defense-evasion;T1027.009;posh_ps_token_obfuscation.yml,proc_creation_win_powershell_token_obfuscation.yml
defense-evasion;T1574.007;proc_creation_win_secedit_execution.yml
defense-evasion;T1036.007;file_event_win_susp_double_extension.yml,file_event_win_susp_lnk_double_extension.yml,proc_creation_win_susp_double_extension_parent.yml
defense-evasion;T1578;azure_aadhybridhealth_adfs_new_server.yml
defense-evasion;T1542.003;proc_creation_win_bcdedit_susp_execution.yml
defense-evasion;T1218.013;proc_creation_win_lolbin_mavinject_process_injection.yml,proc_creation_win_renamed_mavinject.yml
defense-evasion;T1036.008;file_rename_win_non_dll_to_dll_ext.yml
defense-evasion;T1553.002;win_security_susp_sdelete.yml
defense-evasion;T1599.001;driver_load_win_windivert.yml
defense-evasion;T1550;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,win_security_susp_logon_newcredentials.yml
defense-evasion;T1222;posh_ps_set_acl.yml,posh_ps_set_acl_susp_location.yml
defense-evasion;T1548;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_aad_secops_new_ca_policy_addedby_bad_actor.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,gcp_breakglass_container_workload_deployed.yml,lnx_auditd_capabilities_discovery.yml,file_event_lnx_doas_conf_creation.yml,proc_creation_lnx_doas_execution.yml,win_security_scm_database_privileged_operation.yml,win_system_vul_cve_2020_1472.yml,proc_access_win_svchost_credential_dumping.yml,proc_creation_win_regedit_trustedinstaller.yml,proc_creation_win_susp_abusing_debug_privilege.yml,proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml,registry_set_comhijack_sdclt.yml
defense-evasion;T1578.003;azure_aadhybridhealth_adfs_service_delete.yml
defense-evasion;T1574.005;proc_creation_win_hktl_sharpup.yml
defense-evasion;T1562.007;azure_network_firewall_policy_modified_or_deleted.yml
defense-evasion;T1036.002;proc_creation_win_susp_right_to_left_override.yml
defense-evasion;T1134.003;proc_creation_win_hktl_impersonate.yml,proc_creation_win_hktl_sharp_impersonation.yml
defense-evasion;T1574;file_delete_win_cve_2021_1675_print_nightmare.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,image_load_spoolsv_dll_load.yml,proc_creation_win_registry_cimprovider_dll_load.yml,proc_creation_win_regsvr32_uncommon_extension.yml,registry_set_dbgmanageddebugger_persistence.yml,registry_set_susp_printer_driver.yml,proc_creation_win_exploit_cve_2019_1378.yml
defense-evasion;T1027.005;win_security_susp_sdelete.yml,proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml,proc_creation_win_pua_defendercheck.yml,proc_creation_win_pua_rcedit_execution.yml
defense-evasion;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_telnet_login_attempt.yml,aws_susp_saml_activity.yml,azure_ad_user_added_to_admin_role.yml,azure_kubernetes_admission_controller.yml,azure_ad_account_created_deleted.yml,azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml,azure_federation_modified.yml,azure_pim_alerts_disabled.yml,azure_subscription_permissions_elevation_via_auditlogs.yml,azure_identity_protection_anonymous_ip_activity.yml,azure_identity_protection_atypical_travel.yml,azure_identity_protection_impossible_travel.yml,azure_identity_protection_new_coutry_region.yml,azure_identity_protection_suspicious_browser.yml,azure_identity_protection_threat_intel.yml,azure_identity_protection_unfamilar_sign_in.yml,azure_pim_account_stale.yml,azure_pim_invalid_license.yml,azure_pim_role_assigned_outside_of_pim.yml,azure_pim_role_frequent_activation.yml,azure_pim_role_not_used.yml,azure_pim_role_no_mfa_required.yml,azure_pim_too_many_global_admins.yml,azure_ad_auth_failure_increase.yml,azure_ad_auth_sucess_increase.yml,azure_ad_auth_to_important_apps_using_single_factor_auth.yml,azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml,azure_app_device_code_authentication.yml,azure_app_ropc_authentication.yml,azure_unusual_authentication_interruption.yml,gcp_kubernetes_admission_controller.yml,microsoft365_impossible_travel_activity.yml,microsoft365_logon_from_risky_ip_address.yml,proc_creation_macos_dsenableroot_enable_root_account.yml,proc_creation_macos_sysadminctl_enable_guest_account.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,win_security_susp_computer_name.yml,win_security_susp_failed_logon_reasons.yml,win_security_susp_logon_explicit_credentials.yml,win_security_user_added_to_local_administrators.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,win_security_susp_failed_logon_source.yml,posh_pm_susp_reset_computermachinepassword.yml,proc_creation_win_net_use_password_plaintext.yml
defense-evasion;T1556.006;azure_ad_only_single_factor_auth_required.yml,okta_mfa_reset_or_deactivated.yml
defense-evasion;T1553;proc_creation_macos_susp_execution_macos_script_editor.yml,proc_creation_win_exploit_other_razorinstaller_lpe.yml
defense-evasion;T1027.003;lnx_auditd_hidden_zip_files_steganography.yml,lnx_auditd_steghide_embed_steganography.yml,lnx_auditd_steghide_extract_steganography.yml,lnx_auditd_unzip_hidden_zip_files_steganography.yml,proc_creation_win_findstr_lnk.yml
