-aa312411565c\",\"atomic_attack_name\":\"System Information Discovery with WMIC\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Uncommon System Information Discovery Via Wmic.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":2,\"atomic_attack_guid\":\"2158908e-b7ef-4c21-8a83-3ce4dd05a924\",\"atomic_attack_name\":\"File and Directory Discovery (PowerShell)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":5,\"atomic_attack_guid\":\"c6c34f61-1c3e-40fb-8a58-d017d88286d8\",\"atomic_attack_name\":\"Simulating MAZE Directory 
Enumeration\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"},{\"rule_name\":\"Powershell Directory Enumeration\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":6,\"atomic_attack_guid\":\"c5bec457-43c9-4a18-9a24-fe151d8971b7\",\"atomic_attack_name\":\"Launch DirLister Executable\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1083\",\"test_number\":9,\"atomic_attack_guid\":\"95a21323-770d-434c-80cd-6f6fbf7af432\",\"atomic_attack_name\":\"Recursive Enumerate Files And Directories By Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.001\",\"test_number\":8,\"atomic_attack_guid\":\"80887bec-5a9b-4efc-a81d-f83eb2eb32ab\",\"atomic_attack_name\":\"Enumerate all accounts on Windows (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.001\",\"test_number\":9,\"atomic_attack_guid\":\"ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b\",\"atomic_attack_name\":\"Enumerate all 
accounts via PowerShell (Local)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Collect Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml\"},{\"rule_name\":\"Local Accounts Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml\"}],\"splunk_rules\":[{\"rule_name\":\"GetLocalUser with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getlocaluser_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":2,\"atomic_attack_guid\":\"8b8a6449-be98-4f42-afd2-dedddc7453b2\",\"atomic_attack_name\":\"Enumerate all accounts via PowerShell (Domain)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":10,\"atomic_attack_guid\":\"46f8dbe9-22a5-4770-8513-66119c5be63b\",\"atomic_attack_name\":\"Enumerate Active Directory for Unconstrained Delegation\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":11,\"atomic_attack_guid\":\"93662494-5ed7-4454-a04c-8c8372808ac2\",\"atomic_attack_name\":\"Get-DomainUser with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Forest Discovery with GetForestDomain\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml\"},{\"rule_name\":\"Get DomainUser with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainuser_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":14,\"atomic_attack_guid\":\"00c652e2-0750-4ca6-82ff-0204684a6fe4\",\"atomic_attack_name\":\"Enumerate Root Domain linked policies Discovery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Root Domain linked policies Discovery\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_root_domain_linked_policies_discovery.yml\"}]},{\"tech_id\":\"T1087.002\",\"test_number\":15,\"atomic_attack_guid\":\"ce483c35-c74b-45a7-a670-631d1e69db3d\",\"atomic_attack_name\":\"WinPwn - generaldomaininfo\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell 
Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":16,\"atomic_attack_guid\":\"f450461c-18d1-4452-9f0d-2c42c3f08624\",\"atomic_attack_name\":\"Kerbrute - userenum\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":17,\"atomic_attack_guid\":\"b8a563d4-a836-4993-a74e-0a19b8481bfe\",\"atomic_attack_name\":\"Wevtutil - Discover NTLM Users Remote\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":21,\"atomic_attack_guid\":\"abf00f6c-9983-4d9a-afbc-6b1c6c6448e1\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with adfind all properties\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1087.002\",\"test_number\":22,\"atomic_attack_guid\":\"51a98f96-0269-4e09-a10f-e307779a8b05\",\"atomic_attack_name\":\"Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":1,\"atomic_attack_guid\":\"5598f7cb-cf43-455e-883a-f6008c5d46af\",\"atomic_attack_name\":\"Admin Account Manipulate\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"Powershell LocalAccount Manipulation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":2,\"atomic_attack_guid\":\"a55a22e9-a3d3-42ce-bd48-2653adb8f7a9\",\"atomic_attack_name\":\"Domain Account and Group Manipulate\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":9,\"atomic_attack_guid\":\"d5b886d9-d1c7-4b6e-a7b0-460041bf2823\",\"atomic_attack_name\":\"Password Change on Directory Service Restore Mode (DSRM) Account\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":10,\"atomic_attack_guid\":\"fc5f9414-bd67-4f5f-a08e-e5381e29cbd1\",\"atomic_attack_name\":\"Domain Password Policy Check: Short Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local 
Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":11,\"atomic_attack_guid\":\"68190529-069b-4ffc-a942-919704158065\",\"atomic_attack_name\":\"Domain Password Policy Check: No Number in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":12,\"atomic_attack_guid\":\"7d984ef2-2db2-4cec-b090-e637e1698f61\",\"atomic_attack_name\":\"Domain Password Policy Check: No Special Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":13,\"atomic_attack_guid\":\"b299c120-44a7-4d68-b8e2-8ba5a28511ec\",\"atomic_attack_name\":\"Domain Password Policy Check: No Uppercase Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":14,\"atomic_attack_guid\":\"945da11e-977e-4dab-85d2-f394d03c5887\",\"atomic_attack_name\":\"Domain Password Policy Check: No Lowercase Character in Password\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":15,\"atomic_attack_guid\":\"784d1349-5a26-4d20-af5e-d6af53bae460\",\"atomic_attack_name\":\"Domain 
Password Policy Check: Only Two Character Classes\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1098\",\"test_number\":16,\"atomic_attack_guid\":\"81959d03-c51f-49a1-bb24-23f1ec885578\",\"atomic_attack_name\":\"Domain Password Policy Check: Common Password Use\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":8,\"atomic_attack_guid\":\"ffd492e3-0455-4518-9fb1-46527c9f241b\",\"atomic_attack_name\":\"certutil download (verifyctl)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"},{\"rule_name\":\"Suspicious Download Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml\"},{\"rule_name\":\"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":18,\"atomic_attack_guid\":\"2b080b99-0deb-4d51-af0f-833d37c4ca6a\",\"atomic_attack_name\":\"Curl Download File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":19,\"atomic_attack_guid\":\"635c9a38-6cbf-47dc-8615-3810bc1167cf\",\"atomic_attack_name\":\"Curl Upload File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":20,\"atomic_attack_guid\":\"d239772b-88e2-4a2e-8473-897503401bcc\",\"atomic_attack_name\":\"Download a file with Microsoft Connection Manager Auto-Download\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":21,\"atomic_attack_guid\":\"70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf\",\"atomic_attack_name\":\"MAZE Propagation Script\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":32,\"atomic_attack_guid\":\"6934c16e-0b3a-4e7f-ab8c-c414acd32181\",\"atomic_attack_name\":\"File Download with Sqlcmd.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":33,\"atomic_attack_guid\":\"c82b1e60-c549-406f-9b00-0a8ae31c9cfe\",\"atomic_attack_name\":\"Remote File Copy using PSCP\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":34,\"atomic_attack_guid\":\"2a4b0d29-e5dd-4b66-b729-07423ba1cd9d\",\"atomic_attack_name\":\"Windows push file using scp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":35,\"atomic_attack_guid\":\"401667dc-05a6-4da0-a2a7-acfe4819559c\",\"atomic_attack_name\":\"Windows pull file using scp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage 
Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":36,\"atomic_attack_guid\":\"205e676e-0401-4bae-83a5-94b8c5daeb22\",\"atomic_attack_name\":\"Windows push file using sftp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":37,\"atomic_attack_guid\":\"3d25f1f2-55cb-4a41-a523-d17ad4cfba19\",\"atomic_attack_name\":\"Windows pull file using sftp.exe\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1105\",\"test_number\":38,\"atomic_attack_guid\":\"3dd6a6cf-9c78-462c-bd75-e9b54fc8925b\",\"atomic_attack_name\":\"Download a file with OneDrive Standalone Updater\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Stage Data\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml\"},{\"rule_name\":\"Remote File 
Copy\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1110.001\",\"test_number\":2,\"atomic_attack_guid\":\"c2969434-672b-4ec8-8df0-bbb91f40e250\",\"atomic_attack_name\":\"Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Connection to Remote Account\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":45,\"atomic_attack_guid\":\"fe7974e5-5813-477b-a7bd-311d4f535e83\",\"atomic_attack_name\":\"Enabling Restricted Admin Mode via Command_Prompt\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"RestrictedAdminMode Registry Value Tampering\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml\"},{\"rule_name\":\"RestrictedAdminMode Registry Value Tampering - ProcCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":67,\"atomic_attack_guid\":\"eb0ba433-63e5-4a8c-a9f0-27c4192e1336\",\"atomic_attack_name\":\"Enable Proxy Settings\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modification of IE Registry Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":68,\"atomic_attack_guid\":\"d88a3d3b-d016-4939-a745-03638aafd21b\",\"atomic_attack_name\":\"Set-Up Proxy 
Server\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modification of IE Registry Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1112\",\"test_number\":86,\"atomic_attack_guid\":\"c691cee2-8d17-4395-b22f-00644c7f1c2d\",\"atomic_attack_name\":\"Modify RDP-Tcp Initial Program Registry Entry\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"RDP Sensitive Settings Changed\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml\"},{\"rule_name\":\"Potential Tampering With RDP Related Registry Keys Via Reg.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1113\",\"test_number\":8,\"atomic_attack_guid\":\"e9313014-985a-48ef-80d9-cde604ffc187\",\"atomic_attack_name\":\"Windows Screen Capture (CopyFromScreen)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Windows Screen Capture with CopyFromScreen\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows Screen Capture Via Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_screen_capture_via_powershell.yml\"}]},{\"tech_id\":\"T1115\",\"test_number\":2,\"atomic_attack_guid\":\"d6dc21af-bec9-4152-be86-326b6babd416\",\"atomic_attack_name\":\"Execute Commands from Clipboard using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get 
Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"},{\"rule_name\":\"PowerShell Get-Clipboard Cmdlet Via CLI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml\"},{\"rule_name\":\"Data Copied To Clipboard Via Clip.EXE\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Windows ClipBoard Data via Get-ClipBoard\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml\"}]},{\"tech_id\":\"T1115\",\"test_number\":4,\"atomic_attack_guid\":\"9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52\",\"atomic_attack_name\":\"Collect Clipboard Data via VBA\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell Get Clipboard\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"test_number\":2,\"atomic_attack_guid\":\"634bd9b9-dc83-4229-b19f-7f83ba9ad313\",\"atomic_attack_name\":\"Automated Collection PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Command PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1119\",\"test_number\":3,\"atomic_attack_guid\":\"c3f6d794-50dd-482f-b640-0384fbb7db26\",\"atomic_attack_name\":\"Recon information for export with PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Recon Information for Export with 
PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1120\",\"test_number\":1,\"atomic_attack_guid\":\"2cb4dbf2-2dca-4597-8678-4d39d207a3a5\",\"atomic_attack_name\":\"Win32_PnPEntity Hardware Inventory\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Suspicious Win32_PnPEntity\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1123\",\"test_number\":2,\"atomic_attack_guid\":\"7a21cce2-6ada-4f7c-afd9-e1e9c481e44a\",\"atomic_attack_name\":\"Registry artefact when application use microphone\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Camera and Microphone Access\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1125\",\"test_number\":1,\"atomic_attack_guid\":\"6581e4a7-42e3-43c5-a0d2-5a0d62f9702a\",\"atomic_attack_name\":\"Registry artefact when application use webcam\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Suspicious Camera and Microphone Access\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1134.004\",\"test_number\":1,\"atomic_attack_guid\":\"069258f4-2162-46e9-9a25-c9c6c56150d2\",\"atomic_attack_name\":\"Parent PID Spoofing using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - PPID Spoofing SelectMyParent Tool 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1135\",\"test_number\":7,\"atomic_attack_guid\":\"b1636f0a-ba82-435c-b699-0d78794d8bfd\",\"atomic_attack_name\":\"Share Discovery with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1136.001\",\"test_number\":5,\"atomic_attack_guid\":\"bc8be0ac-475c-4fbf-9b1d-9fffd77afbde\",\"atomic_attack_name\":\"Create a new user in PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Cisco Local Accounts\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml\"},{\"rule_name\":\"PowerShell Create Local User\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1136.002\",\"test_number\":3,\"atomic_attack_guid\":\"5a3497a4-1568-4663-b12a-d4a5ed70c7d7\",\"atomic_attack_name\":\"Create a new Domain Account using PowerShell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Manipulation of User Computer or Group Security Principals Across AD\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1137.006\",\"test_number\":1,\"atomic_attack_guid\":\"441b1a0f-a771-428a-8af0-e99e4698cda3\",\"atomic_attack_name\":\"Code Executed Via Excel Add-in File (XLL)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Code Executed Via Office Add-in XLL 
File\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1197\",\"test_number\":3,\"atomic_attack_guid\":\"62a06ec5-5754-47d2-bcfc-123d8314c6ae\",\"atomic_attack_name\":\"Persist, Download, & Execute\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Monitoring For Persistence Via BITS\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml\"},{\"rule_name\":\"File Download Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml\"},{\"rule_name\":\"File With Suspicious Extension Downloaded Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml\"},{\"rule_name\":\"Suspicious Download From File-Sharing Website Via Bitsadmin\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml\"},{\"rule_name\":\"File Download Via Bitsadmin To A Suspicious Target Folder\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1201\",\"test_number\":9,\"atomic_attack_guid\":\"3177f4da-3d4b-4592-8bdc-aa23d0b2e843\",\"atomic_attack_name\":\"Get-DomainPolicy with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[],\"splunk_rules\":[{\"rule_name\":\"Get DomainPolicy with Powershell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1217\",\"test_number\":5,\"atomic_attack_guid\":\"faab755e-4299-48ec-8202-fc7885eb6545\",\"atomic_attack_name\":\"List Google Chrome / Opera Bookmarks on Windows with powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Automated Collection Bookmarks Using Get-ChildItem PowerShell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":4,\"atomic_attack_guid\":\"db020456-125b-4c8b-a4a7-487df8afb5a2\",\"atomic_attack_name\":\"ProtocolHandler.exe Downloaded a Suspicious File\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":13,\"atomic_attack_guid\":\"b1eeb683-90bb-4365-bbc2-2689015782fe\",\"atomic_attack_name\":\"LOLBAS CustomShellHost to Spawn Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218\",\"test_number\":15,\"atomic_attack_guid\":\"e5eedaed-ad42-4c1e-8783-19529738a349\",\"atomic_attack_name\":\"LOLBAS Msedge to Spawn Process\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Wuauclt Network 
