[{"tech_id":"T1046","atomic_attack_guid":"68e907da-2539-48f6-9fc9-257a78c05540","atomic_attack_name":"Port Scan","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Network Service Scanning","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"9d04efee-eff5-4240-b8d2-07792b873608","atomic_attack_name":"Packet Capture macOS using tcpdump or tshark","platform":"macOS","sigma_rules":[{"rule_name":"Network Sniffing - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml"}],"splunk_rules":[]},{"tech_id":"T1037.005","atomic_attack_guid":"10cf5bec-49dd-4ebf-8077-8f47e420096f","atomic_attack_name":"Add launch script to launch agent","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1037.005","atomic_attack_guid":"fc369906-90c7-4a15-86fd-d37da624dde6","atomic_attack_name":"Add launch script to launch daemon","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1033","atomic_attack_guid":"2a9b677d-a230-44f4-ad86-782df1ef108c","atomic_attack_name":"System Owner/User 
Discovery","platform":"macOS","sigma_rules":[{"rule_name":"System Network Connections Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1030","atomic_attack_guid":"ab936c51-10f4-46ce-9144-e02137b2016a","atomic_attack_name":"Data Transfer Size Limits","platform":"macOS","sigma_rules":[{"rule_name":"Split A File Into Pieces","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml"}],"splunk_rules":[]},{"tech_id":"T1027.001","atomic_attack_guid":"e22a9e89-69c7-410f-a473-e6c212cd2292","atomic_attack_name":"Pad Binary to Change Hash using truncate command - Linux/macOS","platform":"macOS","sigma_rules":[{"rule_name":"Binary Padding - MacOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"}],"splunk_rules":[]},{"tech_id":"T1027.001","atomic_attack_guid":"ffe2346c-abd5-4b45-a713-bf5f1ebd573a","atomic_attack_name":"Pad Binary to Change Hash - Linux/macOS dd","platform":"macOS","sigma_rules":[{"rule_name":"Binary Padding - MacOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"f45df6be-2e1e-4136-a384-8f18ab3826fb","atomic_attack_name":"Decode base64 Data into Script","platform":"macOS","sigma_rules":[{"rule_name":"Decode Base64 Encoded Text -MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml"}],"splunk_rules":[]},{"tech_id":"T1021.005","atomic_attack_guid":"8a930abe-841c-4d4f-a877-72e9fe90b9ea","atomic_attack_name":"Enable Apple Remote Desktop Agent","platform":"macOS","sigma_rules":[{"rule_name":"System Information Discovery Using 
sw_vers","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml"},{"rule_name":"Local System Accounts Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_local_account.yml"},{"rule_name":"Launch Agent/Daemon Execution Via Launchctl","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"},{"rule_name":"Creation Of A Local User Account","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"96db2632-8417-4dbb-b8bb-a8b92ba391de","atomic_attack_name":"Remote System Discovery - sweep","platform":"macOS","sigma_rules":[{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"acb6b1ff-e2ad-4d64-806c-6c35fe73b951","atomic_attack_name":"Remote System Discovery - arp nix","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"},{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"ff1d8c25-2aa4-4f18-a425-fede4a41ee88","atomic_attack_name":"List macOS Firewall Rules","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - 
macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"c141bbdb-7fca-4254-9fd6-f47e79447e17","atomic_attack_name":"System Network Configuration Discovery","platform":"macOS","sigma_rules":[{"rule_name":"System Network Discovery - macOS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml"},{"rule_name":"Macos Remote System Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"},{"rule_name":"System Network Connections Discovery - MacOs","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1005","atomic_attack_guid":"cfb6d400-a269-4c06-a347-6d88d584d5f7","atomic_attack_name":"Copy Apple Notes database files using AppleScript","platform":"macOS","sigma_rules":[{"rule_name":"MacOS Scripting Interpreter AppleScript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"42510244-5019-48fa-a0e5-66c3b76e6049","atomic_attack_name":"Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)","platform":"Windows","sigma_rules":[{"rule_name":"Microsoft IIS Service Account Password Dumped","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"84113186-ed3c-4d0d-8a3c-8980c86c1f4a","atomic_attack_name":"Dump Credential Manager using keymgr.dll and 
rundll32.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Key Manager Access","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1003","atomic_attack_guid":"0b207037-813c-4444-ac3f-b597cf280a67","atomic_attack_name":"Send NTLM Hash with RPC Test Connection","platform":"Windows","sigma_rules":[{"rule_name":"Capture Credentials with Rpcping.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"},{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"0be2230c-9ab3-4ac2-8826-3199b9a0ebf8","atomic_attack_name":"Dump LSASS.exe Memory using ProcDump","platform":"Windows","sigma_rules":[{"rule_name":"Renamed ProcDump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Potential LSASS Process Dump Via 
Procdump","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"},{"rule_name":"Procdump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"2536dee2-12fb-459a-8c37-971844fa73be","atomic_attack_name":"Dump LSASS.exe Memory using comsvcs.dll","platform":"Windows","sigma_rules":[{"rule_name":"Process Memory Dump Via Comsvcs.DLL","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"},{"rule_name":"PowerShell Get-Process LSASS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Use Short Name Path in Command 
Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"PowerShell Get-Process LSASS in ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"dddd4aca-bbed-46f0-984d-e4c5971c51ea","atomic_attack_name":"Dump LSASS.exe Memory using NanoDump","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"453acf13-1dbd-47d7-b28a-172ce9228023","atomic_attack_name":"Offline Credential Theft With Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Operator Bloopers Cobalt Strike 
Commands","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"7cede33f-0acd-44ef-9774-15511300b24b","atomic_attack_name":"Create Mini Dump of LSASS.exe using ProcDump","platform":"Windows","sigma_rules":[{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"},{"rule_name":"Procdump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"},{"rule_name":"Potential LSASS Process Dump Via Procdump","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"86fc3f40-237f-4701-b155-81c01c48d697","atomic_attack_name":"Dump LSASS.exe using imported Microsoft DLLs","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - XORDump Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml"},{"rule_name":"Suspicious Script Execution From Temp 
Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"eb5adf16-b601-4926-bca7-dad22adffb37","atomic_attack_name":"Dump LSASS.exe Memory through Silent Process Exit","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.003","atomic_attack_guid":"2364e33d-ceab-4641-8468-bfb1d7cc2723","atomic_attack_name":"Dump Active Directory Database with NTDSUtil","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Patterns NTDS.DIT Exfil","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"}],"splunk_rules":[]},{"tech_id":"T1003.003","atomic_attack_guid":"542bb97e-da53-436b-8e43-e0a7d31a6c24","atomic_attack_name":"Create Volume Shadow Copy with Powershell","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"Create Volume Shadow Copy with 
Powershell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1003.005","atomic_attack_guid":"56506854-89d6-46a3-9804-b7fde90791f9","atomic_attack_name":"Cached Credential Dump via Cmdkey","platform":"Windows","sigma_rules":[{"rule_name":"Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1003.006","atomic_attack_guid":"a0bced08-3fc5-4d8b-93b7-e8344739376e","atomic_attack_name":"Run DSInternals Get-ADReplAccount","platform":"Windows","sigma_rules":[{"rule_name":"DSInternals Suspicious PowerShell Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml"},{"rule_name":"Suspicious Get-ADReplAccount","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1007","atomic_attack_guid":"89676ba1-b1f8-47ee-b940-2e1a113ebc71","atomic_attack_name":"System Service Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Tasklist Discovery Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1007","atomic_attack_guid":"5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3","atomic_attack_name":"System Service Discovery - net.exe","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output 
Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"970ab6a1-0157-4f3f-9a73-ec4166754b23","atomic_attack_name":"System Network Configuration Discovery on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Network Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"}],"splunk_rules":[]},{"tech_id":"T1016","atomic_attack_guid":"dafaf052-5508-402d-bf77-51e0700c02e2","atomic_attack_name":"System Network Configuration Discovery (TrickBot Style)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Network Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"},{"rule_name":"Potential Recon Activity Via Nltest.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"},{"rule_name":"Nltest.EXE Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1016.002","atomic_attack_guid":"53cf1903-0fa7-4177-ab14-f358ae809eec","atomic_attack_name":"Enumerate Stored Wi-Fi Profiles And Passwords via netsh","platform":"Windows","sigma_rules":[{"rule_name":"Harvesting Of Wifi Credentials Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"6db1f57f-d1d5-4223-8a66-55c9c65a9592","atomic_attack_name":"Remote System Discovery - ping sweep","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Scan Loop 
Network","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"64ede6ac-b57a-41c2-a7d1-32c6cd35397d","atomic_attack_name":"Enumerate Active Directory Computers with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Remote System Discovery with Adsisearcher","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_system_discovery_with_adsisearcher.yml"}]},{"tech_id":"T1018","atomic_attack_guid":"b8147c9a-84db-4ec1-8eee-4e0da75f0de5","atomic_attack_name":"Enumerate Remote Hosts with Netscan","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","atomic_attack_guid":"74ace21e-a31c-4f7d-b540-53e4eb6d1f73","atomic_attack_name":"Changing RDP Port to Non Standard Port via Command_Prompt","platform":"Windows","sigma_rules":[{"rule_name":"New 
Firewall Rule Added Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml"},{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"},{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","atomic_attack_guid":"01d1c6c0-faf0-408e-b368-752a02285cb2","atomic_attack_name":"Disable NLA for RDP via Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"},{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"e2d85e66-cb66-4ed7-93b1-833fc56c9319","atomic_attack_name":"DLP Evasion via Sensitive Data in VBA Macro over HTTP","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"fad04df1-5229-4185-b016-fb6010cd87ac","atomic_attack_name":"Execution from Compressed JScript File","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1033","atomic_attack_guid":"4c4959bf-addf-4b4a-be86-8d09cc1857aa","atomic_attack_name":"System Owner/User Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Whoami.EXE Execution With Output Option","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"},{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1036.003","atomic_attack_guid":"5ba5a3d1-cf3c-4499-968a-a93155d1f717","atomic_attack_name":"Masquerading as Windows LSASS process","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To 
System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Binary Rename","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"3a2a578b-0a01-46e4-92e3-62e2859b42f0","atomic_attack_name":"Masquerading - cscript.exe running as notepad.exe","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Rename Of Highly Relevant Binaries","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa","atomic_attack_name":"Masquerading - powershell.exe running as taskhostw.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Rename Of Highly Relevant Binaries","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"83810c46-f45e-4485-9ab6-8ed0e9e6ed7f","atomic_attack_name":"Malicious process Masquerading as 
LSM.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Binary Rename","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"}],"splunk_rules":[]},{"tech_id":"T1036.004","atomic_attack_guid":"b721c6ef-472c-4263-a0d9-37f1f4ecff66","atomic_attack_name":"Creating W32Time similar named service using sc","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1036.007","atomic_attack_guid":"c7fa0c3b-b57f-4cba-9118-863bf4e653fc","atomic_attack_name":"File Extension Masquerading","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Suspicious Double Extension Files","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1037.001","atomic_attack_guid":"d6042746-07d4-4c92-9ad8-e644c114a231","atomic_attack_name":"Logon Scripts","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Via Logon 