defense-evasion;T1078.002;win_security_admin_rdp_login.yml
defense-evasion;T1055.009;proc_creation_lnx_dd_process_injection.yml
defense-evasion;T1027.010;proc_creation_win_powershell_crypto_namespace.yml,registry_set_powershell_crypto_namespace.yml
defense-evasion;T1134;win_security_hktl_nofilter.yml,proc_creation_win_susp_system_user_anomaly.yml
defense-evasion;T1484;azure_ad_device_registration_policy_changes.yml
defense-evasion;T1550.001;aws_console_getsignintoken.yml,aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml
defense-evasion;T1556;aws_sso_idp_change.yml,azure_mfa_disabled.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_ad_certificate_based_authencation_enabled.yml,azure_ad_new_root_ca_added.yml,azure_change_to_authentication_method.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,github_disable_high_risk_configuration.yml,microsoft365_disabling_mfa.yml,win_security_susp_possible_shadow_credentials_added.yml
defense-evasion;T1211;win_application_msmpeng_crash_error.yml,win_audit_cve.yml,win_application_msmpeng_crash_wer.yml,proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
privilege-escalation;T1574.007;proc_creation_win_secedit_execution.yml
privilege-escalation;T1543;win_codeintegrity_enforced_policy_block.yml,win_codeintegrity_revoked_driver_blocked.yml,win_security_service_installation_by_unusal_client.yml,win_system_krbrelayup_service_installation.yml,win_system_service_install_sups_unusal_client.yml,driver_load_win_pua_process_hacker.yml,driver_load_win_pua_system_informer.yml,proc_creation_win_pua_process_hacker.yml,proc_creation_win_pua_system_informer.yml
privilege-escalation;T1053;rpc_firewall_atsvc_lateral_movement.yml,rpc_firewall_itaskschedulerservice_lateral_movement.yml,rpc_firewall_sasec_lateral_movement.yml,cisco_cli_modify_config.yml,file_event_win_susp_task_write.yml,proc_creation_win_hktl_crackmapexec_execution.yml,proc_creation_win_hktl_crackmapexec_execution_patterns.yml,proc_creation_win_hktl_sharpersist.yml,registry_set_taskcache_entry.yml,win_security_apt_slingshot.yml,proc_creation_win_apt_hafnium.yml,proc_creation_win_apt_actinium_persistence.yml
privilege-escalation;T1548;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_aad_secops_new_ca_policy_addedby_bad_actor.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,gcp_breakglass_container_workload_deployed.yml,lnx_auditd_capabilities_discovery.yml,file_event_lnx_doas_conf_creation.yml,proc_creation_lnx_doas_execution.yml,win_security_scm_database_privileged_operation.yml,win_system_vul_cve_2020_1472.yml,proc_access_win_svchost_credential_dumping.yml,proc_creation_win_regedit_trustedinstaller.yml,proc_creation_win_susp_abusing_debug_privilege.yml,proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml,registry_set_comhijack_sdclt.yml
privilege-escalation;T1574.005;proc_creation_win_hktl_sharpup.yml
privilege-escalation;T1134.003;proc_creation_win_hktl_impersonate.yml,proc_creation_win_hktl_sharp_impersonation.yml
privilege-escalation;T1574;file_delete_win_cve_2021_1675_print_nightmare.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,image_load_spoolsv_dll_load.yml,proc_creation_win_registry_cimprovider_dll_load.yml,proc_creation_win_regsvr32_uncommon_extension.yml,registry_set_dbgmanageddebugger_persistence.yml,registry_set_susp_printer_driver.yml,proc_creation_win_exploit_cve_2019_1378.yml
privilege-escalation;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_telnet_login_attempt.yml,aws_susp_saml_activity.yml,azure_ad_user_added_to_admin_role.yml,azure_kubernetes_admission_controller.yml,azure_ad_account_created_deleted.yml,azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml,azure_federation_modified.yml,azure_pim_alerts_disabled.yml,azure_subscription_permissions_elevation_via_auditlogs.yml,azure_identity_protection_anonymous_ip_activity.yml,azure_identity_protection_atypical_travel.yml,azure_identity_protection_impossible_travel.yml,azure_identity_protection_new_coutry_region.yml,azure_identity_protection_suspicious_browser.yml,azure_identity_protection_threat_intel.yml,azure_identity_protection_unfamilar_sign_in.yml,azure_pim_account_stale.yml,azure_pim_invalid_license.yml,azure_pim_role_assigned_outside_of_pim.yml,azure_pim_role_frequent_activation.yml,azure_pim_role_not_used.yml,azure_pim_role_no_mfa_required.yml,azure_pim_too_many_global_admins.yml,azure_ad_auth_failure_increase.yml,azure_ad_auth_sucess_increase.yml,azure_ad_auth_to_important_apps_using_single_factor_auth.yml,azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml,azure_app_device_code_authentication.yml,azure_app_ropc_authentication.yml,azure_unusual_authentication_interruption.yml,gcp_kubernetes_admission_controller.yml,microsoft365_impossible_travel_activity.yml,microsoft365_logon_from_risky_ip_address.yml,proc_creation_macos_dsenableroot_enable_root_account.yml,proc_creation_macos_sysadminctl_enable_guest_account.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,win_security_susp_computer_name.yml,win_security_susp_failed_logon_reasons.yml,win_security_susp_logon_explicit_credentials.yml,win_security_user_added_to_local_administrators.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,win_security_susp_failed_logon_source.yml,posh_pm_susp_reset_computermachinepassword.yml,proc_creation_win_net_use_password_plaintext.yml