Connection\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":5,\"atomic_attack_guid\":\"882082f0-27c6-4eec-a43c-9aa80bccdb30\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with embedded JScript\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":6,\"atomic_attack_guid\":\"cf470d9a-58e7-43e5-b0d2-805dffc05576\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":7,\"atomic_attack_guid\":\"32eb3861-30da-4993-897a-42737152f5f8\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.007\",\"test_number\":8,\"atomic_attack_guid\":\"55080eb0-49ae-4f55-a440-4167b7974f79\",\"atomic_attack_name\":\"WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"PowerShell WMI Win32_Product Install 
MSI\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.009\",\"test_number\":1,\"atomic_attack_guid\":\"71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112\",\"atomic_attack_name\":\"Regasm Uninstall Method Call Test\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.009\",\"test_number\":2,\"atomic_attack_guid\":\"fd3c1c6a-02d2-4b72-82d9-71c527abb126\",\"atomic_attack_name\":\"Regsvcs Uninstall Method Call Test\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1218.010\",\"test_number\":3,\"atomic_attack_guid\":\"08ffca73-9a3d-471a-aeb0-68b4aa3ab37b\",\"atomic_attack_name\":\"Regsvr32 local DLL execution\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Regsvr32 Execution From Highly Suspicious Location\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":1,\"atomic_attack_guid\":\"4700a710-c821-4e17-a3ec-9e4c81d6845f\",\"atomic_attack_name\":\"Windows - Discover domain trusts with dsquery\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - 
PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":3,\"atomic_attack_guid\":\"c58fbc62-8a62-489e-8f2d-3565d7d96f30\",\"atomic_attack_name\":\"Powershell enumerate domains and forests\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1482\",\"test_number\":6,\"atomic_attack_guid\":\"f974894c-5991-4b19-aaf5-7cc2fe298c5d\",\"atomic_attack_name\":\"Get-DomainTrust with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView 
Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Get-DomainTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml\"},{\"rule_name\":\"Get-ForestTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1482\",\"test_number\":7,\"atomic_attack_guid\":\"58ed10e8-0738-4651-8408-3a3e9a526279\",\"atomic_attack_name\":\"Get-ForestTrust with PowerView\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Malicious PowerShell Commandlets - ScriptBlock\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - PoshModule\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml\"},{\"rule_name\":\"HackTool - SharpView Execution\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml\"},{\"rule_name\":\"Malicious PowerShell Commandlets - ProcessCreation\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml\"}],\"splunk_rules\":[{\"rule_name\":\"Get-DomainTrust with PowerShell Script 
Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml\"},{\"rule_name\":\"Get-ForestTrust with PowerShell Script Block\",\"rule_link\":\"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\"}]},{\"tech_id\":\"T1484.001\",\"test_number\":1,\"atomic_attack_guid\":\"9ab80952-74ee-43da-a98c-1e740a985f28\",\"atomic_attack_name\":\"LockBit Black - Modify Group policy settings -cmd\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modify Group Policy Settings - ScriptBlockLogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml\"},{\"rule_name\":\"Modify Group Policy Settings\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1484.001\",\"test_number\":2,\"atomic_attack_guid\":\"b51eae65-5441-4789-b8e8-64783c26c1d1\",\"atomic_attack_name\":\"LockBit Black - Modify Group policy settings -Powershell\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Modify Group Policy Settings - ScriptBlockLogging\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1490\",\"test_number\":13,\"atomic_attack_guid\":\"42111a6f-7e7f-482c-9b1b-3cfd090b999c\",\"atomic_attack_name\":\"Windows - Delete Volume Shadow Copies via Diskshadow\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Shadow Copies Deletion Using Operating Systems 
Utilities\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1491.001\",\"test_number\":1,\"atomic_attack_guid\":\"30558d53-9d76-41c4-9267-a7bd5184bed3\",\"atomic_attack_name\":\"Replace Desktop Wallpaper\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Replace Desktop Wallpaper by Powershell\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml\"}],\"splunk_rules\":[]},{\"tech_id\":\"T1497.001\",\"test_number\":3,\"atomic_attack_guid\":\"502a7dc4-9d6f-4d28-abf2-f0e84692562d\",\"atomic_attack_name\":\"Detect Virtualization Environment (Windows)\",\"platform\":\"windows\",\"sigma_rules\":[{\"rule_name\":\"Powershell Detect Virtualization Environment\",\"rule_link\":\"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml\"}],\"splunk_rules\":[]}]"
  },
  {
    "path": "dist/index.html",
    "content": "<!DOCTYPE html>\n<html lang=\"en\" data-bs-theme=\"dark\">\n  <head>\n    <meta charset=\"UTF-8\" />\n    <title>ARM - AttackRuleMap</title>\n    <meta\n      name=\"description\"\n      content=\"Mapping of open-source detection rules and atomic tests.\"\n    />\n    <link\n      rel=\"icon\"\n      type=\"image/png\"\n      href=\"./assets/images/favicon/\"\n      sizes=\"96x96\"\n    />\n    <link\n      rel=\"icon\"\n      type=\"image/svg+xml\"\n      href=\"./assets/images/favicon/favicon.svg\"\n    />\n    <link rel=\"shortcut icon\" href=\"./assets/images/favicon/favicon.ico\" />\n    <link\n      rel=\"apple-touch-icon\"\n      sizes=\"180x180\"\n      href=\"./assets/images/favicon/apple-touch-icon.png\"\n    />\n    <meta name=\"apple-mobile-web-app-title\" content=\"ARM\" />\n    <link rel=\"manifest\" href=\"./assets/images/favicon/site.webmanifest\" />\n\n    <link rel=\"stylesheet\" href=\"./assets/css/bootstrap.min.css\" />\n    <link rel=\"stylesheet\" href=\"./assets/css/dataTables.bootstrap5.min.css\" />\n    <link rel=\"stylesheet\" href=\"./assets/css/buttons.bootstrap5.min.css\" />\n    <link rel=\"stylesheet\" href=\"./assets/css/fixedHeader.bootstrap5.min.css\" />\n\n    <!-- Open Graph Meta Tags -->\n    <meta property=\"og:title\" content=\"ARM - AttackRuleMap\" />\n    <meta\n      property=\"og:description\"\n      content=\"Mapping of open-source detection rules and atomic tests.\"\n    />\n    <meta\n      property=\"og:image\"\n      content=\"https://attackrulemap.netlify.app/assets/images/og-logo.png\"\n    />\n    <meta property=\"og:url\" content=\"https://attackrulemap.netlify.com\" />\n    <meta property=\"og:type\" content=\"website\" />\n    <meta property=\"og:site_name\" content=\"attackrulemap.netlify.com\" />\n    <meta name=\"author\" content=\"Burak Karaduman\" />\n    <style>\n      @font-face {\n        font-family: \"Chakra Petch Regular\";\n        src: url(\"./assets/fonts/ChakraPetch-Regular.ttf\") 