Scripts - CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Potential Persistence Via Logon Scripts - Registry","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml"}],"splunk_rules":[]},{"tech_id":"T1039","atomic_attack_guid":"6ed67921-1774-44ba-bac6-adb51ed60660","atomic_attack_name":"Copy a sensitive File over Administrative share with copy","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"}],"splunk_rules":[]},{"tech_id":"T1039","atomic_attack_guid":"7762e120-5879-44ff-97f8-008b401b9a98","atomic_attack_name":"Copy a sensitive File over Administrative share with Powershell","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Script Execution From Temp Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol 
Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"b5656f67-d67f-4de8-8e62-b5581630f528","atomic_attack_name":"Windows Internal Packet Capture","platform":"Windows","sigma_rules":[{"rule_name":"New Network Trace Capture Started Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"855fb8b4-b8ab-4785-ae77-09f5df7bff55","atomic_attack_name":"Windows Internal pktmon set filter","platform":"Windows","sigma_rules":[{"rule_name":"PktMon.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1047","atomic_attack_guid":"5750aa16-0e59-4410-8b9a-8a47ca2788e2","atomic_attack_name":"WMI Reconnaissance Processes","platform":"Windows","sigma_rules":[{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},{"tech_id":"T1047","atomic_attack_guid":"718aebaa-d0e0-471a-8241-c5afa69c7414","atomic_attack_name":"WMI Reconnaissance Software","platform":"Windows","sigma_rules":[{"rule_name":"Windows Hotfix Updates Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"}],"splunk_rules":[]},{"tech_id":"T1053.002","atomic_attack_guid":"4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8","atomic_attack_name":"At.exe Scheduled task","platform":"Windows","sigma_rules":[{"rule_name":"Interactive AT 
Job","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1053.005","atomic_attack_guid":"42f53695-ad4a-4546-abb6-7d837f644a71","atomic_attack_name":"Scheduled task Local","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Schtasks Schedule Types","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","atomic_attack_guid":"e895677d-4f06-49ab-91b6-ae3742d0a2ba","atomic_attack_name":"Scheduled Task Executing Base64 Encoded Commands From Registry","platform":"Windows","sigma_rules":[{"rule_name":"Scheduled Task Executing Encoded Payload from Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Command Patterns In Scheduled Task Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1055","atomic_attack_guid":"3203ad24-168e-4bec-be36-f79b13ef8a83","atomic_attack_name":"Remote Process Injection in LSASS via mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1055","atomic_attack_guid":"2871ed59-3837-4a52-9107-99500ebc87cb","atomic_attack_name":"Process Injection with Go using CreateThread WinAPI","platform":"Windows","sigma_rules":[{"rule_name":"Potential WinAPI Calls Via CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml"}],"splunk_rules":[]},{"tech_id":"T1055","atomic_attack_guid":"2a3c7035-d14f-467a-af94-933e49fe6786","atomic_attack_name":"Process Injection with Go using CreateThread WinAPI (Natively)","platform":"Windows","sigma_rules":[{"rule_name":"Potential WinAPI Calls Via CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml"}],"splunk_rules":[]},{"tech_id":"T1056.001","atomic_attack_guid":"d9b633ca-8efb-45e6-b838-70f595c6ae26","atomic_attack_name":"Input Capture","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"Powershell 
Keylogging","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"}],"splunk_rules":[]},{"tech_id":"T1056.004","atomic_attack_guid":"de1934ea-1fbf-425b-8795-65fb27dd7e33","atomic_attack_name":"Hook PowerShell TLS Encrypt/Decrypt Messages","platform":"Windows","sigma_rules":[{"rule_name":"Mavinject Inject DLL Into Running Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"}],"splunk_rules":[]},{"tech_id":"T1057","atomic_attack_guid":"c5806a4f-62b8-4900-980b-c7ec004e9908","atomic_attack_name":"Process Discovery - tasklist","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Tasklist Discovery Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1057","atomic_attack_guid":"640cbf6d-659b-498b-ba53-f6dd1a1cc02c","atomic_attack_name":"Process Discovery - wmic process","platform":"Windows","sigma_rules":[{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},{"tech_id":"T1057","atomic_attack_guid":"11ba69ee-902e-4a0f-b3b6-418aed7d7ddb","atomic_attack_name":"Discover Specific Process - tasklist","platform":"Windows","sigma_rules":[{"rule_name":"LSASS Process Reconnaissance Via Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml"},{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Suspicious Tasklist Discovery 
Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1059.001","atomic_attack_guid":"af1800cf-9f9d-4fd1-a709-14b1e6de020d","atomic_attack_name":"Mimikatz - Cradlecraft PsSendKeys","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Keywords","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml"},{"rule_name":"Malicious PowerShell Scripts - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Potential PowerShell Command Line Obfuscation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml"},{"rule_name":"Non Interactive PowerShell Process 
Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Windows PowerShell Script Block With Malicious String","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml"},{"rule_name":"Detect Mimikatz With PowerShell Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory 
Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"a538de64-1c74-46ed-aa60-b995ed302598","atomic_attack_name":"PowerShell Command Execution","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of 
Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"49eb9404-5e0f-4031-a179-b40f7be385e3","atomic_attack_name":"PowerShell Invoke Known Malicious Cmdlets","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Keywords","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 
Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.003","atomic_attack_guid":"127b4afe-2346-4192-815c-69042bec570e","atomic_attack_name":"Writes text to a file and displays it.","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1059.003","atomic_attack_guid":"df81db1b-066c-4802-9bc8-b6d030c3ba8e","atomic_attack_name":"Command Prompt read contents from CMD file and execute","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via 
Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"}],"splunk_rules":[]},{"tech_id":"T1059.003","atomic_attack_guid":"00682c9f-7df4-4df8-950b-6dcaaa3ad9af","atomic_attack_name":"Command prompt writing script to file then executes it","platform":"Windows","sigma_rules":[{"rule_name":"Whoami.EXE Execution With Output Option","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"}],"splunk_rules":[]},{"tech_id":"T1059.005","atomic_attack_guid":"1620de42-160a-4fe5-bbaf-d3fef0181ce9","atomic_attack_name":"Visual Basic script execution to gather local computer information","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Registry Tampering by Potentially Suspicious Processes","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml"}],"splunk_rules":[]},{"tech_id":"T1059.007","atomic_attack_guid":"01d75adf-ca1b-4dd1-ac96-7c9550ad1035","atomic_attack_name":"JScript execution to gather local computer information via cscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output 
Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1059.007","atomic_attack_guid":"0709945e-4fec-4c49-9faf-c3c292a74484","atomic_attack_name":"JScript execution to gather local computer information via wscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1069.002","atomic_attack_guid":"9f4e344b-8434-41b3-85b1-d38f29d148d0","atomic_attack_name":"Enumerate Active Directory Groups with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},{"tech_id":"T1070","atomic_attack_guid":"b4115c7a-0e92-47f0-a61e-17e7218b2435","atomic_attack_name":"Indicator Removal using FSUtil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Suspicious Invocation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"}],"splunk_rules":[]},{"tech_id":"T1070.001","atomic_attack_guid":"e6abb60e-26b8-41da-8aae-0c35174b0967","atomic_attack_name":"Clear Logs","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Eventlog Clearing or Configuration Change 
Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"}],"splunk_rules":[]},{"tech_id":"T1070.004","atomic_attack_guid":"861ea0b4-708a-4d17-848d-186c9c7f17e3","atomic_attack_name":"Delete a single file - Windows cmd","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.004","atomic_attack_guid":"36f96049-0ad7-4a5f-8418-460acaeb92fb","atomic_attack_name":"Delete Prefetch File","platform":"Windows","sigma_rules":[{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"},{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.005","atomic_attack_guid":"14c38f32-6509-46d8-ab43-d53e32d2b131","atomic_attack_name":"Add Network Share","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1070.005","atomic_attack_guid":"09210ad5-1ef2-4077-9ad3-7351e13e9222","atomic_attack_name":"Remove Network Share","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"},{"rule_name":"Unmount Share Via 
Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml"},{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1071.001","atomic_attack_guid":"dc3488b0-08c7-4fea-b585-905c83b48180","atomic_attack_name":"Malicious User Agents - CMD","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"}],"splunk_rules":[]},{"tech_id":"T1074.001","atomic_attack_guid":"107706a5-6f9f-451a-adae-bab8c667829f","atomic_attack_name":"Stage data from Discovery.bat","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1074.001","atomic_attack_guid":"a57fbe4b-3440-452a-88a7-943531ac872a","atomic_attack_name":"Zip a Folder with PowerShell for Staging in Temp","platform":"Windows","sigma_rules":[{"rule_name":"Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml"},{"rule_name":"Zip A Folder With PowerShell For Staging In Temp - PowerShell 
Script","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml"}],"splunk_rules":[]},{"tech_id":"T1078.001","atomic_attack_guid":"99747561-ed8d-47f2-9c91-1e5fde1ed6e0","atomic_attack_name":"Enable Guest account with RDP capability and admin privileges","platform":"Windows","sigma_rules":[{"rule_name":"User Added to Local Administrators Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"},{"rule_name":"User Added to Remote Desktop Users Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml"},{"rule_name":"Weak or Abused Passwords In CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"}],"splunk_rules":[]},{"tech_id":"T1078.003","atomic_attack_guid":"a524ce99-86de-4db6-b4f9-e08f35a47a15","atomic_attack_name":"Create local account with admin privileges","platform":"Windows","sigma_rules":[{"rule_name":"User Added to Local Administrators Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"}],"splunk_rules":[]},{"tech_id":"T1082","atomic_attack_guid":"66703791-c902-4560-8770-42b8a91f7667","atomic_attack_name":"System Information Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Potential Configuration And Service Reconnaissance Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml"},{"rule_name":"Suspicious Execution of 
Systeminfo","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1082","atomic_attack_guid":"224b4daf-db44-404e-b6b2-f4d1f0126ef8","atomic_attack_name":"Windows MachineGUID Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Query of MachineGUID","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml"}],"splunk_rules":[]},{"tech_id":"T1082","atomic_attack_guid":"69bd4abe-8759-49a6-8d21-0f15822d6370","atomic_attack_name":"Griffon Recon","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"}],"splunk_rules":[]},{"tech_id":"T1082","atomic_attack_guid":"4060ee98-01ae-4c8e-8aad-af8300519cc7","atomic_attack_name":"System Information Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"},{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Potential Reconnaissance Activity Via 
GatherNetworkInfo.VBS","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"},{"rule_name":"Suspicious Execution of Systeminfo","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1083","atomic_attack_guid":"0e36303b-6762-4500-b003-127743b80ba6","atomic_attack_name":"File and Directory Discovery (cmd.exe)","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"95018438-454a-468c-a0fa-59c800149b59","atomic_attack_name":"Automated AD Recon (ADRecon)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"736b4f53-f400-4c22-855d-1a6b5a551600","atomic_attack_name":"Adfind -Listing password policy","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via 
AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"b95fd967-4e62-4109-b48d-265edfd28c3a","atomic_attack_name":"Adfind - Enumerate Active Directory Admins","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"5e2938fb-f919-47b6-8b29-2f6a1f718e99","atomic_attack_name":"Adfind - Enumerate Active Directory Exchange AD Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"02e8be5a-3065-4e54-8cc8-a14d138834d3","atomic_attack_name":"Enumerate Active Directory Users with ADSISearcher","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","atomic_attack_guid":"7ab0205a-34e4-4a44-9b04-e1541d1a57be","atomic_attack_name":"Enumerate Linked Policies In ADSISearcher Discovery","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},{"tech_id":"T1090.001","atomic_attack_guid":"b8223ea9-4be2-44a6-b50a-9657a3d4e72a","atomic_attack_name":"portproxy reg key","platform":"Windows","sigma_rules":[{"rule_name":"New Port Forwarding Rule Added Via Netsh.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"2ca61766-b456-4fcf-a35a-1233685e1cad","atomic_attack_name":"OSTAP Worming Activity","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via 
Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"fa5a2759-41d7-4e13-a19c-e8f28a53566f","atomic_attack_name":"svchost writing a file to a UNC path","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Copy From Or To Admin Share Or Sysvol Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"815bef8b-bf91-4b67-be4c-abe4c2a94ccc","atomic_attack_name":"Download a File with Windows Defender MpCmdRun.exe","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File 
Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"File Download Via Windows Defender MpCmpRun.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"5f507e45-8411-4f99-84e7-e38530c45d01","atomic_attack_name":"File download with finger.exe on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Finger.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"1a02df58-09af-4064-a765-0babe1a0d1e2","atomic_attack_name":"Download a file with IMEWDBLD.exe","platform":"Windows","sigma_rules":[{"rule_name":"Arbitrary File Download Via IMEWDBLD.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"49845fc1-7961-4590-a0f0-3dbcf065ae7e","atomic_attack_name":"Printer Migration Command-Line Tool UNC share folder into a zip file","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via 
Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"PrintBrm ZIP Creation of Extraction","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"54782d65-12f0-47a5-b4c1-b70ee23de6df","atomic_attack_name":"Lolbas replace.exe use to copy file","platform":"Windows","sigma_rules":[{"rule_name":"Replace.exe Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"ed0335ac-0354-400c-8148-f6151d20035a","atomic_attack_name":"Lolbas replace.exe use to copy UNC 
file","platform":"Windows","sigma_rules":[{"rule_name":"Replace.exe Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"6fdaae87-c05b-42f8-842e-991a74e8376b","atomic_attack_name":"certreq download","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Certreq Command to Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"Suspicious CertReq Command to Download","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certreq_download.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"97116a3f-efac-4b26-8336-b9cb18c45188","atomic_attack_name":"Download a file using wscript","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Cisco Stage 
Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","atomic_attack_guid":"c01cad7f-7a4c-49df-985e-b190dcf6a279","atomic_attack_name":"iwr or Invoke Web-Request download","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Suspicious Script Execution From Temp Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1110.001","atomic_attack_guid":"59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4","atomic_attack_name":"Password Brute User using Kerbrute Tool","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command 
Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"282f929a-6bc5-42b8-bd93-960c3ba35afe","atomic_attack_name":"Modify Registry of Local Machine - cmd","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c0413fb5-33e2-40b7-9b6f-60b29f4a7a18","atomic_attack_name":"Modify registry to store logon credentials","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"95b25212-91a7-42ff-9613-124aca6845a8","atomic_attack_name":"Windows Powershell Logging Disabled","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5","atomic_attack_name":"Windows Add Registry Value to Load Service in Safe Mode without Network","platform":"Windows","sigma_rules":[{"rule_name":"Add SafeBoot Keys Via Reg 
Utility","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c173c948-65e5-499c-afbe-433722ed5bd4","atomic_attack_name":"Windows Add Registry Value to Load Service in Safe Mode with Network","platform":"Windows","sigma_rules":[{"rule_name":"Add SafeBoot Keys Via Reg Utility","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c30dada3-7777-4590-b970-dc890b8cf113","atomic_attack_name":"Suppress Win Defender Notifications","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"65704cd4-6e36-4b90-b6c1-dc29a82c8e56","atomic_attack_name":"NetWire RAT Registry Key Creation","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c375558d-7c25-45e9-bd64-7b23a97c1db0","atomic_attack_name":"Ursnif Malware Registry Key Creation","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious 
Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"d2c9e41e-cd86-473d-980d-b6403562e3e1","atomic_attack_name":"Disable Windows Error Reporting Settings","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"35727d9e-7a7f-4d0c-a259-dc3906d6e8b9","atomic_attack_name":"Mimic Ransomware - Allow Multiple RDP Sessions per User","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"e3ad8e83-3089-49ff-817f-e52f8c948090","atomic_attack_name":"Enabling Remote Desktop Protocol via Remote Registry","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"3b625eaa-c10d-4635-af96-3eae7d2a2f3c","atomic_attack_name":"Tamper Win Defender Protection","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c88ef166-50fa-40d5-a80c-e2b87d4180f7","atomic_attack_name":"Modify Internet Zone Protocol Defaults in Current User Registry - cmd","platform":"Windows","sigma_rules":[{"rule_name":"IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"ffeddced-bb9f-49c6-97f0-3d07a509bf94","atomic_attack_name":"Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.","platform":"Windows","sigma_rules":[{"rule_name":"Reg Add Suspicious Paths","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"},{"rule_name":"Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"16bdbe52-371c-4ccf-b708-79fba61f1db4","atomic_attack_name":"Enable RDP via Registry (fDenyTSConnections)","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"5f8e36de-37ca-455e-b054-a2584f043c06","atomic_attack_name":"Disable Windows Remote Desktop Protocol","platform":"Windows","sigma_rules":[{"rule_name":"Potential Tampering With RDP Related Registry Keys Via 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"26fc7375-a551-4336-90d7-3f2817564304","atomic_attack_name":"Requires the BitLocker PIN for Pre-boot authentication","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"bacb3e73-8161-43a9-8204-a69fe0e4b482","atomic_attack_name":"Modify EnableBDEWithNoTPM Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"10b33fb0-c58b-44cd-8599-b6da5ad6384c","atomic_attack_name":"Modify UseTPMPIN Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"c8480c83-a932-446e-a919-06a1fd1e512a","atomic_attack_name":"Modify UseTPMKey Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1112","atomic_attack_guid":"02d8b9f7-1a51-4011-8901-2d55cca667f9","atomic_attack_name":"Modify UseTPMKeyPIN Registry entry","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add 
BitLocker","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml"}],"splunk_rules":[]},{"tech_id":"T1113","atomic_attack_guid":"5a496325-0115-4274-8eb9-755b649ad0fb","atomic_attack_name":"Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Windows Recall Feature Enabled Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml"}],"splunk_rules":[]},{"tech_id":"T1115","atomic_attack_guid":"0cd14633-58d4-4422-9ede-daa2c9474ae7","atomic_attack_name":"Utilize Clipboard to store or execute commands from","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"PowerShell Get Clipboard","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"},{"rule_name":"Data Copied To Clipboard Via Clip.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1119","atomic_attack_guid":"cb379146-53f1-43e0-b884-7ce2c635ff5b","atomic_attack_name":"Automated Collection Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Automated Collection Command 
Prompt","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1119","atomic_attack_guid":"aa1180e2-f329-4e1e-8625-2472ec0bfaf3","atomic_attack_name":"Recon information for export with Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1120","atomic_attack_guid":"424e18fd-48b8-4201-8d3a-bf591523a686","atomic_attack_name":"Peripheral Device Discovery via fsutil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Drive Enumeration","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"}],"splunk_rules":[]},{"tech_id":"T1123","atomic_attack_guid":"9c3ad250-b185-4444-b5a9-d69218a10c95","atomic_attack_name":"using device audio capture commandlet","platform":"Windows","sigma_rules":[{"rule_name":"Audio Capture via 
PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"}],"splunk_rules":[]},{"tech_id":"T1124","atomic_attack_guid":"20aba24b-e61f-4b26-b4ce-4784f763ca20","atomic_attack_name":"System Time Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"},{"rule_name":"Discovery of a System Time","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1127","atomic_attack_guid":"1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8","atomic_attack_name":"Lolbin Jsc.exe compile javascript to exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"JScript Compiler Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1127","atomic_attack_guid":"3fc9fea2-871d-414d-8ef6-02e85e322b80","atomic_attack_name":"Lolbin Jsc.exe compile javascript to dll","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"JScript Compiler Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1134.004","atomic_attack_guid":"cbbff285-9051-444a-9d17-c07cd2d230eb","atomic_attack_name":"Parent PID Spoofing - Spawn from Specified 
Process","platform":"Windows","sigma_rules":[{"rule_name":"Weak or Abused Passwords In CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"20f1097d-81c1-405c-8380-32174d493bbb","atomic_attack_name":"Network Share Discovery command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Windows Share Mount Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"ab39a04f-0c93-4540-9ff2-83f862c385ae","atomic_attack_name":"View available share drives","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1135","atomic_attack_guid":"d07e4cc1-98ae-447e-9d31-36cb430d28c4","atomic_attack_name":"PowerView ShareFinder","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Import New Module Via PowerShell CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml"},{"rule_name":"HackTool - SharpView 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"}],"splunk_rules":[]},{"tech_id":"T1137","atomic_attack_guid":"bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c","atomic_attack_name":"Office Application Startup - Outlook as a C2","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1140","atomic_attack_guid":"dc6fe391-69e6-4506-bd06-ea5eeb4082f8","atomic_attack_name":"Deobfuscate/Decode Files Or Information","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1140","atomic_attack_guid":"71abc534-3c05-4d0c-80f7-cbe93cb2aa94","atomic_attack_name":"Certutil Rename and Decode","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1187","atomic_attack_guid":"485ce873-2e65-4706-9c7e-ae3ab9e14213","atomic_attack_name":"PetitPotam","platform":"Windows","sigma_rules":[{"rule_name":"Potential SMB Relay Attack Tool 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"}],"splunk_rules":[]},{"tech_id":"T1187","atomic_attack_guid":"81cfdd7f-1f41-4cc5-9845-bb5149438e37","atomic_attack_name":"Trigger an authenticated RPC call to a target server with no Sign flag set","platform":"Windows","sigma_rules":[{"rule_name":"Capture Credentials with Rpcping.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"},{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"}],"splunk_rules":[]},{"tech_id":"T1201","atomic_attack_guid":"4588d243-f24e-4549-b2e3-e627acc089f6","atomic_attack_name":"Examine local password policy - Windows","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1201","atomic_attack_guid":"510cc97f-56ac-4cd3-a198-d3218c23d889","atomic_attack_name":"Use of SecEdit.exe to export the local security policy (including the password policy)","platform":"Windows","sigma_rules":[{"rule_name":"Potential Suspicious Activity Using SeCEdit","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"cecfea7a-5f03-4cdd-8bc8-6f7c22862440","atomic_attack_name":"Indirect Command Execution - pcalua.exe","platform":"Windows","sigma_rules":[{"rule_name":"Use of Pcalua For 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"8b34a448-40d9-4fc3-a8c8-4bb286faf7dc","atomic_attack_name":"Indirect Command Execution - forfiles.exe","platform":"Windows","sigma_rules":[{"rule_name":"Forfiles Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"}],"splunk_rules":[]},{"tech_id":"T1202","atomic_attack_guid":"0fd14730-6226-4f5e-8d67-43c65f1be940","atomic_attack_name":"Indirect Command Execution - Scriptrunner.exe","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Use of Scriptrunner.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"3f3af983-118a-4fa1-85d3-ba4daa739d80","atomic_attack_name":"OSTap Payload Download","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"02f35d62-9fdc-4a97-b899-a5d9a876d295","atomic_attack_name":"Potentially Unwanted Applications (PUA)","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web 
Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1204.002","atomic_attack_guid":"581d7521-9c4b-420e-9695-2aec5241167f","atomic_attack_name":"LNK Payload Download","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[]},{"tech_id":"T1216","atomic_attack_guid":"2a8f2d3c-3dec-4262-99dd-150cb2a4d63a","atomic_attack_name":"manage-bde.wsf Signed Script Command Execution","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1216.001","atomic_attack_guid":"9dd29a1f-1e16-4862-be83-913b10a88f6c","atomic_attack_name":"PubPrn.vbs Signed Script Bypass","platform":"Windows","sigma_rules":[{"rule_name":"Pubprn.vbs Proxy 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml"},{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"76f71e2f-480e-4bed-b61e-398fe17499d5","atomic_attack_name":"List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Where Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"4312cdbc-79fc-4a9c-becc-53d49c734bc5","atomic_attack_name":"List Mozilla Firefox bookmarks on Windows with command prompt","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Where Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml"}],"splunk_rules":[]},{"tech_id":"T1217","atomic_attack_guid":"727dbcdb-e495-4ab1-a6c4-80c7f77aef85","atomic_attack_name":"List Internet Explorer Bookmarks using the command prompt","platform":"Windows","sigma_rules":[{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"ad2c17ed-f626-4061-b21e-b9804a6f3655","atomic_attack_name":"Register-CimProvider - Execute evil dll","platform":"Windows","sigma_rules":[{"rule_name":"DLL Execution Via 
Register-cimprovider.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"54ad7d5a-a1b5-472c-b6c4-f8090fb2daef","atomic_attack_name":"InfDefaultInstall.exe .inf Execution","platform":"Windows","sigma_rules":[{"rule_name":"InfDefaultInstall.exe .inf Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"7cbb0f26-a4c1-4f77-b180-a009aa05637e","atomic_attack_name":"Microsoft.Workflow.Compiler.exe Payload Execution","platform":"Windows","sigma_rules":[{"rule_name":"Microsoft Workflow Compiler Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"9ebe7901-7edf-45c0-b5c7-8366300919db","atomic_attack_name":"Invoke-ATHRemoteFXvGPUDisablementCommand base test","platform":"Windows","sigma_rules":[{"rule_name":"RemoteFXvGPUDisablement Abuse Via 
AtomicTestHarnesses","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"49fbd548-49e9-4bb7-94a6-3769613912b8","atomic_attack_name":"Load Arbitrary DLL via Wuauclt (Windows Update Client)","platform":"Windows","sigma_rules":[{"rule_name":"Proxy Execution Via Wuauclt.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"5bcda9cd-8e85-48fa-861d-b5a85d91d48c","atomic_attack_name":"Lolbin Gpscript logon option","platform":"Windows","sigma_rules":[{"rule_name":"Gpscript Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"f8da74bb-21b8-4af9-8d84-f2c8e4a220e3","atomic_attack_name":"Lolbin Gpscript startup option","platform":"Windows","sigma_rules":[{"rule_name":"Gpscript 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"13c0804e-615e-43ad-b223-2dfbacd0b0b3","atomic_attack_name":"Lolbas ie4uinit.exe use as proxy","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"},{"rule_name":"Ie4uinit Lolbin Use From Invalid Path","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"ab76e34f-28bf-441f-a39c-8db4835b89cc","atomic_attack_name":"Provlaunch.exe Executes Arbitrary Command via Registry Key","platform":"Windows","sigma_rules":[{"rule_name":"Potential Provisioning Registry Key Abuse For Binary Proxy Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","atomic_attack_guid":"7816c252-b728-4ea6-a683-bd9441ca0b71","atomic_attack_name":"System Binary Proxy Execution - Wlrmdr Lolbin","platform":"Windows","sigma_rules":[{"rule_name":"Wlrmdr.EXE Uncommon Argument Or Child 
Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218.003","atomic_attack_guid":"34e63321-9683-496b-bbc1-7566bc55e624","atomic_attack_name":"CMSTP Executing Remote Scriptlet","platform":"Windows","sigma_rules":[{"rule_name":"Bypass UAC via CMSTP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"}],"splunk_rules":[]},{"tech_id":"T1218.003","atomic_attack_guid":"748cb4f6-2fb3-4e97-b7ad-b22635a09ab0","atomic_attack_name":"CMSTP Executing UAC Bypass","platform":"Windows","sigma_rules":[{"rule_name":"Bypass UAC via CMSTP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"},{"rule_name":"CMSTP Execution Registry Event","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"1483fab9-4f52-4217-a9ce-daa9d7747cae","atomic_attack_name":"Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject","platform":"Windows","sigma_rules":[{"rule_name":"Remotely Hosted HTA File Executed Via Mshta.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml"},{"rule_name":"Suspicious JavaScript Execution Via 
Mshta.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"906865c3-e05f-4acc-85c4-fbc185455095","atomic_attack_name":"Mshta executes VBScript to execute malicious command","platform":"Windows","sigma_rules":[{"rule_name":"MSHTA Suspicious Execution 01","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"},{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"MSHTA Execution with Suspicious File Extensions","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.005","atomic_attack_guid":"8707a805-2b76-4f32-b1c0-14e558205772","atomic_attack_name":"Mshta used to Execute PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Read Contents From Stdin Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"},{"rule_name":"MSHTA Suspicious Execution 01","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"},{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"MSHTA Execution with Suspicious File 
Extensions","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with embedded JScript","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"8d73c7b0-c2b1-4ac1-881a-4aa644f76064","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with embedded VBScript","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"628fa796-76c5-44c3-93aa-b9d8214fd568","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with an embedded DLL","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","atomic_attack_guid":"ed3fa08a-ca18-4009-973e-03d13014d0e8","atomic_attack_name":"Msiexec.exe - Execute Local MSI file with an embedded EXE","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"}],"splunk_rules":[]},{"tech_id":"T1218.010","atomic_attack_guid":"9d71c492-ea2e-4c08-af16-c6994cdf029f","atomic_attack_name":"Regsvr32 Silent DLL Install Call DllRegisterServer","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine 
Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Regsvr32 Execution From Highly Suspicious Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"57ba4ce9-ee7a-4f27-9928-3c70c489b59d","atomic_attack_name":"Rundll32 execute JavaScript Remote Payload With GetObject","platform":"Windows","sigma_rules":[{"rule_name":"Mshtml.DLL RunHTMLApplication Suspicious Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[{"rule_name":"Rundll32 DNSQuery","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/network/rundll32_dnsquery.yml"}]},{"tech_id":"T1218.011","atomic_attack_guid":"638730e7-7aed-43dc-bf8c-8117f805f5bb","atomic_attack_name":"Rundll32 execute VBscript command","platform":"Windows","sigma_rules":[{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"Mshtml.DLL RunHTMLApplication Suspicious Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL 
Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"22cfde89-befe-4e15-9753-47306b37a6e3","atomic_attack_name":"Execution of HTA and VBS Files using Rundll32 and URL.dll","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"9f5d081a-ee5a-42f9-a04e-b7bdc487e676","atomic_attack_name":"Launches an executable using Rundll32 and pcwutl.dll","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Code Execution via Pcwutl.dll","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"83a95136-a496-423c-81d3-1c6750133917","atomic_attack_name":"Rundll32 with desk.cpl","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Rundll32 InstallScreenSaver Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Suspicious Calculator 
Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"SCR File Write Event","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"2d5029f0-ae20-446f-8811-e7511b58e8b6","atomic_attack_name":"Running DLL with .init extension and function","platform":"Windows","sigma_rules":[{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8","atomic_attack_name":"Rundll32 execute command via FileProtocolHandler","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[]},{"tech_id":"T1218.011","atomic_attack_guid":"8a7f56ee-10e7-444c-a139-0109438288eb","atomic_attack_name":"Rundll32 execute payload by calling RouteTheCall","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"}],"splunk_rules":[]},{"tech_id":"T1220","atomic_attack_guid":"1b237334-3e21-4a0c-8178-b8c996124988","atomic_attack_name":"WMIC bypass using local XSL file","platform":"Windows","sigma_rules":[{"rule_name":"XSL Script Execution Via 
WMIC.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"}],"splunk_rules":[]},{"tech_id":"T1220","atomic_attack_guid":"7f5be499-33be-4129-a560-66021f379b9b","atomic_attack_name":"WMIC bypass using remote XSL file","platform":"Windows","sigma_rules":[{"rule_name":"XSL Script Execution Via WMIC.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml"},{"rule_name":"Process Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"},{"rule_name":"Potential Remote SquiblyTwo Technique Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"}],"splunk_rules":[]},{"tech_id":"T1222","atomic_attack_guid":"6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02","atomic_attack_name":"Enable Local and Remote Symbolic Links via fsutil","platform":"Windows","sigma_rules":[{"rule_name":"Fsutil Behavior Set SymlinkEvaluation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"98d34bb4-6e75-42ad-9c41-1dae7dc6a001","atomic_attack_name":"Take ownership using takeown utility","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Recursive Takeown","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"},{"rule_name":"File or Folder Permissions 
Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"a8206bcc-f282-40a9-a389-05d9c0263485","atomic_attack_name":"cacls - Grant permission to specified user or group recursively","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"bec1e95c-83aa-492e-ab77-60c71bbd21b0","atomic_attack_name":"attrib - Remove read-only attribute","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"32b979da-7b68-42c9-9a99-0e39900fc36c","atomic_attack_name":"attrib - hide file","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1222.001","atomic_attack_guid":"ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6","atomic_attack_name":"Grant Full Access to folder for Everyone - Ryuk Ransomware Style","platform":"Windows","sigma_rules":[{"rule_name":"File or Folder Permissions 
Modifications","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"}],"splunk_rules":[]},{"tech_id":"T1482","atomic_attack_guid":"2e22641d-0498-48d2-b9ff-c71e496ccdbe","atomic_attack_name":"Windows - Discover domain trusts with nltest","platform":"Windows","sigma_rules":[{"rule_name":"Potential Recon Activity Via Nltest.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"},{"rule_name":"Nltest.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1482","atomic_attack_guid":"15fe436d-e771-4ff3-b655-2dca9ba52834","atomic_attack_name":"Adfind - Enumerate Active Directory Trusts","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[]},{"tech_id":"T1485","atomic_attack_guid":"321fd25e-0007-417f-adec-33232252be19","atomic_attack_name":"Overwrite deleted data on C drive","platform":"Windows","sigma_rules":[{"rule_name":"Deleted Data Overwritten Via 