privilege-escalation;T1068;lnx_auditd_coinminer.yml,lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml,lnx_buffer_overflows.yml,lnx_nimbuspwn_privilege_escalation_exploit.yml,lnx_sudo_cve_2019_14287_user.yml,proc_creation_lnx_omigod_scx_runasprovider_executescript.yml,proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml,proc_creation_lnx_sudo_cve_2019_14287.yml,zeek_http_omigod_no_auth_rce.yml,win_audit_cve.yml,driver_load_win_mal_drivers.yml,driver_load_win_mal_drivers_names.yml,driver_load_win_vuln_drivers.yml,driver_load_win_vuln_drivers_names.yml,file_event_win_sysinternals_procexp_driver_susp_creation.yml,file_event_win_sysinternals_procmon_driver_susp_creation.yml,proc_creation_win_hktl_sysmoneop.yml,proc_creation_win_spoolsv_susp_child_processes.yml,proc_creation_win_exploit_cve_2019_1378.yml,proc_creation_win_exploit_cve_2019_1388.yml,file_event_win_cve_2021_41379_msi_lpe.yml,proc_creation_win_exploit_cve_2021_41379.yml,proc_creation_win_exploit_other_systemnightmare.yml,proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
privilege-escalation;T1078.002;win_security_admin_rdp_login.yml
privilege-escalation;T1055.009;proc_creation_lnx_dd_process_injection.yml
privilege-escalation;T1134;win_security_hktl_nofilter.yml,proc_creation_win_susp_system_user_anomaly.yml
privilege-escalation;T1484;azure_ad_device_registration_policy_changes.yml
execution;T1559.001;dns_query_win_regsvr32_dns_query.yml,net_connection_win_dllhost_non_local_ip.yml,net_connection_win_regsvr32_network_activity.yml,proc_access_win_cmstp_execution_by_access.yml
execution;T1053;rpc_firewall_atsvc_lateral_movement.yml,rpc_firewall_itaskschedulerservice_lateral_movement.yml,rpc_firewall_sasec_lateral_movement.yml,cisco_cli_modify_config.yml,file_event_win_susp_task_write.yml,proc_creation_win_hktl_crackmapexec_execution.yml,proc_creation_win_hktl_crackmapexec_execution_patterns.yml,proc_creation_win_hktl_sharpersist.yml,registry_set_taskcache_entry.yml,win_security_apt_slingshot.yml,proc_creation_win_apt_hafnium.yml,proc_creation_win_apt_actinium_persistence.yml
execution;T1059.009;aws_iam_s3browser_loginprofile_creation.yml,aws_iam_s3browser_templated_s3_bucket_policy_creation.yml,aws_iam_s3browser_user_or_accesskey_creation.yml
execution;T1204;av_hacktool.yml,proc_creation_macos_payload_decoded_and_decrypted.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml,proc_creation_win_webdav_lnk_execution.yml,registry_event_mimikatz_printernightmare.yml,proc_creation_win_malware_snatch_ransomware.yml,proc_creation_win_malware_darkside_ransomware.yml
execution;T1203;av_exploiting.yml,lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml,proc_creation_lnx_omigod_scx_runasprovider_executescript.yml,proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml,proc_creation_macos_susp_browser_child_process.yml,zeek_http_omigod_no_auth_rce.yml,proxy_download_susp_tlds_blacklist.yml,proxy_download_susp_tlds_whitelist.yml,win_audit_cve.yml,net_connection_win_eqnedt.yml,net_connection_win_office_outbound_non_local_ip.yml,proc_creation_win_hwp_exploits.yml,proc_creation_win_java_remote_debugging.yml,proc_creation_win_keyscrambler_susp_child_process.yml,proc_creation_win_spoolsv_susp_child_processes.yml,proc_creation_win_winrar_susp_child_process.yml,proc_creation_win_exploit_cve_2017_0261.yml,proc_creation_win_exploit_cve_2017_11882.yml,proc_creation_win_exploit_cve_2017_8759.yml,file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml,registry_set_cve_2021_31979_cve_2021_33771_exploits.yml,proc_creation_win_exploit_cve_2021_26857_msexchange.yml,file_event_win_cve_2021_26858_msexchange.yml,proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml,net_connection_win_dfsvc_non_local_ip.yml,net_connection_win_dfsvc_uncommon_ports.yml
execution;T1569;proc_creation_win_sysinternals_psexec_execution.yml,win_exploit_cve_2021_1675_printspooler.yml,win_exploit_cve_2021_1675_printspooler_operational.yml,win_security_exploit_cve_2021_1675_printspooler_security.yml
execution;T1204.001;lnx_symlink_etc_passwd.yml,proc_creation_macos_susp_execution_macos_script_editor.yml
persistence;T1574.007;proc_creation_win_secedit_execution.yml
persistence;T1543;win_codeintegrity_enforced_policy_block.yml,win_codeintegrity_revoked_driver_blocked.yml,win_security_service_installation_by_unusal_client.yml,win_system_krbrelayup_service_installation.yml,win_system_service_install_sups_unusal_client.yml,driver_load_win_pua_process_hacker.yml,driver_load_win_pua_system_informer.yml,proc_creation_win_pua_process_hacker.yml,proc_creation_win_pua_system_informer.yml