format(\"truetype\");\n        font-style: normal;\n      }\n\n      #header {\n        font-family: \"Chakra Petch Regular\";\n      }\n\n      th {\n        vertical-align: middle;\n        white-space: nowrap;\n      }\n\n      table {\n        font-size: 14px;\n      }\n\n      li {\n        margin-bottom: 3px;\n      }\n\n      .mitre-tech-btn {\n        background-color: #3f6894;\n        font-size: 13px;\n        color: white;\n        border-radius: 2px;\n      }\n\n      .mitre-tech-btn:hover {\n        background-color: #2b5178;\n        color: white;\n      }\n\n      #theme-icons {\n        cursor: pointer;\n      }\n\n      #scrollToTopBtn {\n        position: fixed;\n        bottom: 20px;\n        right: 20px;\n        border-radius: 50%;\n        background-color: #3f6894;\n        opacity: 0.7;\n        width: 70px;\n        height: 70px;\n        display: flex;\n        align-items: center;\n        justify-content: center;\n        z-index: 1000;\n        cursor: pointer;\n        transition: opacity 0.3s ease;\n      }\n\n      #scrollToTopBtn:hover {\n        opacity: 1;\n      }\n\n      svg {\n        color: white;\n      }\n\n      #theme-icons svg:hover,\n      #github-icon:hover {\n        scale: 1.15;\n      }\n\n      #theme-icons svg,\n      #github-icon {\n        transition: 0.3s;\n      }\n    </style>\n  </head>\n  <body>\n    <div id=\"main\" class=\"container-fluid p-4\">\n      <div id=\"header\" class=\"d-flex align-items-center\">\n        <img\n          class=\"me-3\"\n          src=\"./assets/images/shield-logo.png\"\n          alt=\"\"\n          height=\"65\"\n        />\n        <div>\n          <h2 class=\"text-start m-0 p-0\">AttackRuleMap</h2>\n          <p class=\"text-start text-muted m-0 p-0\">\n            Mapping of open-source detection rules and atomic tests.\n          </p>\n        </div>\n        <div class=\"ms-auto d-flex flex-column align-items-center\">\n          
<!-- Top: GitHub and theme buttons -->\n          <div class=\"d-flex justify-content-end align-items-center w-100\">\n            <a\n              href=\"https://github.com/krdmnbrk/AttackRuleMap\"\n              target=\"_blank\"\n              rel=\"noopener noreferrer\"\n              class=\"me-3\"\n            >\n              <img\n                id=\"github-icon\"\n                src=\"./assets/images/github-logo.svg\"\n                alt=\"GitHub Logo\"\n                height=\"25\"\n              />\n            </a>\n            <div id=\"theme-icons\" class=\"d-flex align-items-center\">\n              <svg\n                id=\"light-mode-icon\"\n                xmlns=\"http://www.w3.org/2000/svg\"\n                width=\"25\"\n                height=\"25\"\n                viewBox=\"0 0 16 16\"\n                fill=\"currentColor\"\n                class=\"bi bi-brightness-high\"\n                style=\"display: none\"\n              >\n                <path\n                  d=\"M8 11a3 3 0 1 1 0-6 3 3 0 0 1 0 6m0 1a4 4 0 1 0 0-8 4 4 0 0 0 0 8M8 0a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 0m0 13a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 13m8-5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2a.5.5 0 0 1 .5.5M3 8a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2A.5.5 0 0 1 3 8m10.657-5.657a.5.5 0 0 1 0 .707l-1.414 1.415a.5.5 0 1 1-.707-.708l1.414-1.414a.5.5 0 0 1 .707 0m-9.193 9.193a.5.5 0 0 1 0 .707L3.05 13.657a.5.5 0 0 1-.707-.707l1.414-1.414a.5.5 0 0 1 .707 0m9.193 2.121a.5.5 0 0 1-.707 0l-1.414-1.414a.5.5 0 0 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .707M4.464 4.465a.5.5 0 0 1-.707 0L2.343 3.05a.5.5 0 1 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .708\"\n                />\n              </svg>\n              <svg\n                id=\"dark-mode-icon\"\n                xmlns=\"http://www.w3.org/2000/svg\"\n                width=\"25\"\n                height=\"25\"\n                viewBox=\"0 0 16 16\"\n                fill=\"currentColor\"\n                
class=\"bi bi-moon\"\n              >\n                <path\n                  d=\"M6 .278a.77.77 0 0 1 .08.858 7.2 7.2 0 0 0-.878 3.46c0 4.021 3.278 7.277 7.318 7.277q.792-.001 1.533-.16a.79.79 0 0 1 .81.316.73.73 0 0 1-.031.893A8.35 8.35 0 0 1 8.344 16C3.734 16 0 12.286 0 7.71 0 4.266 2.114 1.312 5.124.06A.75.75 0 0 1 6 .278M4.858 1.311A7.27 7.27 0 0 0 1.025 7.71c0 4.02 3.279 7.276 7.319 7.276a7.32 7.32 0 0 0 5.205-2.162q-.506.063-1.029.063c-4.61 0-8.343-3.714-8.343-8.29 0-1.167.242-2.278.681-3.286\"\n                />\n              </svg>\n            </div>\n          </div>\n          <!-- Bottom Last updated (loaded from metadata.json) -->\n          <div class=\"text-center mt-2\">\n            <span id=\"last-updated-date\" style=\"user-select: none\">Last Updated Date: —</span>\n          </div>\n        </div>\n      </div>\n      <hr />\n      <table id=\"arm-table\" class=\"table table-striped\" style=\"width: 100%\">\n        <thead>\n          <tr>\n            <th style=\"width: 5%\">Tech ID</th>\n            <th style=\"width: 25%\">\n              <img src=\"./assets/images/atomic-logo.png\" alt=\"\" height=\"25\" />\n              <span class=\"ps-1\">Atomic Attack Name</span>\n            </th>\n            <th style=\"width: 5%\">Platform</th>\n            <th style=\"width: 30%\">\n              <img\n                src=\"./assets/images/sigma-logo.svg\"\n                alt=\"sigma\"\n                height=\"25\"\n              />\n              <span class=\"ps-1\">Sigma Rules</span>\n            </th>\n            <th style=\"width: 30%\">\n              <img\n                style=\"border-radius: 10%\"\n                src=\"./assets/images/splunk-logo.png\"\n                alt=\"splunk\"\n                height=\"25\"\n              />\n              <span class=\"ps-1\">Splunk Rules</span>\n            </th>\n          </tr>\n        </thead>\n        <tbody></tbody>\n      </table>\n\n      <div id=\"scrollToTopBtn\" 
style=\"display: none\">\n        <svg\n          xmlns=\"http://www.w3.org/2000/svg\"\n          width=\"50\"\n          height=\"50\"\n          fill=\"currentColor\"\n          class=\"bi bi-arrow-up-circle\"\n          viewBox=\"0 0 16 16\"\n        >\n          <path\n            fill-rule=\"evenodd\"\n            d=\"M1 8a7 7 0 1 0 14 0A7 7 0 0 0 1 8m15 0A8 8 0 1 1 0 8a8 8 0 0 1 16 0m-7.5 3.5a.5.5 0 0 1-1 0V5.707L5.354 7.854a.5.5 0 1 1-.708-.708l3-3a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1-.708.708L8.5 5.707z\"\n          />\n        </svg>\n      </div>\n    </div>\n\n    <script src=\"./assets/js/jquery-3.7.1.min.js\"></script>\n    <script src=\"./assets/js/bootstrap.bundle.min.js\"></script>\n    <script src=\"./assets/js/dataTables.min.js\"></script>\n    <script src=\"./assets/js/dataTables.bootstrap5.min.js\"></script>\n    <script src=\"./assets/js/dataTables.buttons.min.js\"></script>\n    <script src=\"./assets/js/buttons.bootstrap5.min.js\"></script>\n    <script src=\"./assets/js/fixedHeader.bootstrap5.min.js\"></script>\n    <script src=\"./assets/js/dataTables.fixedHeader.min.js\"></script>\n\n    <script>\n      $(document).ready(function () {\n        // Load last updated from metadata.json (same directory)\n        $.getJSON(\"metadata.json\")\n          .done(function (data) {\n            var raw = data && data.last_updated ? 