Cipher.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml"}],"splunk_rules":[]},{"tech_id":"T1486","atomic_attack_guid":"649349c7-9abf-493b-a7a2-b1aa4d141528","atomic_attack_name":"PureLocker Ransom Note","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"21dfb440-830d-4c86-a3e5-2a491d5a8d04","atomic_attack_name":"Windows - Stop service using Service Controller","platform":"Windows","sigma_rules":[{"rule_name":"Stop Windows Service Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"41274289-ec9c-4213-bea4-e43c4aa57954","atomic_attack_name":"Windows - Stop service using net.exe","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Stop Windows Service Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml"}],"splunk_rules":[]},{"tech_id":"T1489","atomic_attack_guid":"f3191b84-c38b-400b-867e-3a217a27795f","atomic_attack_name":"Windows - Stop service by killing process","platform":"Windows","sigma_rules":[{"rule_name":"Process Terminated Via Taskkill","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"43819286-91a9-4369-90ed-d31fb4da2c01","atomic_attack_name":"Windows - 
Delete Volume Shadow Copies","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"6a3ff8dd-f49c-4272-a658-11c2fe58bd88","atomic_attack_name":"Windows - Delete Volume Shadow Copies via WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"cf21060a-80b3-4238-a595-22525de4ab81","atomic_attack_name":"Windows - Disable Windows Recovery Console Repair","platform":"Windows","sigma_rules":[{"rule_name":"Boot Configuration Tampering Via Bcdedit.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"39a295ca-7059-4a88-86f6-09556c1211e7","atomic_attack_name":"Windows - Delete Volume Shadow Copies via WMI with PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"},{"rule_name":"Deletion of Volume Shadow Copies via WMI with PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml"},{"rule_name":"Deletion of Volume Shadow Copies via WMI 
with PowerShell - PS Script","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"}],"splunk_rules":[{"rule_name":"Delete ShadowCopy With PowerShell","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/delete_shadowcopy_with_powershell.yml"}]},{"tech_id":"T1490","atomic_attack_guid":"6b1dbaf6-cc8a-4ea6-891f-6058569653bf","atomic_attack_name":"Windows - Delete Backup Files","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"1c68c68d-83a4-4981-974e-8993055fa034","atomic_attack_name":"Windows - Disable the SR scheduled task","platform":"Windows","sigma_rules":[{"rule_name":"Disable Important Scheduled Task","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"da558b07-69ae-41b9-b9d4-4d98154a7049","atomic_attack_name":"Windows - vssadmin Resize Shadowstorage Volume","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1490","atomic_attack_guid":"a4420f93-5386-4290-b780-f4f66abc7070","atomic_attack_name":"Modify VSS Service Permissions","platform":"Windows","sigma_rules":[{"rule_name":"Allow Service Access Using Security Descriptor Tampering Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"},{"rule_name":"Service Security Descriptor Tampering Via 
Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"},{"rule_name":"Deny Service Access Using Security Descriptor Tampering Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"}],"splunk_rules":[]},{"tech_id":"T1505.002","atomic_attack_guid":"43e92449-ff60-46e9-83a3-1a38089df94d","atomic_attack_name":"Install MS Exchange Transport Agent Persistence","platform":"Windows","sigma_rules":[{"rule_name":"MSExchange Transport Agent Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml"}],"splunk_rules":[]},{"tech_id":"T1505.003","atomic_attack_guid":"0a2ce662-1efa-496f-a472-2fe7b080db16","atomic_attack_name":"Web Shell Written to Disk","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1518","atomic_attack_guid":"68981660-6670-47ee-a5fa-7e74806420a4","atomic_attack_name":"Find and Display Internet Explorer Browser Version","platform":"Windows","sigma_rules":[{"rule_name":"Detected Windows Software Discovery","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"f92a380f-ced9-491f-b338-95a991418ce2","atomic_attack_name":"Security Software Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Recon Command Output Piped To Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"},{"rule_name":"Suspicious Tasklist Discovery 
Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"fe613cf3-8009-4446-9a0f-bc78a15b66c9","atomic_attack_name":"Security Software Discovery - Sysmon Service","platform":"Windows","sigma_rules":[{"rule_name":"Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml"}],"splunk_rules":[]},{"tech_id":"T1518.001","atomic_attack_guid":"1553252f-14ea-4d3b-8a08-d7a4211aa945","atomic_attack_name":"Security Software Discovery - AV Discovery via WMI","platform":"Windows","sigma_rules":[{"rule_name":"Potential Product Class Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"},{"rule_name":"Potential Product Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"ed366cde-7d12-49df-a833-671904770b9f","atomic_attack_name":"Modify Fax service to run PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"},{"rule_name":"Suspicious Service Path Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"981e2942-e433-44e9-afc1-8c957a1496b6","atomic_attack_name":"Service Installation 
CMD","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"491a4af6-a521-4b74-b23b-f7b3f1ee9e77","atomic_attack_name":"Service Installation PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using PowerShell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[]},{"tech_id":"T1543.003","atomic_attack_guid":"ef0581fd-528e-4662-87bc-4c2affb86940","atomic_attack_name":"TinyTurla backdoor service w64time","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546","atomic_attack_guid":"547a4736-dd1c-4b48-b4fe-e916190bb2e7","atomic_attack_name":"Persistence via ErrorHandler.cmd script execution","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.001","atomic_attack_guid":"10a08978-2045-4d62-8c42-1957bbbea102","atomic_attack_name":"Change Default File Association","platform":"Windows","sigma_rules":[{"rule_name":"Change Default File Association Via Assoc","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1546.002","atomic_attack_guid":"281201e7-de41-4dc9-b73d-f288938cbb64","atomic_attack_name":"Set Arbitrary Binary as Screensaver","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.007","atomic_attack_guid":"3244697d-5a3a-4dfc-941c-550f69f91a4d","atomic_attack_name":"Netsh Helper DLL Registration","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Via Netsh Helper DLL","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1546.008","atomic_attack_guid":"934e90cf-29ca-48b3-863c-411737ad44e3","atomic_attack_name":"Replace binary of sticky keys","platform":"Windows","sigma_rules":[{"rule_name":"Persistence Via Sticky Key Backdoor","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1546.008","atomic_attack_guid":"51ef369c-5e87-4f33-88cd-6d61be63edf2","atomic_attack_name":"Create Symbolic Link From osk.exe to cmd.exe","platform":"Windows","sigma_rules":[{"rule_name":"File Deletion Via Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"},{"rule_name":"Greedy File Deletion Using Del","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Privilege Escalation Using Symlink Between Osk and Cmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"}],"splunk_rules":[]},{"tech_id":"T1546.011","atomic_attack_guid":"9ab27e22-ee62-4211-962b-d36d9a0e6a18","atomic_attack_name":"Application Shim Installation","platform":"Windows","sigma_rules":[{"rule_name":"Potential Shim Database Persistence via Sdbinst.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1546.011","atomic_attack_guid":"aefd6866-d753-431f-a7a4-215ca7e3f13d","atomic_attack_name":"New shim database files created in the default shim database directory","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1547","atomic_attack_guid":"cb01b3da-b0e7-4e24-bf6d-de5223526785","atomic_attack_name":"Add a driver","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Driver Install by pnputil.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"}],"splunk_rules":[]},{"tech_id":"T1547","atomic_attack_guid":"5cb0b071-8a5a-412f-839d-116beb2ed9f7","atomic_attack_name":"Driver Installation Using pnputil.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Driver Install by pnputil.exe","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"e55be3fd-3521-4610-9d1a-e210e42dcf05","atomic_attack_name":"Reg Key Run","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"554cbd88-cde1-4b56-8168-0be552eed9eb","atomic_attack_name":"Reg Key RunOnce","platform":"Windows","sigma_rules":[{"rule_name":"Direct Autorun Keys Modification","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml"},{"rule_name":"Potential Persistence Attempt Via Run Keys Using 
Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"}],"splunk_rules":[]},{"tech_id":"T1547.001","atomic_attack_guid":"6e1666d5-3f2b-4b9a-80aa-f011322380d4","atomic_attack_name":"Creating Boot Verification Program Key for application execution during successful boot","platform":"Windows","sigma_rules":[{"rule_name":"Potential Persistence Attempt Via Existing Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml"}],"splunk_rules":[]},{"tech_id":"T1547.009","atomic_attack_guid":"ce4fc678-364f-4282-af16-2fb4c78005ce","atomic_attack_name":"Shortcut Modification","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Calculator Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"}],"splunk_rules":[]},{"tech_id":"T1548.002","atomic_attack_guid":"58f641ea-12e3-499a-b684-44dee46bd182","atomic_attack_name":"Bypass UAC using Fodhelper","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Reg Add Open Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml"}],"splunk_rules":[]},{"tech_id":"T1552.002","atomic_attack_guid":"b6ec082c-7384-46b3-a111-9a9b8b14e5e7","atomic_attack_name":"Enumeration for Credentials in Registry","platform":"Windows","sigma_rules":[{"rule_name":"Enumeration for Credentials in 
Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml"}],"splunk_rules":[]},{"tech_id":"T1552.002","atomic_attack_guid":"af197fd7-e868-448e-9bd5-05d1bcd9d9e5","atomic_attack_name":"Enumeration for PuTTY Credentials in Registry","platform":"Windows","sigma_rules":[{"rule_name":"Enumeration for Credentials in Registry","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml"},{"rule_name":"Enumeration for 3rd Party Creds From CLI","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"}],"splunk_rules":[]},{"tech_id":"T1552.004","atomic_attack_guid":"336b25bf-4514-4684-8924-474974f28137","atomic_attack_name":"CertUtil ExportPFX","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1552.004","atomic_attack_guid":"290df60e-4b5d-4a5e-b0c7-dc5348ea0c86","atomic_attack_name":"Export Certificates with Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"}],"splunk_rules":[]},{"tech_id":"T1552.006","atomic_attack_guid":"e9584f82-322c-474a-b831-940fd8b4455c","atomic_attack_name":"GPP Passwords (Get-GPPPassword)","platform":"Windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[]},{"tech_id":"T1553.003","atomic_attack_guid":"e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675","atomic_attack_name":"SIP (Subject Interface Package) Hijacking via Custom DLL","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Regsvr32 Execution From Highly Suspicious Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml"}],"splunk_rules":[]},{"tech_id":"T1553.004","atomic_attack_guid":"ca20a3f1-42b5-4e21-ad3f-1049199ec2e0","atomic_attack_name":"Add Root Certificate to CurrentUser Certificate Store","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web 
Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"c89becbe-1758-4e7d-a0f4-97d2188a23e3","atomic_attack_name":"Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"8fd5a296-6772-4766-9991-ff4e92af7240","atomic_attack_name":"Dump credentials from Windows Credential Manager With PowerShell [web Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"36753ded-e5c4-4eb5-bc3c-e8fba236878d","atomic_attack_name":"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows 
Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1555","atomic_attack_guid":"bc071188-459f-44d5-901a-f8f2625b2d2e","atomic_attack_name":"Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"8c05b133-d438-47ca-a630-19cc464c4622","atomic_attack_name":"Run Chrome-password Collector","platform":"Windows","sigma_rules":[{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"9a2915b3-3954-4cce-8c76-00fbf4dbd014","atomic_attack_name":"LaZagne - Credentials from Browser","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - LaZagne Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"3d111226-d09a-4911-8715-fe11664f960d","atomic_attack_name":"Simulating access to Chrome Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"28498c17-57e4-495a-b0be-cc1e36de408b","atomic_attack_name":"Simulating access to Opera Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"eb8da98a-2e16-4551-b3dd-83de49baa14c","atomic_attack_name":"Simulating access to Windows Firefox Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"a6a5ec26-a2d1-4109-9d35-58b867689329","atomic_attack_name":"Simulating access to Windows Edge Login Data","platform":"Windows","sigma_rules":[{"rule_name":"Potential Browser Data Stealing","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"},{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[]},{"tech_id":"T1555.003","atomic_attack_guid":"70422253-8198-4019-b617-6be401b49fce","atomic_attack_name":"Dump Chrome Login Data with esentutl","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1555.004","atomic_attack_guid":"9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439","atomic_attack_name":"Access Saved Credentials via VaultCmd","platform":"Windows","sigma_rules":[{"rule_name":"Windows Credential Manager Access via VaultCmd","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml"}],"splunk_rules":[]},{"tech_id":"T1560.001","atomic_attack_guid":"8dd61a55-44c6-43cc-af0c-8bdda276860c","atomic_attack_name":"Compress Data and lock with password for Exfiltration with winrar","platform":"Windows","sigma_rules":[{"rule_name":"Rar Usage with Password and Compression Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"}],"splunk_rules":[]},{"tech_id":"T1560.001","atomic_attack_guid":"01df0353-d531-408d-a0c5-3161bf822134","atomic_attack_name":"Compress Data and lock with password for Exfiltration with winzip","platform":"Windows","sigma_rules":[{"rule_name":"Compress Data and Lock With Password for Exfiltration With WINZIP","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir 
Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1562","atomic_attack_guid":"40075d5f-3a70-4c66-9125-f72bee87247d","atomic_attack_name":"Windows Disable LSA Protection","platform":"Windows","sigma_rules":[{"rule_name":"LSA PPL Protection Disabled Via Reg.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"811b3e76-c41b-430c-ac0d-e2380bfaa164","atomic_attack_name":"Unload Sysmon Filter Driver","platform":"Windows","sigma_rules":[{"rule_name":"Sysmon Driver Unloaded Via Fltmc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml"},{"rule_name":"Filter Driver Unloaded Via Fltmc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"695eed40-e949-40e5-b306-b4031e4154bd","atomic_attack_name":"AMSI Bypass - AMSI InitFailed","platform":"Windows","sigma_rules":[{"rule_name":"Potential AMSI Bypass Via .NET Reflection","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"a1230893-56ac-4c81-b644-2108e982f8f5","atomic_attack_name":"Disable Arbitrary Security Windows Service","platform":"Windows","sigma_rules":[{"rule_name":"Service StartupType Change Via 
Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"aa875ed4-8935-47e2-b2c5-6ec00ab220d2","atomic_attack_name":"Tamper with Windows Defender Command Prompt","platform":"Windows","sigma_rules":[{"rule_name":"Service StartupType Change Via Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml"},{"rule_name":"Disable Windows Defender AV Security Monitoring","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"},{"rule_name":"Suspicious Windows Service Tampering","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"3d47daaa-2f56-43e0-94cc-caf5d8d52a68","atomic_attack_name":"Remove Windows Defender Definition Files","platform":"Windows","sigma_rules":[{"rule_name":"Windows Defender Definition Files Removed","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297","atomic_attack_name":"Uninstall Crowdstrike Falcon on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Uninstall Crowdstrike Falcon Sensor","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml"}],"splunk_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"24a12b91-05a7-4deb-8d7f-035fa98591bc","atomic_attack_name":"Kill antimalware protected processes using Backstab","platform":"Windows","sigma_rules":[{"rule_name":"Potential 
Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","atomic_attack_guid":"66fb0bc1-3c3f-47e9-a298-550ecfefacbc","atomic_attack_name":"Powershell Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And 
Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1003.002","atomic_attack_guid":"5c2571d0-1572-416d-9676-812e64ca9f44","atomic_attack_name":"Registry dump of SAM, creds, and secrets","platform":"Windows","splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"}],"sigma_rules":[{"rule_name":"Dumping of Sensitive Hives Via Reg.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"}]},{"tech_id":"T1003.002","atomic_attack_guid":"a90c2f4d-6726-444e-99d2-a00cd7c20480","atomic_attack_name":"esentutl.exe SAM copy","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"}],"splunk_rules":[{"rule_name":"Esentutl SAM Copy","rule_link":"https://research.splunk.com/endpoint/d372f928-ce4f-11eb-a762-acde48001122/"}]},{"tech_id":"T1003.002","atomic_attack_guid":"eeb9751a-d598-42d3-b11c-c122d9c3f6c7","atomic_attack_name":"dump volume shadow copy hives with certutil","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Potentially Suspicious CMD Shell Output 
Redirect","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"File Encoded To Base64 Via Certutil.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"},{"rule_name":"File In Suspicious Location Encoded To Base64 Via Certutil.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"}],"splunk_rules":[{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f","atomic_attack_name":"Create Volume Shadow Copy with vssadmin","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"}],"splunk_rules":[{"rule_name":"Creation of Shadow Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"c6237146-9ea6-4711-85c9-c56d263a6b03","atomic_attack_name":"Copy NTDS.dit from Volume Shadow Copy","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy 
Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"Suspicious Process Patterns NTDS.DIT Exfil","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"},{"rule_name":"Copy From VolumeShadowCopy Via Cmd.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"},{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"224f7de0-8f0a-4a94-b5d8-989b036c86da","atomic_attack_name":"Create Volume Shadow Copy with WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"System Disk And Volume Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[{"rule_name":"Creation of Shadow 
Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"d893459f-71f0-484d-9808-ec83b2b64226","atomic_attack_name":"Create Volume Shadow Copy remotely with WMI","platform":"Windows","sigma_rules":[{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"},{"rule_name":"System Disk And Volume Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Creation of Shadow Copy","rule_link":"https://research.splunk.com/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"21c7bf80-3e8b-40fa-8f9d-f5b194ff2865","atomic_attack_name":"Create Volume Shadow Copy remotely (WMI) with esentutl","platform":"Windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"Suspicious Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"},{"rule_name":"New Process Created Via 
Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Credential Dumping via Copy Command from Shadow Copy","rule_link":"https://research.splunk.com/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/"},{"rule_name":"Windows WMI Process Call Create","rule_link":"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/"},{"rule_name":"Remote Process Instantiation via WMI","rule_link":"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"21748c28-2793-4284-9e07-d6d028b66702","atomic_attack_name":"Create Symlink to Volume Shadow Copy","platform":"Windows","sigma_rules":[{"rule_name":"VolumeShadowCopy Symlink Creation Via Mklink","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml"},{"rule_name":"Sensitive File Access Via Volume Shadow Copy Backup","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"},{"rule_name":"Shadow Copies Creation Using Operating Systems Utilities","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"}],"splunk_rules":[{"rule_name":"Credential Dumping via Symlink to Shadow 
Copy","rule_link":"https://research.splunk.com/endpoint/c5eac648-fae0-4263-91a6-773df1f4c903/"}]},{"tech_id":"T1003.003","atomic_attack_guid":"b385996c-0e7d-4e27-95a4-aca046b119a7","atomic_attack_name":"Create Volume Shadow Copy with diskshadow","platform":"Windows","sigma_rules":[{"rule_name":"Diskshadow Script Mode Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"},{"rule_name":"Windows Diskshadow Proxy Execution","rule_link":"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/"}]},{"tech_id":"T1003.004","atomic_attack_guid":"55295ab0-a703-433b-9ca4-ae13807de12f","atomic_attack_name":"Dumping LSA Secrets","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Psexec Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[{"rule_name":"Attempted Credential Dump From Registry via Reg exe","rule_link":"https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/"},{"rule_name":"Detect PsExec With accepteula 
Flag","rule_link":"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/"}]},{"tech_id":"T1003.004","atomic_attack_guid":"2dfa3bff-9a27-46db-ab75-7faefdaca732","atomic_attack_name":"Dump Kerberos Tickets from LSA using dumper.ps1","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1003.006","atomic_attack_guid":"129efd28-8497-4c87-a1b0-73b9a870ca3e","atomic_attack_name":"DCSync (Active Directory)","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"Operator Bloopers Cobalt Strike Commands","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[{"rule_name":"Windows Mimikatz Binary 
Execution","rule_link":"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/"}]},{"tech_id":"T1016","atomic_attack_guid":"9bb45dd7-c466-4f93-83a1-be30e56033ee","atomic_attack_name":"Adfind - Enumerate Active Directory Subnet Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1016","atomic_attack_guid":"34557863-344a-468f-808b-a1bfb89b4fa9","atomic_attack_name":"DNS Server Discovery Using nslookup","platform":"Windows","sigma_rules":[{"rule_name":"Network Reconnaissance Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml"}],"splunk_rules":[{"rule_name":"Windows System Discovery Using ldap Nslookup","rule_link":"https://research.splunk.com/endpoint/2418780f-7c3e-4c45-b8b4-996ea850cd49/"}]},{"tech_id":"T1018","atomic_attack_guid":"85321a9c-897f-4a60-9f20-29788e50bccd","atomic_attack_name":"Remote System Discovery - net","platform":"Windows","sigma_rules":[{"rule_name":"Share And Session Enumeration Using Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"Remote System Discovery with Net","rule_link":"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/"}]},{"tech_id":"T1018","atomic_attack_guid":"f1bf6c8f-9016-4edf-aff9-80b65f5d711f","atomic_attack_name":"Remote System Discovery - net group Domain 
Computers","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Suspicious Group And Account Reconnaissance Activity Using Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"Domain Group Discovery With Net","rule_link":"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/"},{"rule_name":"Remote System Discovery with Net","rule_link":"https://research.splunk.com/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/"}]},{"tech_id":"T1018","atomic_attack_guid":"52ab5108-3f6f-42fb-8ba3-73bc054f22c8","atomic_attack_name":"Remote System Discovery - nltest","platform":"Windows","sigma_rules":[{"rule_name":"Potential Recon Activity Via Nltest.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"},{"rule_name":"Nltest.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"Domain Controller Discovery with Nltest","rule_link":"https://research.splunk.com/endpoint/41243735-89a7-4c83-bcdd-570aa78f00a1/"}]},{"tech_id":"T1018","atomic_attack_guid":"a889f5be-2d54-4050-bd05-884578748bb4","atomic_attack_name":"Adfind - Enumerate Active Directory Computer Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1018","atomic_attack_guid":"97e89d9e-e3f5-41b5-a90f-1e0825df0fdf","atomic_attack_name":"Enumerate Active Directory Computers with Get-AdComputer","platform":"Windows","splunk_rules":[{"rule_name":"GetAdComputer with PowerShell","rule_link":"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/"},{"rule_name":"GetAdComputer with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadcomputer_with_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Active Directory Computers Enumeration With Get-AdComputer","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"}]},{"tech_id":"T1018","atomic_attack_guid":"e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad","atomic_attack_name":"Get-WmiObject to Enumerate Domain Controllers","platform":"Windows","splunk_rules":[{"rule_name":"GetWmiObject Ds Computer with PowerShell","rule_link":"https://research.splunk.com/endpoint/7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3/"},{"rule_name":"GetWmiObject Ds Computer with PowerShell Script 
Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}]},{"tech_id":"T1018","atomic_attack_guid":"5843529a-5056-4bc1-9c13-a311e2af4ca0","atomic_attack_name":"Remote System Discovery - net group Domain Controller","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Suspicious Group And Account Reconnaissance Activity Using Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"Domain Group Discovery With Net","rule_link":"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/"}]},{"tech_id":"T1021.002","atomic_attack_guid":"3386975b-367a-4fbb-9d77-4dcf3639ffd3","atomic_attack_name":"Map admin share","platform":"Windows","splunk_rules":[{"rule_name":"CMD Carry Out String Command Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"}],"sigma_rules":[{"rule_name":"Windows Admin Share Mount Via Net.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml"},{"rule_name":"Windows Share Mount Via 