persistence;T1542.003;proc_creation_win_bcdedit_susp_execution.yml
persistence;T1053;rpc_firewall_atsvc_lateral_movement.yml,rpc_firewall_itaskschedulerservice_lateral_movement.yml,rpc_firewall_sasec_lateral_movement.yml,cisco_cli_modify_config.yml,file_event_win_susp_task_write.yml,proc_creation_win_hktl_crackmapexec_execution.yml,proc_creation_win_hktl_crackmapexec_execution_patterns.yml,proc_creation_win_hktl_sharpersist.yml,registry_set_taskcache_entry.yml,win_security_apt_slingshot.yml,proc_creation_win_apt_hafnium.yml,proc_creation_win_apt_actinium_persistence.yml
persistence;T1525;aws_ecs_task_definition_cred_endpoint_query.yml
persistence;T1574.005;proc_creation_win_hktl_sharpup.yml
persistence;T1554;win_security_hybridconnectionmgr_svc_installation.yml,win_hybridconnectionmgr_svc_running.yml,dns_query_win_hybridconnectionmgr_servicebus.yml
persistence;T1137.003;file_event_win_office_outlook_newform.yml
persistence;T1574;file_delete_win_cve_2021_1675_print_nightmare.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,image_load_spoolsv_dll_load.yml,proc_creation_win_registry_cimprovider_dll_load.yml,proc_creation_win_regsvr32_uncommon_extension.yml,registry_set_dbgmanageddebugger_persistence.yml,registry_set_susp_printer_driver.yml,proc_creation_win_exploit_cve_2019_1378.yml
persistence;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_telnet_login_attempt.yml,aws_susp_saml_activity.yml,azure_ad_user_added_to_admin_role.yml,azure_kubernetes_admission_controller.yml,azure_ad_account_created_deleted.yml,azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml,azure_federation_modified.yml,azure_pim_alerts_disabled.yml,azure_subscription_permissions_elevation_via_auditlogs.yml,azure_identity_protection_anonymous_ip_activity.yml,azure_identity_protection_atypical_travel.yml,azure_identity_protection_impossible_travel.yml,azure_identity_protection_new_coutry_region.yml,azure_identity_protection_suspicious_browser.yml,azure_identity_protection_threat_intel.yml,azure_identity_protection_unfamilar_sign_in.yml,azure_pim_account_stale.yml,azure_pim_invalid_license.yml,azure_pim_role_assigned_outside_of_pim.yml,azure_pim_role_frequent_activation.yml,azure_pim_role_not_used.yml,azure_pim_role_no_mfa_required.yml,azure_pim_too_many_global_admins.yml,azure_ad_auth_failure_increase.yml,azure_ad_auth_sucess_increase.yml,azure_ad_auth_to_important_apps_using_single_factor_auth.yml,azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml,azure_app_device_code_authentication.yml,azure_app_ropc_authentication.yml,azure_unusual_authentication_interruption.yml,gcp_kubernetes_admission_controller.yml,microsoft365_impossible_travel_activity.yml,microsoft365_logon_from_risky_ip_address.yml,proc_creation_macos_dsenableroot_enable_root_account.yml,proc_creation_macos_sysadminctl_enable_guest_account.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,win_security_susp_computer_name.yml,win_security_susp_failed_logon_reasons.yml,win_security_susp_logon_explicit_credentials.yml,win_security_user_added_to_local_administrators.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,win_security_susp_failed_logon_source.yml,posh_pm_susp_reset_computermachinepassword.yml,proc_creation_win_net_use_password_plaintext.yml
persistence;T1556.006;azure_ad_only_single_factor_auth_required.yml,okta_mfa_reset_or_deactivated.yml
persistence;T1078.002;win_security_admin_rdp_login.yml
persistence;T1505;cisco_cli_modify_config.yml
persistence;T1136;kubernetes_audit_serviceaccount_creation.yml,aws_elasticache_security_group_created.yml,proc_creation_lnx_esxcli_user_account_creation.yml
persistence;T1556;aws_sso_idp_change.yml,azure_mfa_disabled.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_ad_certificate_based_authencation_enabled.yml,azure_ad_new_root_ca_added.yml,azure_change_to_authentication_method.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,github_disable_high_risk_configuration.yml,microsoft365_disabling_mfa.yml,win_security_susp_possible_shadow_credentials_added.yml
persistence;T1505.001;db_anomalous_query.yml,file_event_win_cve_2023_27363_foxit_rce.yml
command-and-control;T1568.002;net_connection_lnx_ngrok_tunnel.yml,net_connection_win_domain_ngrok_tunnel.yml
command-and-control;T1090.002;win_security_rdp_reverse_tunnel.yml
command-and-control;T1090;opencanary_httpproxy_login_attempt.yml,azure_identity_protection_malicious_ip_address.yml,azure_identity_protection_malicious_ip_address_suspicious.yml,azure_identity_protection_malware_linked_ip.yml,net_connection_lnx_ngrok_tunnel.yml,proc_creation_lnx_proxy_connection.yml,win_terminalservices_rdp_ngrok.yml,net_connection_win_domain_ngrok_tunnel.yml,posh_ps_susp_proxy_scripts.yml,proc_creation_win_cloudflared_tunnel_cleanup.yml,proc_creation_win_cloudflared_tunnel_run.yml,proc_creation_win_hktl_htran_or_natbypass.yml,proc_creation_win_netsh_port_forwarding.yml,proc_creation_win_netsh_port_forwarding_3389.yml,proc_creation_win_pua_frp.yml,proc_creation_win_pua_iox.yml,proc_creation_win_pua_nps.yml,registry_event_portproxy_registry_key.yml