data.last_updated : \"\";\n            var display = \"—\";\n            if (raw) {\n              var months = [\"Jan\", \"Feb\", \"Mar\", \"Apr\", \"May\", \"Jun\", \"Jul\", \"Aug\", \"Sep\", \"Oct\", \"Nov\", \"Dec\"];\n              var m = raw.match(/^(\\d{4})-(\\d{2})-(\\d{2})/);\n              if (m) {\n                display = months[parseInt(m[2], 10) - 1] + \" \" + parseInt(m[3], 10) + \", \" + m[1];\n              } else {\n                display = raw;\n              }\n            }\n            $(\"#last-updated-date\").text(\"Last Updated Date: \" + display);\n          })\n          .fail(function () {\n            $(\"#last-updated-date\").text(\"Last Updated Date: —\");\n          });\n\n        // Cell values come from attack_rule_map.json, whose test names and rule titles are pulled from upstream repos (Atomic Red Team, Sigma, ESCU).\n        // DataTables inserts render() output as HTML, so every value is escaped before it is concatenated into markup.\n        var escapeHtml = function (s) {\n          return $('<div>').text(String(s)).html();\n        };\n\n        $(\"#arm-table\").DataTable({\n          ajax: {\n            url: \"attack_rule_map.json\",\n            dataSrc: \"\",\n          },\n          columns: [\n            {\n              data: function (row) {\n                const v = row.tech_id || row.technique_id;\n                return v != null && String(v).trim() !== \"\" ? String(v) : null;\n              },\n              render: function (data) {\n                const tid = (data != null && String(data).trim() !== \"\") ? String(data).trim() : null;\n                if (!tid) {\n                  return '<span class=\"text-muted\">-</span>';\n                }\n                const href =\n                  \"https://www.atomicredteam.io/atomic-red-team/atomics/\" + encodeURIComponent(tid);\n                return (\n                  '<a class=\"btn mitre-tech-btn rounded-1\" style=\"user-select: text;\" target=\"_blank\" rel=\"noopener noreferrer\" href=\"' +\n                  href +\n                  '\">' +\n                  escapeHtml(tid) +\n                  \"</a>\"\n                );\n              },\n            },\n            {\n              data: function (row) {\n                const name = (row.atomic_attack_name || row.technique_name || \"\").trim();\n                const guid = (row.atomic_attack_guid || \"\").trim();\n                return { name: name, guid: guid };\n              },\n              render: function (data) {\n                const displayName = (data && data.name) ? String(data.name).trim() : \"\";\n                const isUnknown = !displayName || displayName.toLowerCase() === \"unknown\";\n                if (isUnknown) {\n                  return '<span class=\"text-muted\">-</span>';\n                }\n                let html = escapeHtml(displayName);\n                if (data && data.guid) {\n                  html += '<br><small class=\"text-muted\">GUID: ' + escapeHtml(data.guid) + \"</small>\";\n                }\n                return html;\n              },\n            },\n            {\n              data: \"platform\",\n              render: function (data) {\n                const plat = (data || \"\").toString().toLowerCase();\n                let img = \"linux-logo.svg\";\n                let title = \"Linux\";\n                if (plat.indexOf(\"windows\") >= 0) {\n                  img = \"windows-logo.svg\";\n                  title = \"Windows\";\n                } else if (plat.indexOf(\"macos\") >= 0 || plat.indexOf(\"mac\") >= 0) {\n                  img = \"macos-logo.svg\";\n                  
title = \"macOS\";\n                } else if (plat) {\n                  title = plat.charAt(0).toUpperCase() + plat.slice(1);\n                }\n                return (\n                  '<img src=\"./assets/images/' +\n                  img +\n                  '\" height=\"32\" alt=\"' +\n                  title +\n                  '\" title=\"' +\n                  title +\n                  '\">'\n                );\n              },\n            },\n            {\n              data: \"sigma_rules\",\n              render: function (data) {\n                const rules = data || [];\n                if (!rules.length) return \"<ul>N/A</ul>\";\n                let html = \"<ul>\";\n                rules.forEach(function (r) {\n                  const name = (r.rule_name || \"\").trim();\n                  const link = r.rule_link || \"#\";\n                  html +=\n                    '<li><a target=\"_blank\" href=\"' +\n                    link +\n                    '\">' +\n                    name +\n                    \"</a></li>\";\n                });\n                html += \"</ul>\";\n                return html;\n              },\n            },\n            {\n              data: \"splunk_rules\",\n              render: function (data) {\n                const rules = data || [];\n                if (!rules.length) return \"<ul>N/A</ul>\";\n                let html = \"<ul>\";\n                rules.forEach(function (r) {\n                  const name = (r.rule_name || \"\").trim();\n                  const link = r.rule_link || \"#\";\n                  html +=\n                    '<li><a target=\"_blank\" href=\"' +\n                    link +\n                    '\">' +\n                    name +\n                    \"</a></li>\";\n                });\n                html += \"</ul>\";\n                return html;\n              },\n            },\n          ],\n          paging: false,\n          searching: true,\n          
ordering: true,\n          info: true,\n          fixedHeader: true,\n          dom:\n            \"<'row'<'col-sm-12 col-md-6'B><'col-sm-12 col-md-6'f>>\" +\n            \"<'row'<'col-sm-12'tr>>\" +\n            \"<'row'<'col-sm-12 col-md-5'i><'col-sm-12 col-md-7'p>>\",\n\n          buttons: [\n            {\n              className: \"btn-sm json-export\",\n              text: \"Export JSON\",\n              action: function (e, dt, button, config) {\n                const rows = dt.rows({ search: \"applied\" }).data();\n                const json = JSON.stringify(\n                  rows.toArray().map(function (row) {\n                    const obj = {\n                      tech_id: row.tech_id || row.technique_id || \"\",\n                      atomic_attack_name:\n                        row.atomic_attack_name || row.technique_name || \"\",\n                      atomic_attack_guid: row.atomic_attack_guid || \"\",\n                      platform: row.platform || \"\",\n                      sigma_rules: row.sigma_rules || [],\n                      splunk_rules: row.splunk_rules || [],\n                    };\n                    return obj;\n                  }),\n                  null,\n                  2\n                );\n\n                const blob = new Blob([json], { type: \"application/json\" });\n                const link = document.createElement(\"a\");\n                link.href = URL.createObjectURL(blob);\n                link.download = \"attack_rule_map.json\";\n                link.click();\n              },\n            },\n          ],\n          initComplete: function () {\n            var openLayer = function (filename) {\n              var hostname = window.location.hostname;\n              if (hostname === \"localhost\" || hostname === \"127.0.0.1\") {\n                alert(\n                  \"The official MITRE ATT&CK Navigator cannot access files on Localhost. 