command-and-control;T1568;proxy_download_susp_dyndns.yml
command-and-control;T1102;net_connection_lnx_ngrok_tunnel.yml,net_connection_win_domain_ngrok_tunnel.yml,net_connection_win_notion_api_susp_communication.yml,net_connection_win_susp_dead_drop_resolvers.yml,net_connection_win_susp_google_api_non_browser_access.yml,net_connection_win_telegram_api_non_browser_access.yml,proc_creation_win_cloudflared_tunnel_cleanup.yml,proc_creation_win_cloudflared_tunnel_run.yml,proc_creation_win_java_manageengine_susp_child_process.yml
command-and-control;T1104;proc_creation_win_powershell_susp_ps_downloadfile.yml
command-and-control;T1102.003;proxy_pwndrop.yml,proxy_raw_paste_service_access.yml
command-and-control;T1102.002;net_dns_susp_telegram_api.yml,proxy_telegram_api.yml
command-and-control;T1001.003;win_security_susp_ldap_dataexchange.yml,file_event_win_adsi_cache_creation_by_uncommon_tool.yml
command-and-control;T1008;file_event_win_office_outlook_macro_creation.yml,file_event_win_office_outlook_susp_macro_creation.yml,registry_set_office_outlook_enable_load_macro_provider_on_boot.yml,registry_set_office_outlook_enable_macro_execution.yml
command-and-control;T1102.001;proxy_pwndrop.yml,proxy_raw_paste_service_access.yml,net_connection_win_susp_dead_drop_resolvers.yml
collection;T1557;cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,proc_creation_win_secedit_execution.yml
collection;T1114;microsoft365_pst_export_alert.yml,microsoft365_pst_export_alert_using_new_compliancesearchaction.yml,win_security_alert_ruler.yml,proc_creation_win_powershell_snapins_hafnium.yml
collection;T1185;proc_creation_win_browsers_chromium_headless_debugging.yml,proc_creation_win_browsers_remote_debugging.yml
collection;T1074;gcp_full_network_traffic_packet_capture.yml,cisco_cli_moving_data.yml
collection;T1056;proxy_susp_ipfs_cred_harvest.yml,dns_query_win_onelaunch_update_service.yml
collection;T1213.003;bitbucket_audit_full_data_export_triggered.yml,bitbucket_audit_unauthorized_full_data_export_triggered.yml,github_delete_action_invoked.yml,github_outside_collaborator_detected.yml,github_self_hosted_runner_changes_detected.yml
collection;T1213;opencanary_git_clone_request.yml,opencanary_mssql_login_sqlauth.yml,opencanary_mssql_login_winauth.yml,opencanary_mysql_login_attempt.yml,opencanary_redis_command.yml,bitbucket_audit_user_details_export_attempt_detected.yml,bitbucket_audit_user_permissions_export_attempt_detected.yml
lateral-movement;T1550;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,win_security_susp_logon_newcredentials.yml
lateral-movement;T1021;opencanary_ftp_login_attempt.yml,opencanary_smb_file_open.yml,opencanary_snmp_cmd.yml,opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_vnc_connection_attempt.yml,proc_creation_win_susp_priv_escalation_via_named_pipe.yml,proc_creation_win_susp_remote_desktop_tunneling.yml,proc_creation_win_sysinternals_psexec_execution.yml
lateral-movement;T1021.007;aws_console_getsignintoken.yml
lateral-movement;T1210;zeek_http_omigod_no_auth_rce.yml,web_apache_threading_error.yml,win_audit_cve.yml,win_security_rdp_bluekeep_poc_scanner.yml,win_system_possible_zerologon_exploitation_using_wellknown_tools.yml,win_system_rdp_potential_cve_2019_0708.yml,proc_creation_win_java_sysaidserver_susp_child_process.yml,proc_creation_win_svchost_termserv_proc_spawn.yml,proc_creation_win_malware_wannacry.yml,win_exchange_cve_2021_42321.yml,web_cve_2023_46214_rce_splunk_enterprise.yml,web_cve_2023_46214_rce_splunk_enterprise_poc.yml
lateral-movement;T1550.001;aws_console_getsignintoken.yml,aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml
credential-access;T1557;cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,proc_creation_win_secedit_execution.yml
credential-access;T1555.005;create_remote_thread_win_keepass.yml
credential-access;T1558;av_password_dumper.yml,win_security_replay_attack_detected.yml,file_event_win_hktl_mimikatz_files.yml,net_connection_win_susp_outbound_kerberos_connection.yml
credential-access;T1606;azure_identity_protection_token_issuer_anomaly.yml
credential-access;T1621;azure_mfa_denies.yml,azure_mfa_interrupted.yml
credential-access;T1212;lnx_guacamole_susp_guacamole.yml,win_audit_cve.yml,win_security_susp_kerberos_manipulation.yml,proc_creation_win_rundll32_ntlmrelay.yml,proc_creation_win_apt_gallium_iocs.yml