Please deploy to Netlify/Public Server.\"\n                );\n                return;\n              }\n              var currentBase = window.location.href.substring(\n                0,\n                window.location.href.lastIndexOf(\"/\") + 1\n              );\n              var jsonUrl = currentBase + filename;\n              var targetUrl =\n                \"https://mitre-attack.github.io/attack-navigator/#layerURL=\" +\n                encodeURIComponent(jsonUrl);\n              window.open(targetUrl, \"_blank\");\n            };\n            var $mitreGroup = $(\n              '<div class=\"btn-group ms-2 ml-2\" role=\"group\">' +\n                '<button type=\"button\" class=\"btn btn-danger btn-sm text-white dropdown-toggle\" data-bs-toggle=\"dropdown\" style=\"font-weight: 500;\">' +\n                '<i class=\"fas fa-map-marked-alt me-1 mr-1\"></i> ATT&CK&reg; Navigator <span class=\"caret\"></span>' +\n                '</button>' +\n                '<ul class=\"dropdown-menu\">' +\n                '<li><a class=\"dropdown-item\" href=\"#\" data-layer=\"mitre_layer_combined.json\"><i class=\"fas fa-layer-group me-1\"></i> Sigma + Splunk</a></li>' +\n                '<li><a class=\"dropdown-item\" href=\"#\" data-layer=\"mitre_layer_sigma.json\"><i class=\"fas fa-shield-alt me-1\"></i> Sigma</a></li>' +\n                '<li><a class=\"dropdown-item\" href=\"#\" data-layer=\"mitre_layer_splunk.json\"><i class=\"fas fa-chart-line me-1\"></i> Splunk</a></li>' +\n                '</ul></div>'\n            );\n            $(\".dt-buttons\").after($mitreGroup);\n            $mitreGroup.find(\".dropdown-item\").on(\"click\", function (e) {\n              e.preventDefault();\n              var filename = $(this).data(\"layer\");\n              openLayer(filename);\n            });\n          },\n        });\n        const savedTheme = localStorage.getItem(\"theme\");\n        if (savedTheme === \"light\") {\n          $(\"html\").attr(\"data-bs-theme\", 
\"light\");\n          toggleIcons();\n        } else {\n          $(\"html\").attr(\"data-bs-theme\", \"dark\");\n          toggleIcons();\n        }\n\n        $(\"#dark-mode-icon\").click(function () {\n          $(\"html\").attr(\"data-bs-theme\", \"dark\");\n          localStorage.setItem(\"theme\", \"dark\");\n          toggleIcons();\n        });\n\n        $(\"#light-mode-icon\").click(function () {\n          $(\"html\").attr(\"data-bs-theme\", \"light\");\n          localStorage.setItem(\"theme\", \"light\");\n          toggleIcons();\n        });\n\n        function toggleIcons() {\n          $(\".json-export\")\n            .removeClass(\"btn-secondary\")\n            .addClass(\"btn-success\");\n          if ($(\"html\").attr(\"data-bs-theme\") === \"dark\") {\n            $(\"#dark-mode-icon\").hide();\n            $(\"#light-mode-icon\").show().css(\"color\", \"#adb5bd\");\n            $(\"#github-icon\").attr(\"style\", \"filter: invert(0)\");\n          } else {\n            $(\"#github-icon\").attr(\"style\", \"filter: invert(1)\");\n            $(\"#light-mode-icon\").hide();\n            $(\"#dark-mode-icon\").show().css(\"color\", \"#212529\");\n          }\n        }\n\n        $(window).scroll(function () {\n          if ($(this).scrollTop() > 300) {\n            $(\"#scrollToTopBtn\").fadeIn();\n          } else {\n            $(\"#scrollToTopBtn\").fadeOut();\n          }\n        });\n\n        $(\"#scrollToTopBtn\").click(function () {\n          $(\"html, body\").animate({ scrollTop: 0 });\n          return false;\n        });\n      });\n    </script>\n  </body>\n</html>"
  },
  {
    "path": "dist/metadata.json",
    "content": "{\n  \"last_updated\": \"2026-02-12 12:30:12\"\n}"
  },
  {
    "path": "dist/mitre_layer_combined.json",
    "content": "{\n    \"name\": \"ARM - Sigma + Splunk Detection Coverage\",\n    \"versions\": {\n        \"attack\": \"18\",\n        \"navigator\": \"5.3.0\",\n        \"layer\": \"4.5\"\n    },\n    \"domain\": \"enterprise-attack\",\n    \"description\": \"Sigma OR Splunk coverage\",\n    \"filters\": {\n        \"platforms\": [\n            \"Windows\"\n        ]\n    },\n    \"sorting\": 3,\n    \"layout\": {\n        \"layout\": \"side\",\n        \"aggregateFunction\": \"average\",\n        \"showID\": false,\n        \"showName\": true,\n        \"showAggregateScores\": false,\n        \"countUnscored\": false\n    },\n    \"hideDisabled\": false,\n    \"techniques\": [\n        {\n            \"techniqueID\": \"T1001.002\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003\",\n            \"score\": 57,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 4 | Coverage: %57\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 14 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.002\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 6 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 9 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n      
      \"techniqueID\": \"T1003.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.008\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1007\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: %40\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1012\",\n            \"score\": 17,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 1 | Coverage: %17\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1014\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016\",\n            \"score\": 89,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 8 | Coverage: %89\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1018\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 20 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1020\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 
| Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.006\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1025\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027\",\n            \"score\": 55,\n            
\"color\": \"\",\n            \"comment\": \"Tests: 11 | Detected: 6 | Coverage: %55\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1030\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1033\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 7 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 8 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.005\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1039\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1040\",\n            \"score\": 86,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 12 | Coverage: %86\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1041\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1046\",\n            \"score\": 56,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 5 | Coverage: %56\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1047\",\n            \"score\": 90,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 9 | Coverage: %90\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | 
Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048.003\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1049\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 12 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055\",\n            \"score\": 23,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 3 | Coverage: %23\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.002\",\n            \"score\": 
100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1056.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1057\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 22 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.003\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 4 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.005\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n 
           \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1069.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1069.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 14 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.001\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 7 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.005\",\n            \"score\": 80,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 4 | Coverage: %80\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.006\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": 
\"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.004\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1072\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1074.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.003\",\n            \"score\": 
50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1082\",\n            \"score\": 61,\n            \"color\": \"\",\n            \"comment\": \"Tests: 28 | Detected: 17 | Coverage: %61\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1083\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 6 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 22 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1091\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n        
    \"techniqueID\": \"T1095\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1098\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 10 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1105\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 29 | Detected: 29 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1106\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.001\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n       
     \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1112\",\n            \"score\": 30,\n            \"color\": \"\",\n            \"comment\": \"Tests: 90 | Detected: 27 | Coverage: %30\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1113\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1114.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1115\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1119\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1120\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1123\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1124\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: 
%40\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1125\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1129\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1132.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1133\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.002\",\n            \"score\": 50,\n            \"color\": \"\",\n            
\"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.004\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: %40\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1135\",\n            \"score\": 44,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 4 | Coverage: %44\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.002\",\n        
    \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.006\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1140\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1176\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1187\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1195\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1197\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n         
   \"techniqueID\": \"T1201\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1202\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.002\",\n            \"score\": 23,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 3 | Coverage: %23\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1207\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1217\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 4 | Coverage: %67\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 16 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.005\",\n            \"score\": 30,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 3 | Coverage: %30\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 11 | Detected: 11 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.008\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | 
Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.009\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.010\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.011\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 16 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1219\",\n            \"score\": 13,\n            \"color\": \"\",\n            \"comment\": \"Tests: 15 | Detected: 2 | Coverage: %13\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1220\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1221\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222.001\",\n            \"score\": 83,\n            
\"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 5 | Coverage: %83\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1482\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 8 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1484.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1485\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1486\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1489\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1490\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 9 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1491.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": 
\"T1496\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1497.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": 
[]\n        },\n        {\n            \"techniqueID\": \"T1529\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 3 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1531\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1539\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1542.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1543.003\",\n            \"score\": 83,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 5 | Coverage: %83\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546\",\n            \"score\": 11,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 1 | Coverage: %11\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n          
  \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.003\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.008\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 2 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.011\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            
\"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.018\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.001\",\n            \"score\": 15,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 3 | Coverage: %15\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.005\",\n            
\"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.009\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.014\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n       
     \"techniqueID\": \"T1548.002\",\n            \"score\": 11,\n            \"color\": \"\",\n            \"comment\": \"Tests: 27 | Detected: 3 | Coverage: %11\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1550.002\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1550.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.001\",\n            \"score\": 10,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 1 | Coverage: %10\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.004\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 3 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.004\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.003\",\n            \"score\": 57,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 8 | Coverage: %57\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1556.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 
2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1557.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.003\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 3 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.004\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560\",\n            \"score\": 0,\n            
\"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560.001\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 3 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.001\",\n            \"score\": 21,\n            \"color\": \"\",\n            \"comment\": \"Tests: 39 | Detected: 8 | Coverage: %21\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1562.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1563.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1566.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1566.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1569.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1570\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1571\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n    