credential-access;T1110;azure_identity_protection_password_spray.yml,azure_account_lockout.yml,azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml,azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml,azure_ad_suspicious_signin_bypassing_mfa.yml,azure_conditional_access_failure.yml,azure_legacy_authentication_protocols.yml,azure_mfa_denies.yml,azure_mfa_interrupted.yml,azure_user_login_blocked_by_conditional_access.yml,bitbucket_audit_user_login_failure_detected.yml,bitbucket_audit_user_login_failure_via_ssh_detected.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,proxy_ua_hacktool.yml,win_mssql_failed_logon.yml,win_mssql_failed_logon_from_external_network.yml,win_susp_ntlm_brute_force.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,proc_creation_win_hktl_crackmapexec_execution.yml,proc_creation_win_hktl_hydra.yml
credential-access;T1556.006;azure_ad_only_single_factor_auth_required.yml,okta_mfa_reset_or_deactivated.yml
credential-access;T1056;proxy_susp_ipfs_cred_harvest.yml,dns_query_win_onelaunch_update_service.yml
credential-access;T1556;aws_sso_idp_change.yml,azure_mfa_disabled.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_ad_certificate_based_authencation_enabled.yml,azure_ad_new_root_ca_added.yml,azure_change_to_authentication_method.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,github_disable_high_risk_configuration.yml,microsoft365_disabling_mfa.yml,win_security_susp_possible_shadow_credentials_added.yml
discovery;T1069;posh_pm_malicious_commandlets.yml,posh_ps_malicious_commandlets.yml,proc_creation_win_powershell_malicious_cmdlets.yml
discovery;T1069.003;kubernetes_audit_rbac_permisions_listing.yml
discovery;T1087;rpc_firewall_sharphound_recon_account.yml,win_security_alert_ruler.yml,posh_pm_malicious_commandlets.yml,posh_ps_malicious_commandlets.yml,proc_creation_win_hktl_winpeas.yml,proc_creation_win_nslookup_domain_discovery.yml,proc_creation_win_powershell_malicious_cmdlets.yml,proc_creation_win_pua_seatbelt.yml,proc_creation_win_sysinternals_psloglist.yml,proc_creation_win_webshell_chopper.yml,proc_creation_win_webshell_hacking.yml,proc_creation_win_webshell_recon_commands_and_processes.yml,proc_creation_win_malware_pikabot_discovery.yml
discovery;T1087.004;kubernetes_audit_rbac_permisions_listing.yml,azure_ad_azurehound_discovery.yml
resource-development;T1587.001;win_exchange_proxylogon_oabvirtualdir.yml,file_event_win_office_uncommon_file_startup.yml,file_event_win_vhd_download_via_browsers.yml,proc_creation_win_pua_csexec.yml,proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml,proc_creation_win_sysinternals_psexec_remote_execution.yml,proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml,proc_creation_win_malware_formbook.yml,proc_creation_win_apt_mustangpanda.yml,proc_creation_win_malware_conti.yml,file_event_win_susp_binary_dropper.yml
resource-development;T1586.003;okta_suspicious_activity_enduser_report.yml
resource-development;T1588.001;lnx_clamav_relevant_message.yml
resource-development;T1584;lnx_auditd_susp_exe_folders.yml,proxy_webdav_external_execution.yml,win_system_susp_system_update_error.yml,file_event_win_webdav_tmpfile_creation.yml
resource-development;T1586;bitbucket_audit_unauthorized_access_detected.yml,bitbucket_audit_unauthorized_full_data_export_triggered.yml
resource-development;T1608;proc_creation_win_susp_download_office_domain.yml,registry_event_hybridconnectionmgr_svc_installation.yml
resource-development;T1588.002;proc_creation_win_hktl_execution_via_imphashes.yml,proc_creation_win_hktl_execution_via_pe_metadata.yml,proc_creation_win_renamed_sysinternals_debugview.yml,proc_creation_win_sysinternals_eula_accepted.yml,registry_add_pua_sysinternals_execution_via_eula.yml,registry_add_pua_sysinternals_renamed_execution_via_eula.yml,registry_add_pua_sysinternals_susp_execution_via_eula.yml,registry_set_renamed_sysinternals_eula_accepted.yml,registry_set_susp_keyboard_layout_load.yml
resource-development;T1588;av_relevant_files.yml,win_av_relevant_match.yml
resource-development;T1587;lnx_auditd_susp_exe_folders.yml,proc_creation_lnx_susp_hktl_execution.yml,proc_creation_win_hktl_purplesharp_indicators.yml,file_event_win_cve_2021_1675_printspooler.yml,file_event_win_exploit_cve_2021_40444.yml,image_load_malware_foggyweb_nobelium.yml
reconnaissance;T1590.002;win_dns_server_failed_dns_zone_transfer.yml
reconnaissance;T1589;azure_identity_protection_leaked_credentials.yml,lnx_sshd_ssh_cve_2018_15473.yml
reconnaissance;T1595.002;net_dns_external_service_interaction_domains.yml
reconnaissance;T1595;proc_creation_win_pua_pingcastle.yml,proc_creation_win_pua_pingcastle_script_parent.yml
reconnaissance;T1593.003;proc_creation_lnx_susp_git_clone.yml,proc_creation_win_git_susp_clone.yml
reconnaissance;T1592.004;proc_creation_lnx_cat_sudoers.yml,proc_creation_lnx_susp_history_recon.yml,proc_creation_lnx_susp_recon_indicators.yml
reconnaissance;T1590;proxy_pua_advanced_ip_scanner_update_check.yml,dns_query_win_susp_external_ip_lookup.yml
reconnaissance;T1591.004;bitbucket_audit_user_details_export_attempt_detected.yml,bitbucket_audit_user_permissions_export_attempt_detected.yml
reconnaissance;T1590.001;proc_creation_win_pua_crassus.yml
impact;T1561.002;cisco_cli_file_deletion.yml
impact;T1499.001;win_system_ntfs_vuln_exploit.yml
impact;T1565.001;azure_device_or_configuration_modified_or_deleted.yml,azure_dns_zone_modified_or_deleted.yml,lnx_clear_syslog.yml,proc_creation_lnx_susp_history_delete.yml,proc_creation_lnx_susp_sensitive_file_access.yml,cisco_cli_dos.yml
impact;T1499.004;web_apache_segfault.yml,web_nginx_core_dump.yml,win_audit_cve.yml
impact;T1565;aws_ec2_disable_encryption.yml,gcp_dlp_re_identifies_sensitive_information.yml,posh_ps_add_dnsclient_rule.yml
impact;T1565.002;cisco_cli_modify_config.yml
impact;T1498;kubernetes_audit_deployment_deleted.yml,opencanary_ntp_monlist.yml,proc_creation_win_malware_blackbyte_ransomware.yml
impact;T1495;cisco_cli_dos.yml
impact;T1561.001;cisco_cli_file_deletion.yml
initial-access;T1195.001;github_disabled_outdated_dependency_or_vulnerability.yml,file_event_win_mal_octopus_scanner.yml
initial-access;T1566.002;proc_creation_macos_susp_execution_macos_script_editor.yml
initial-access;T1190;appframework_django_exceptions.yml,java_jndi_injection_exploitation_attempt.yml,java_local_file_read.yml,java_ognl_injection_exploitation_attempt.yml,java_rce_exploitation_attempt.yml,java_xxe_exploitation_attempt.yml,nodejs_rce_exploitation_attempt.yml,opencanary_ftp_login_attempt.yml,opencanary_http_get.yml,opencanary_http_post_login_attempt.yml,app_python_sql_exceptions.yml,appframework_ruby_on_rails_exceptions.yml,spring_application_exceptions.yml,spring_spel_injection.yml,app_sqlinjection_errors.yml,velocity_ssti_injection.yml,db_anomalous_query.yml,lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml,lnx_sshd_susp_ssh.yml,lnx_syslog_susp_named.yml,lnx_vsftpd_susp_error_messages.yml,proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml,proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml,proc_creation_lnx_omigod_scx_runasprovider_executescript.yml,proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml,net_dns_external_service_interaction_domains.yml,zeek_http_omigod_no_auth_rce.yml,web_apache_threading_error.yml,proxy_f5_tm_utility_bash_api_request.yml,proxy_ua_hacktool.yml,web_f5_tm_utility_bash_api_request.yml,web_iis_tilt_shortname_scan.yml,web_java_payload_in_access_logs.yml,web_jndi_exploit.yml,web_path_traversal_exploitation_attempt.yml,web_sql_injection_in_access_logs.yml,web_susp_useragents.yml,win_security_susp_failed_logon_source.yml,file_event_win_exchange_webshell_drop_suspicious.yml,file_event_win_susp_exchange_aspx_write.yml,proc_creation_win_mssql_susp_child_process.yml,proc_creation_win_remote_access_tools_screenconnect_webshell.yml,proc_creation_win_svchost_termserv_proc_spawn.yml,proc_creation_win_webshell_susp_process_spawned_from_webserver.yml,proc_creation_win_winrm_susp_child_process.yml,web_cve_2010_5278_exploitation_attempt.yml,web_cve_2014_6287_hfs_rce.yml,web_cve_2018_13379_fortinet_preauth_read_exploit.yml,web_cve_2018_2894_weblogic_exploit.yml,web_cve_2019_11510_pulsesecure_exploit.yml,web_cve_2019_19781_citrix_exploit.yml,web_cve_2019_3398_confluence.yml,web_cve_2020_0688_exchange_exploit.yml,web_cve_2020_0688_msexchange.yml,win_vul_cve_2020_0688.yml,web_cve_2020_10148_solarwinds_exploit.yml,proc_creation_win_exploit_cve_2020_10189.yml,proc_creation_win_exploit_cve_2020_1350.yml,web_cve_2020_14882_weblogic_exploit.yml,web_cve_2020_28188_terramaster_rce_exploit.yml,web_cve_2020_3452_cisco_asa_ftd.yml,web_cve_2020_5902_f5_bigip.yml,web_cve_2020_8193_8195_citrix_exploit.yml,web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml,web_cve_2021_2109_weblogic_rce_exploit.yml,web_cve_2021_21972_vsphere_unauth_rce_exploit.yml,web_cve_2021_21978_vmware_view_planner_exploit.yml,web_cve_2021_22005_vmware_file_upload.yml,web_cve_2021_22123_fortinet_exploit.yml,web_cve_2021_22893_pulse_secure_rce_exploit.yml,proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml,web_cve_2021_26084_confluence_rce_exploit.yml,web_cve_2021_26814_wzuh_rce.yml,web_cve_2021_26858_iis_rce.yml,web_cve_2021_27905_apache_solr_exploit.yml,web_cve_2021_28480_exchange_exploit.yml,web_cve_2021_33766_msexchange_proxytoken.yml,web_cve_2021_40539_adselfservice.yml,web_cve_2021_40539_manageengine_adselfservice_exploit.yml,win_vul_cve_2021_41379.yml,web_cve_2021_41773_apache_path_traversal.yml,web_cve_2021_42237_sitecore_report_ashx.yml,web_cve_2021_43798_grafana.yml,web_cve_2021_44228_log4j.yml,web_cve_2021_44228_log4j_fields.yml,web_exchange_proxyshell.yml,web_sonicwall_jarrewrite_exploit.yml,web_exchange_exploitation_hafnium.yml,web_cve_2022_21587_oracle_ebs.yml,proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml,web_cve_2022_27925_exploit.yml,web_cve_2022_31656_auth_bypass.yml,web_cve_2022_31659_vmware_rce.yml,web_cve_2022_33891_spark_shell_command_injection.yml,web_cve_2022_36804_atlassian_bitbucket_command_injection.yml,proxy_cve_2022_36804_exchange_owassrf_exploitation.yml,proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml,web_cve_2022_36804_exchange_owassrf_exploitation.yml,web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml,web_cve_2022_44877_exploitation_attempt.yml,web_cve_2022_46169_cacti_exploitation_attempt.yml,proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml,proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml,proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml,web_exploit_cve_2023_22518_confluence_auth_bypass.yml,lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml,web_cve_2023_23752_joomla_exploit_attempt.yml,web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml,web_cve_2023_27997_pre_authentication_rce.yml,file_event_win_exploit_cve_2023_34362_moveit_transfer.yml,proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml,web_exploit_cve_2023_43261_milesight_information_disclosure.yml,proxy_cve_2023_46747_f5_remote_code_execution.yml,web_cve_2023_46747_f5_remote_code_execution.yml,proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml,proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml,web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml,web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml,proc_creation_win_exploit_other_win_server_undocumented_rce.yml
initial-access;T1199;microsoft365_user_restricted_from_sending_email.yml
initial-access;T1566;okta_fastpass_phishing_detection.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,proxy_download_susp_tlds_blacklist.yml,proxy_download_susp_tlds_whitelist.yml,proxy_webdav_external_execution.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,proc_creation_win_hh_html_help_susp_child_process.yml,proc_creation_win_hh_susp_execution.yml,proc_creation_win_office_onenote_susp_child_processes.yml,proc_creation_win_susp_archiver_iso_phishing.yml,file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml,registry_set_cve_2021_31979_cve_2021_33771_exploits.yml,file_event_win_webdav_tmpfile_creation.yml
initial-access;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_telnet_login_attempt.yml,aws_susp_saml_activity.yml,azure_ad_user_added_to_admin_role.yml,azure_kubernetes_admission_controller.yml,azure_ad_account_created_deleted.yml,azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml,azure_federation_modified.yml,azure_pim_alerts_disabled.yml,azure_subscription_permissions_elevation_via_auditlogs.yml,azure_identity_protection_anonymous_ip_activity.yml,azure_identity_protection_atypical_travel.yml,azure_identity_protection_impossible_travel.yml,azure_identity_protection_new_coutry_region.yml,azure_identity_protection_suspicious_browser.yml,azure_identity_protection_threat_intel.yml,azure_identity_protection_unfamilar_sign_in.yml,azure_pim_account_stale.yml,azure_pim_invalid_license.yml,azure_pim_role_assigned_outside_of_pim.yml,azure_pim_role_frequent_activation.yml,azure_pim_role_not_used.yml,azure_pim_role_no_mfa_required.yml,azure_pim_too_many_global_admins.yml,azure_ad_auth_failure_increase.yml,azure_ad_auth_sucess_increase.yml,azure_ad_auth_to_important_apps_using_single_factor_auth.yml,azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml,azure_app_device_code_authentication.yml,azure_app_ropc_authentication.yml,azure_unusual_authentication_interruption.yml,gcp_kubernetes_admission_controller.yml,microsoft365_impossible_travel_activity.yml,microsoft365_logon_from_risky_ip_address.yml,proc_creation_macos_dsenableroot_enable_root_account.yml,proc_creation_macos_sysadminctl_enable_guest_account.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,win_security_susp_computer_name.yml,win_security_susp_failed_logon_reasons.yml,win_security_susp_logon_explicit_credentials.yml,win_security_user_added_to_local_administrators.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,win_security_susp_failed_logon_source.yml,posh_pm_susp_reset_computermachinepassword.yml,proc_creation_win_net_use_password_plaintext.yml
initial-access;T1078.002;win_security_admin_rdp_login.yml
initial-access;T1200;win_usb_device_plugged.yml,win_security_device_installation_blocked.yml,win_security_external_device.yml
initial-access;T1189;proc_creation_macos_susp_browser_child_process.yml,proxy_susp_flash_download_loc.yml,web_xss_in_access_logs.yml
exfiltration;T1567;net_connection_lnx_ngrok_tunnel.yml,proc_creation_lnx_susp_curl_fileupload.yml,net_dns_pua_cryptocoin_mining_xmr.yml,net_connection_win_domain_ngrok_tunnel.yml,proc_creation_win_configsecuritypolicy_download_file.yml,proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml,proc_creation_win_curl_fileupload.yml
exfiltration;T1048.001;proc_creation_win_dns_exfiltration_tools_execution.yml
exfiltration;T1567.001;net_connection_win_domain_mega_nz.yml,net_connection_win_domain_ngrok.yml,net_connection_win_susp_devtunnel_connection.yml,net_connection_win_vscode_tunnel_connection.yml
exfiltration;T1537;aws_ec2_vm_export_failure.yml,aws_s3_data_management_tampering.yml,aws_snapshot_backup_exfiltration.yml,microsoft365_data_exfiltration_to_unsanctioned_app.yml