        \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1572\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1573\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1592.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": 
\"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1595.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1615\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1620\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1622\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1649\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1652\",\n            \"score\": 0,\n            \"color\": \"\",\n 
           \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1654\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        }\n    ],\n    \"gradient\": {\n        \"colors\": [\n            \"#ff6666\",\n            \"#ffe766\",\n            \"#8ec843\"\n        ],\n        \"minValue\": 0,\n        \"maxValue\": 100\n    }\n}"
  },
  {
    "path": "dist/mitre_layer_sigma.json",
    "content": "{\n    \"name\": \"ARM - Sigma Detection Coverage\",\n    \"versions\": {\n        \"attack\": \"18\",\n        \"navigator\": \"5.3.0\",\n        \"layer\": \"4.5\"\n    },\n    \"domain\": \"enterprise-attack\",\n    \"description\": \"Sigma rule coverage\",\n    \"filters\": {\n        \"platforms\": [\n            \"Windows\"\n        ]\n    },\n    \"sorting\": 3,\n    \"layout\": {\n        \"layout\": \"side\",\n        \"aggregateFunction\": \"average\",\n        \"showID\": false,\n        \"showName\": true,\n        \"showAggregateScores\": false,\n        \"countUnscored\": false\n    },\n    \"hideDisabled\": false,\n    \"techniques\": [\n        {\n            \"techniqueID\": \"T1001.002\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003\",\n            \"score\": 57,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 4 | Coverage: %57\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 14 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.002\",\n            \"score\": 62,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 5 | Coverage: %62\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 9 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1003.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.008\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1005\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1007\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: %40\",\n            \"enabled\": true,\n 
           \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1012\",\n            \"score\": 17,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 1 | Coverage: %17\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1014\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016\",\n            \"score\": 89,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 8 | Coverage: %89\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1018\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 20 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1020\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: 
%100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.006\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1025\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027\",\n            \"score\": 55,\n            \"color\": \"\",\n   
         \"comment\": \"Tests: 11 | Detected: 6 | Coverage: %55\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1030\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1033\",\n      
      \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 7 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 8 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.005\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        
},\n        {\n            \"techniqueID\": \"T1037.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1039\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1040\",\n            \"score\": 86,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 12 | Coverage: %86\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1041\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1046\",\n            \"score\": 56,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 5 | Coverage: %56\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1047\",\n            \"score\": 80,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 8 | Coverage: %80\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048.003\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1049\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.005\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 9 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055\",\n            \"score\": 23,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 3 | Coverage: %23\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 
1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.004\",\n            \"score\": 100,\n          
  \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1057\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 22 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.003\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 4 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.005\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1069.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1069.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 14 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.001\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 7 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.005\",\n            \"score\": 80,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 4 | Coverage: %80\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.006\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.004\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1072\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1074.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | 
Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1082\",\n            \"score\": 61,\n            \"color\": \"\",\n            \"comment\": \"Tests: 28 | Detected: 17 | Coverage: %61\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1083\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 6 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 22 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1091\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1095\",\n            \"score\": 67,\n            
\"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1098\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 10 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1105\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 29 | Detected: 29 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1106\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.001\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1112\",\n            \"score\": 30,\n            \"color\": \"\",\n            \"comment\": \"Tests: 90 | Detected: 27 | Coverage: %30\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1113\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1114.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1115\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1119\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1120\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1123\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1124\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: %40\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1125\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1129\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1132.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1133\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.002\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: 
%50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.004\",\n            \"score\": 40,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 2 | Coverage: %40\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1135\",\n            \"score\": 44,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 4 | Coverage: %44\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.002\",\n            \"score\": 0,\n            \"color\": \"\",\n 
           \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.006\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1140\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1176\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1187\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1195\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1197\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1201\",\n            
\"score\": 80,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 4 | Coverage: %80\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1202\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.002\",\n            \"score\": 23,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 3 | Coverage: %23\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1207\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1217\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 4 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n        
    \"techniqueID\": \"T1218\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 16 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.001\",\n            \"score\": 38,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 3 | Coverage: %38\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.005\",\n            \"score\": 30,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 3 | Coverage: %30\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 11 | Detected: 11 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.008\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            
\"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.009\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.010\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.011\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 16 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1219\",\n            \"score\": 13,\n            \"color\": \"\",\n            \"comment\": \"Tests: 15 | Detected: 2 | Coverage: %13\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1220\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1221\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222.001\",\n            \"score\": 83,\n            \"color\": \"\",\n            \"comment\": 
\"Tests: 6 | Detected: 5 | Coverage: %83\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1482\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 8 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1484.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1485\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1486\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1489\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 3 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1490\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 9 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1491.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 2 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1496\",\n            \"score\": 0,\n         
   \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1497.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518.001\",\n            \"score\": 38,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 3 | Coverage: %38\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1529\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 3 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1531\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1539\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1542.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1543.003\",\n            \"score\": 83,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 5 | Coverage: %83\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546\",\n            \"score\": 11,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 1 | Coverage: %11\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.003\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.007\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.008\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 2 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.011\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | 
Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.018\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.001\",\n            \"score\": 15,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 3 | Coverage: %15\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.005\",\n            \"score\": 0,\n            \"color\": \"\",\n   
         \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.009\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.014\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1548.002\",\n          
  \"score\": 11,\n            \"color\": \"\",\n            \"comment\": \"Tests: 27 | Detected: 3 | Coverage: %11\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1550.002\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1550.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.004\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 3 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n    
    {\n            \"techniqueID\": \"T1553.003\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.004\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.003\",\n            \"score\": 57,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 8 | Coverage: %57\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1556.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            
\"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1557.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.003\",\n            \"score\": 14,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 1 | Coverage: %14\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.004\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 
| Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560.001\",\n            \"score\": 29,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 2 | Coverage: %29\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.001\",\n            \"score\": 21,\n            \"color\": \"\",\n            \"comment\": \"Tests: 39 | Detected: 8 | Coverage: %21\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.009\",\n            \"score\": 0,\n          
  \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1563.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": 
\"T1564.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1566.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1566.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1569.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1570\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1571\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        
},\n        {\n            \"techniqueID\": \"T1572\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1573\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1592.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1595.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1615\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1620\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1622\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1649\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1652\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n 
           \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1654\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        }\n    ],\n    \"gradient\": {\n        \"colors\": [\n            \"#ff6666\",\n            \"#ffe766\",\n            \"#8ec843\"\n        ],\n        \"minValue\": 0,\n        \"maxValue\": 100\n    }\n}"
  },
  {
    "path": "dist/mitre_layer_splunk.json",
    "content": "{\n    \"name\": \"ARM - Splunk Detection Coverage\",\n    \"versions\": {\n        \"attack\": \"18\",\n        \"navigator\": \"5.3.0\",\n        \"layer\": \"4.5\"\n    },\n    \"domain\": \"enterprise-attack\",\n    \"description\": \"Splunk/ESCU rule coverage\",\n    \"filters\": {\n        \"platforms\": [\n            \"Windows\"\n        ]\n    },\n    \"sorting\": 3,\n    \"layout\": {\n        \"layout\": \"side\",\n        \"aggregateFunction\": \"average\",\n        \"showID\": false,\n        \"showName\": true,\n        \"showAggregateScores\": false,\n        \"countUnscored\": false\n    },\n    \"hideDisabled\": false,\n    \"techniques\": [\n        {\n            \"techniqueID\": \"T1001.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.001\",\n            \"score\": 14,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 2 | Coverage: %14\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.002\",\n            \"score\": 62,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 5 | Coverage: %62\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.003\",\n            \"score\": 78,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 7 | Coverage: %78\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1003.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.006\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.007\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1003.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1005\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1014\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016\",\n            \"score\": 22,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 2 | Coverage: %22\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1016.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1018\",\n            \"score\": 45,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 9 | Coverage: %45\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1020\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n           
 \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.001\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.002\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1021.006\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1025\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027\",\n            \"score\": 18,\n            \"color\": \"\",\n            \"comment\": 
\"Tests: 11 | Detected: 2 | Coverage: %18\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1027.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1030\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1033\",\n            \"score\": 86,\n            
\"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 6 | Coverage: %86\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.003\",\n            \"score\": 12,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 1 | Coverage: %12\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.004\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.005\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.006\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1036.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": 
\"T1037.004\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1037.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1039\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1040\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 6 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1041\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1046\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1047\",\n            \"score\": 70,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 7 | Coverage: %70\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n      
  {\n            \"techniqueID\": \"T1048.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1048.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1049\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 4 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1053.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 12 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            
\"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1055.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1056.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": 
\"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1057\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.001\",\n            \"score\": 95,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 21 | Coverage: %95\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1059.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1069.001\",\n            \"score\": 100,\n     
       \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 5 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1069.002\",\n            \"score\": 64,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 9 | Coverage: %64\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.004\",\n            \"score\": 29,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 2 | Coverage: %29\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1070.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1070.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1071.004\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1072\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1074.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1078.003\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1082\",\n            \"score\": 18,\n            \"color\": \"\",\n            \"comment\": \"Tests: 28 | Detected: 5 | Coverage: %18\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1083\",\n            \"score\": 17,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 1 | Coverage: %17\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.001\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1087.002\",\n            \"score\": 41,\n            \"color\": \"\",\n            \"comment\": \"Tests: 22 | Detected: 9 | Coverage: %41\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1090.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1091\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1095\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: 
%67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1098\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1105\",\n            \"score\": 21,\n            \"color\": \"\",\n            \"comment\": \"Tests: 29 | Detected: 6 | Coverage: %21\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1106\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.001\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.002\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1110.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1112\",\n            \"score\": 2,\n            \"color\": \"\",\n            
\"comment\": \"Tests: 90 | Detected: 2 | Coverage: %2\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1113\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1114.001\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1115\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1119\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1120\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1123\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1124\",\n            \"score\": 20,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 1 | Coverage: %20\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1125\",\n            \"score\": 0,\n           
 \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1127.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1129\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1132.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1133\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.002\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": 
\"T1134.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1134.005\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1135\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.001\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1136.002\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n    
    },\n        {\n            \"techniqueID\": \"T1137.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1137.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1140\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1176\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1187\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1195\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 1 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1197\",\n            \"score\": 75,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 3 | Coverage: %75\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1201\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": 
true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1202\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 13 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1204.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1207\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1216.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1217\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218\",\n            \"score\": 19,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 3 | 
Coverage: %19\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.001\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.007\",\n            \"score\": 27,\n            \"color\": \"\",\n            \"comment\": \"Tests: 11 | Detected: 3 | Coverage: %27\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.008\",\n            \"score\": 100,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 2 | Coverage: %100\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.009\",\n            \"score\": 0,\n            \"color\": 
\"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.010\",\n            \"score\": 60,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 3 | Coverage: %60\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1218.011\",\n            \"score\": 56,\n            \"color\": \"\",\n            \"comment\": \"Tests: 16 | Detected: 9 | Coverage: %56\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1219\",\n            \"score\": 13,\n            \"color\": \"\",\n            \"comment\": \"Tests: 15 | Detected: 2 | Coverage: %13\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1220\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1221\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1222.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1482\",\n            
\"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 4 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1484.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1485\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1486\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1489\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1490\",\n            \"score\": 8,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 1 | Coverage: %8\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1491.001\",\n            \"score\": 25,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 1 | Coverage: %25\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1496\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1497.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1505.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1518.001\",\n            \"score\": 12,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 1 | Coverage: %12\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1529\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 3 | Coverage: %50\",\n            \"enabled\": true,\n            
\"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1531\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1539\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1542.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1543.003\",\n            \"score\": 17,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 1 | Coverage: %17\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 9 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.003\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n  
          \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.007\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.013\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            
\"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1546.018\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 20 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.006\",\n            \"score\": 
0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.010\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.014\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1547.015\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1548.002\",\n            \"score\": 7,\n            \"color\": \"\",\n            \"comment\": \"Tests: 27 | Detected: 2 | Coverage: %7\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1550.002\",\n            \"score\": 33,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 1 | Coverage: %33\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1550.003\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.001\",\n            \"score\": 10,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 1 | Coverage: %10\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.004\",\n            \"score\": 14,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 1 | Coverage: %14\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1552.006\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n          
  \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.005\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1553.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 8 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.003\",\n            \"score\": 7,\n            \"color\": \"\",\n            \"comment\": \"Tests: 14 | Detected: 1 | Coverage: %7\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1555.004\",\n            \"score\": 50,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 1 | Coverage: %50\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1556.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1557.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: 
%0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.003\",\n            \"score\": 43,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 3 | Coverage: %43\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1558.004\",\n            \"score\": 67,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 2 | Coverage: %67\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1559.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1560.001\",\n            \"score\": 14,\n            \"color\": \"\",\n            
\"comment\": \"Tests: 7 | Detected: 1 | Coverage: %14\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.001\",\n            \"score\": 3,\n            \"color\": \"\",\n            \"comment\": \"Tests: 39 | Detected: 1 | Coverage: %3\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 12 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 10 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1562.010\",\n            
\"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1563.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.004\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1564.006\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            
\"techniqueID\": \"T1566.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1566.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1567.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1569.002\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 7 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1570\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1571\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1572\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 4 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": 
[]\n        },\n        {\n            \"techniqueID\": \"T1573\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.008\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.009\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.011\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1574.012\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 3 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1592.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1595.003\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            
\"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1614.001\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 6 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1615\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 5 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1620\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1622\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1649\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1652\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 1 | Detected: 0 | Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        },\n        {\n            \"techniqueID\": \"T1654\",\n            \"score\": 0,\n            \"color\": \"\",\n            \"comment\": \"Tests: 2 | Detected: 0 | 
Coverage: %0\",\n            \"enabled\": true,\n            \"metadata\": []\n        }\n    ],\n    \"gradient\": {\n        \"colors\": [\n            \"#ff6666\",\n            \"#ffe766\",\n            \"#8ec843\"\n        ],\n        \"minValue\": 0,\n        \"maxValue\": 100\n    }\n}"
  },
  {
    "path": "requirements.txt",
    "content": "# AttackRuleMap - Direct dependencies for automation/\n# Install: pip install -r requirements.txt\n\nparamiko>=4.0.0\nPyYAML>=6.0\npython-dotenv>=1.0.0\npySigma>=0.11.0\npySigma-backend-splunk>=1.1.0\nsplunk-sdk>=2.0.0\n"
  }
]