Net.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml"}]},{"tech_id":"T1021.002","atomic_attack_guid":"0eb03d41-79e4-4393-8e57-6344856be1cf","atomic_attack_name":"Copy and Execute File with PsExec","platform":"Windows","sigma_rules":[{"rule_name":"Psexec Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml"},{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[{"rule_name":"Detect PsExec With accepteula Flag","rule_link":"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/"}]},{"tech_id":"T1021.002","atomic_attack_guid":"d41aaab5-bdfe-431d-a3d5-c29e9136ff46","atomic_attack_name":"Execute command writing output to local Admin Share","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Redirection to Local Admin Share","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"},{"rule_name":"HackTool - CrackMapExec Execution Patterns","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml"}],"splunk_rules":[{"rule_name":"Impacket Lateral Movement Commandline Parameters","rule_link":"https://research.splunk.com/endpoint/8ce07472-496f-11ec-ab3b-3e22fbd008af/"}]},{"tech_id":"T1021.003","atomic_attack_guid":"6dc74eb1-c9d6-4c53-b3b5-6f50ae339673","atomic_attack_name":"PowerShell Lateral Movement using MMC20","platform":"Windows","splunk_rules":[{"rule_name":"Remote Process Instantiation via DCOM and 
PowerShell","rule_link":"https://research.splunk.com/endpoint/d4f42098-4680-11ec-ad07-3e22fbd008af/"},{"rule_name":"Remote Process Instantiation via DCOM and PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml"}],"sigma_rules":[]},{"tech_id":"T1021.004","atomic_attack_guid":"280812c8-4dae-43e9-a74e-1d08ab997c0e","atomic_attack_name":"ESXi - Enable SSH via VIM-CMD","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1033","atomic_attack_guid":"1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b","atomic_attack_name":"GetCurrent User with PowerShell Script","platform":"Windows","splunk_rules":[{"rule_name":"GetCurrent User with PowerShell","rule_link":"https://research.splunk.com/endpoint/7eb9c3d5-c98c-4088-acc5-8240bad15379/"},{"rule_name":"GetCurrent User with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getcurrent_user_with_powershell_script_block.yml"},{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Suspicious PowerShell Get Current User","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"},{"rule_name":"Renamed Whoami 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}]},{"tech_id":"T1036.003","atomic_attack_guid":"24136435-c91a-4ede-9da1-8b284a1c1a23","atomic_attack_name":"Masquerading - wscript.exe running as svchost.exe","platform":"Windows","sigma_rules":[{"rule_name":"LOL-Binary Copied From System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Potential Defense Evasion Via Rename Of Highly Relevant Binaries","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"}],"splunk_rules":[{"rule_name":"CMD Carry Out String Command Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"}]},{"tech_id":"T1036.004","atomic_attack_guid":"f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9","atomic_attack_name":"Creating W32Time similar named service using schtasks","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Command Patterns In Scheduled Task Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"},{"rule_name":"Schtasks Creation Or Modification With SYSTEM Privileges","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"},{"rule_name":"Scheduled Task Creation Via 
Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows Schtasks Create Run As System","rule_link":"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/"}]},{"tech_id":"T1047","atomic_attack_guid":"c107778c-dcf5-47c5-af2e-1d058a3df3ea","atomic_attack_name":"WMI Reconnaissance Users","platform":"Windows","splunk_rules":[{"rule_name":"Local Account Discovery With Wmic","rule_link":"https://research.splunk.com/endpoint/4902d7aa-0134-11ec-9d65-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1047","atomic_attack_guid":"0fd48ef7-d890-4e93-a533-f7dedd5191d3","atomic_attack_name":"WMI Reconnaissance List Remote Services","platform":"Windows","sigma_rules":[{"rule_name":"Service Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"}]},{"tech_id":"T1047","atomic_attack_guid":"b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3","atomic_attack_name":"WMI Execute Local Process","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"},{"rule_name":"New Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"}],"splunk_rules":[{"rule_name":"Windows WMI Process Call 
Create","rule_link":"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/"}]},{"tech_id":"T1047","atomic_attack_guid":"9c8ef159-c666-472f-9874-90c8d60d136b","atomic_attack_name":"WMI Execute Remote Process","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"},{"rule_name":"New Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"},{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Windows WMI Process Call Create","rule_link":"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/"},{"rule_name":"Remote Process Instantiation via WMI","rule_link":"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/"}]},{"tech_id":"T1047","atomic_attack_guid":"7db7a7f9-9531-4840-9b30-46220135441c","atomic_attack_name":"Create a Process using WMI Query and an Encoded Command","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Base64 Encoded Invoke Keyword","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml"},{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Suspicious PowerShell Parameter 
Substring","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml"},{"rule_name":"Change PowerShell Policies to an Insecure Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"}]},{"tech_id":"T1047","atomic_attack_guid":"00738d2a-4651-4d76-adf2-c43a41dfb243","atomic_attack_name":"WMI Execute rundll32","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"},{"rule_name":"New Process Created Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"},{"rule_name":"Windows WMI Process Call Create","rule_link":"https://research.splunk.com/endpoint/0661c2de-93de-11ec-9833-acde48001122/"},{"rule_name":"Remote Process Instantiation via WMI","rule_link":"https://research.splunk.com/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/"}]},{"tech_id":"T1047","atomic_attack_guid":"c510d25b-1667-467d-8331-a56d3e9bc4ff","atomic_attack_name":"Application uninstall using WMIC","platform":"Windows","sigma_rules":[{"rule_name":"WMIC Remote Command Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"},{"rule_name":"Application Removed Via 
Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml"},{"rule_name":"Potential Product Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"}],"splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"}]},{"tech_id":"T1048.002","atomic_attack_guid":"1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0","atomic_attack_name":"Exfiltrate data HTTPS using curl windows","platform":"Windows","splunk_rules":[{"rule_name":"Windows Curl Upload to Remote Destination","rule_link":"https://research.splunk.com/endpoint/42f8f1a2-4228-11ec-aade-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1049","atomic_attack_guid":"f069f0f1-baad-4831-aa2b-eddac4baac4a","atomic_attack_name":"System Network Connections Discovery with PowerShell","platform":"Windows","splunk_rules":[{"rule_name":"GetNetTcpconnection with PowerShell","rule_link":"https://research.splunk.com/endpoint/e02af35c-1de5-4afe-b4be-f45aba57272b/"},{"rule_name":"GetNetTcpconnection with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Use Get-NetTCPConnection - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml"}]},{"tech_id":"T1053.005","atomic_attack_guid":"fec27f65-db86-4c2d-b66c-61945aee87c2","atomic_attack_name":"Scheduled Task Startup Script","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Schtasks Schedule Type With High 
Privileges","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"},{"rule_name":"Suspicious Command Patterns In Scheduled Task Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"},{"rule_name":"Schtasks Creation Or Modification With SYSTEM Privileges","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows Schtasks Create Run As System","rule_link":"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","atomic_attack_guid":"2e5eac3e-327b-4a88-a0c0-c4057039a8dd","atomic_attack_name":"Scheduled task Remote","platform":"Windows","sigma_rules":[{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows Schtasks Create Run As System","rule_link":"https://research.splunk.com/endpoint/41a0e58e-884c-11ec-9976-acde48001122/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","atomic_attack_guid":"704333ca-cc12-4bcf-9916-101844881f54","atomic_attack_name":"Scheduled Task (\"Ghost Task\") via Registry Key 
Manipulation","platform":"Windows","sigma_rules":[{"rule_name":"Potential Execution of Sysinternals Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1055.001","atomic_attack_guid":"8b56f787-73d9-4f1d-87e8-d07e89cbc7f5","atomic_attack_name":"WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download 
Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Potential WinAPI Calls Via CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1059","atomic_attack_guid":"a9b93f17-31cb-435d-a462-5e838a2a6026","atomic_attack_name":"AutoIt Script Execution","platform":"Windows","splunk_rules":[{"rule_name":"Windows AutoIt3 Execution","rule_link":"https://research.splunk.com/endpoint/0ecb40d9-492b-4a57-9f87-515dd742794c/"}],"sigma_rules":[]},{"tech_id":"T1059.001","atomic_attack_guid":"f3132740-55bc-48c4-bcc0-758a459cd027","atomic_attack_name":"Mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell 
Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml"},{"rule_name":"Malicious Nishang PowerShell Commandlets","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Keywords","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml"},{"rule_name":"Malicious 
PowerShell Scripts - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Fileless Script Contains Base64 Encoded Content","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml"},{"rule_name":"Recon Using WMI Class","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/recon_using_wmi_class.yml"},{"rule_name":"Detect Mimikatz With PowerShell Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml"},{"rule_name":"Powershell Fileless Process Injection via GetProcAddress","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"06a220b6-7e29-4bd8-9d07-5b4d86742372","atomic_attack_name":"Invoke-AppPathBypass","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - 
ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process 
Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"388a7340-dbc1-4c9d-8e59-b75ad8c6d5da","atomic_attack_name":"Powershell MsXml COM object - with prompt","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious PowerShell IEX Execution 
Patterns","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml"},{"rule_name":"Suspicious PowerShell Parameter Substring","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml"},{"rule_name":"Change PowerShell Policies to an Insecure Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"},{"rule_name":"Powershell MsXml COM Object","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via 
Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"8a2ad40b-12c7-4b25-8521-2737b0a415af","atomic_attack_name":"Powershell invoke mshta.exe download","platform":"Windows","splunk_rules":[{"rule_name":"CMD Carry Out String Command Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing 
Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"686a9785-f99b-41d4-90df-66ed515f81d7","atomic_attack_name":"ATHPowerShellCommandLineParameter -Command parameter variations","platform":"Windows","splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing 
Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"1c0a870f-dc74-49cf-9afc-eccc45e58790","atomic_attack_name":"ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy 
Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"86a43bad-12e3-4e85-b97c-4d5cf25b95c3","atomic_attack_name":"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory 
Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"0d181431-ddf3-4826-8055-2dbf63ae848b","atomic_attack_name":"ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Execution of Powershell with Base64","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing 
Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"6a5b2a50-d037-4879-bf01-43d4d6cbf73f","atomic_attack_name":"SOAPHound - Dump BloodHound Data","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - SOAPHound Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows SOAPHound Binary Execution","rule_link":"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/"},{"rule_name":"User Discovery With Env Vars PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 
Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","atomic_attack_guid":"4099086c-1470-4223-8085-8186e1ed5948","atomic_attack_name":"SOAPHound - Build Cache","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - SOAPHound Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows SOAPHound Binary 
Execution","rule_link":"https://research.splunk.com/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/"},{"rule_name":"User Discovery With Env Vars PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"},{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1069.001","atomic_attack_guid":"1f454dd6-e134-44df-bebb-67de70fb6cd8","atomic_attack_name":"Basic Permission Groups Discovery Windows (Local)","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Suspicious 
Get Local Groups Information","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml"}],"splunk_rules":[{"rule_name":"Net Localgroup Discovery","rule_link":"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/"}]},{"tech_id":"T1069.001","atomic_attack_guid":"e03ada14-0980-4107-aff1-7783b2b59bb1","atomic_attack_name":"SharpHound3 - LocalAdmin","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Suspicious Get Local Groups Information","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml"}],"splunk_rules":[{"rule_name":"Detect SharpHound Usage","rule_link":"https://research.splunk.com/endpoint/dd04b29a-beed-11eb-87bc-acde48001122/"},{"rule_name":"Detect SharpHound Command-Line Arguments","rule_link":"https://research.splunk.com/endpoint/a0bdd2f6-c2ff-11eb-b918-acde48001122/"}]},{"tech_id":"T1069.001","atomic_attack_guid":"7413be50-be8e-430f-ad4d-07bf197884b2","atomic_attack_name":"Wmic Group Discovery","platform":"Windows","sigma_rules":[{"rule_name":"Local Groups Reconnaissance Via Wmic.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml"},{"rule_name":"Suspicious Get Local Groups Information","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml"}],"splunk_rules":[{"rule_name":"Wmic Group Discovery","rule_link":"https://research.splunk.com/endpoint/83317b08-155b-11ec-8e00-acde48001122/"}]},{"tech_id":"T1069.001","atomic_attack_guid":"69119e58-96db-4110-ad27-954e48f3bb13","atomic_attack_name":"WMIObject 
Group Discovery","platform":"Windows","splunk_rules":[{"rule_name":"Get WMIObject Group Discovery","rule_link":"https://research.splunk.com/endpoint/5434f670-155d-11ec-8cca-acde48001122/"},{"rule_name":"Get WMIObject Group Discovery with Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml"}],"sigma_rules":[{"rule_name":"Suspicious Get Local Groups Information - PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml"},{"rule_name":"Suspicious Get Local Groups Information","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml"}]},{"tech_id":"T1069.002","atomic_attack_guid":"6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7","atomic_attack_name":"Permission Groups Discovery PowerShell (Domain)","platform":"Windows","splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1069.002","atomic_attack_guid":"48ddc687-82af-40b7-8472-ff1e742e8274","atomic_attack_name":"Adfind - Query Active Directory Groups","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1069.002","atomic_attack_guid":"3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8","atomic_attack_name":"Enumerate Active Directory Groups with Get-AdGroup","platform":"Windows","splunk_rules":[{"rule_name":"GetAdGroup with PowerShell","rule_link":"https://research.splunk.com/endpoint/872e3063-0fc4-4e68-b2f3-f2b99184a708/"},{"rule_name":"GetAdGroup with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getadgroup_with_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Active Directory Group Enumeration With Get-AdGroup","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1069.002","atomic_attack_guid":"43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8","atomic_attack_name":"Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)","platform":"Windows","splunk_rules":[{"rule_name":"Get ADUser with PowerShell","rule_link":"https://research.splunk.com/endpoint/0b6ee3f4-04e3-11ec-a87d-acde48001122/"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1070.004","atomic_attack_guid":"ded937c4-2add-42f7-9c2c-c742b7a98698","atomic_attack_name":"Delete an entire folder - Windows cmd","platform":"Windows","sigma_rules":[{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"},{"rule_name":"Directory Removal Via Rmdir","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"},{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[{"rule_name":"Windows Indicator Removal Via Rmdir","rule_link":"https://research.splunk.com/endpoint/c4566d2c-b094-48a1-9c59-d66e22065560/"}]},{"tech_id":"T1070.004","atomic_attack_guid":"f723d13d-48dc-4317-9990-cf43a9ac0bf2","atomic_attack_name":"Clears Recycle bin via rd","platform":"Windows","splunk_rules":[{"rule_name":"Recursive Delete of Directory In Batch CMD","rule_link":"https://research.splunk.com/endpoint/ba570b3a-d356-11eb-8358-acde48001122/"}],"sigma_rules":[{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}]},{"tech_id":"T1071.004","atomic_attack_guid":"e7bf9802-2e78-4db9-93b5-181b7bcd37d7","atomic_attack_name":"DNS C2","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - 
ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1078.001","atomic_attack_guid":"aa6cb8c4-b582-4f8e-b677-37733914abda","atomic_attack_name":"Activate Guest Account","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Manipulation Of Default Accounts Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"}],"splunk_rules":[{"rule_name":"Network Connection Discovery With Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"}]},{"tech_id":"T1078.003","atomic_attack_guid":"6904235f-0f55-4039-8aed-41c300ff7733","atomic_attack_name":"Use PsExec to elevate to NT Authority\\SYSTEM account","platform":"Windows","sigma_rules":[{"rule_name":"Psexec Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml"},{"rule_name":"Potential Execution of Sysinternals 
Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml"}],"splunk_rules":[{"rule_name":"Detect PsExec With accepteula Flag","rule_link":"https://research.splunk.com/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/"}]},{"tech_id":"T1082","atomic_attack_guid":"07b18a66-6304-47d2-bad0-ef421eb2e107","atomic_attack_name":"WinPwn - PowerSharpPack - Watson searching for missing windows patches","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell 
DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1082","atomic_attack_guid":"efb79454-1101-4224-a4d0-30c9c8b29ffc","atomic_attack_name":"WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1082","atomic_attack_guid":"5c16ceb4-ba3a-43d7-b848-a13c1f216d95","atomic_attack_name":"WinPwn - PowerSharpPack - 
Seatbelt","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1082","atomic_attack_guid":"2040405c-eea6-4c1c-aef3-c2acc430fac9","atomic_attack_name":"ESXi - VM Discovery using ESXCLI","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1082","atomic_attack_guid":"f89812e5-67d1-4f49-86fa-cbc6609ea86a","atomic_attack_name":"ESXi - Darkside system information discovery","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1083","atomic_attack_guid":"4a233a40-caf7-4cf1-890a-c6331bbc72cf","atomic_attack_name":"ESXi - Enumerate VMDKs available on an ESXi Host","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"},{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1087.001","atomic_attack_guid":"a138085e-bfe5-46ba-a242-74a6fb884af3","atomic_attack_name":"Enumerate logged on users via CMD (Local)","platform":"Windows","splunk_rules":[{"rule_name":"System User Discovery With Query","rule_link":"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/"}],"sigma_rules":[{"rule_name":"Cisco Collect 
Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}]},{"tech_id":"T1087.001","atomic_attack_guid":"9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c","atomic_attack_name":"ESXi - Local Account Discovery via ESXCLI","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"},{"rule_name":"Cisco Collect Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1087.002","atomic_attack_guid":"6fbc9e68-5ad7-444a-bd11-8bf3136c477e","atomic_attack_name":"Enumerate all accounts (Domain)","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Suspicious Group And Account Reconnaissance Activity Using Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[{"rule_name":"Domain Group Discovery With Net","rule_link":"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/"}]},{"tech_id":"T1087.002","atomic_attack_guid":"161dcd85-d014-4f5e-900c-d3eaae82a0f7","atomic_attack_name":"Enumerate logged on users via CMD (Domain)","platform":"Windows","splunk_rules":[{"rule_name":"System User Discovery With Query","rule_link":"https://research.splunk.com/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1087.002","atomic_attack_guid":"e1ec8d20-509a-4b9a-b820-06c9b2da8eb7","atomic_attack_name":"Adfind - Enumerate Active Directory User Objects","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1087.002","atomic_attack_guid":"c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef","atomic_attack_name":"Enumerate Default Domain Admin Details (Domain)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Manipulation Of 
Default Accounts Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[{"rule_name":"Account Discovery With Net App","rule_link":"https://research.splunk.com/endpoint/339805ce-ac30-11eb-b87d-acde48001122/"},{"rule_name":"Domain Account Discovery With Net App","rule_link":"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/"},{"rule_name":"Network Connection Discovery With Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"}]},{"tech_id":"T1087.002","atomic_attack_guid":"394012d9-2164-4d4f-b9e5-acf30ba933fe","atomic_attack_name":"Suspicious LAPS Attributes Query with Get-ADComputer all properties","platform":"Windows","splunk_rules":[{"rule_name":"GetAdComputer with PowerShell","rule_link":"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/"}],"sigma_rules":[{"rule_name":"Active Directory Computers Enumeration With Get-AdComputer","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1087.002","atomic_attack_guid":"6e85bdf9-7bc4-4259-ac0f-f0cb39964443","atomic_attack_name":"Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property","platform":"Windows","splunk_rules":[{"rule_name":"GetAdComputer with 
PowerShell","rule_link":"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/"}],"sigma_rules":[{"rule_name":"Active Directory Computers Enumeration With Get-AdComputer","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1087.002","atomic_attack_guid":"ffbcfd62-15d6-4989-a21a-80bfc8e58bb5","atomic_attack_name":"Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope","platform":"Windows","splunk_rules":[{"rule_name":"GetAdComputer with PowerShell","rule_link":"https://research.splunk.com/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/"}],"sigma_rules":[{"rule_name":"Active Directory Computers Enumeration With Get-AdComputer","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1095","atomic_attack_guid":"0268e63c-e244-42db-bef7-72a9e59fc1fc","atomic_attack_name":"ICMP C2","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"PowerShell Web 
Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Suspicious DNS Z Flag Bit Set","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1095","atomic_attack_guid":"3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e","atomic_attack_name":"Powercat C2","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious Program Names","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands 
And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Suspicious DNS Z Flag Bit Set","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1105","atomic_attack_guid":"dd3b61dd-7bbc-48cd-ab51-49ad1a776df0","atomic_attack_name":"certutil download (urlcache)","platform":"Windows","splunk_rules":[{"rule_name":"CMD Carry Out String Command Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"}],"sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"Suspicious Download Via Certutil.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"},{"rule_name":"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"}]},{"tech_id":"T1105","atomic_attack_guid":"a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b","atomic_attack_name":"Windows - BITSAdmin BITS Download","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Download From File-Sharing Website Via Bitsadmin","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"},{"rule_name":"File Download Via Bitsadmin To A Suspicious 
Target Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"},{"rule_name":"File Download Via Bitsadmin To An Uncommon Target Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"},{"rule_name":"File With Suspicious Extension Downloaded Via Bitsadmin","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"File Download Via Bitsadmin","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"}],"splunk_rules":[{"rule_name":"BITSAdmin Download File","rule_link":"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/"}]},{"tech_id":"T1105","atomic_attack_guid":"42dc4460-9aa6-45d3-b1a6-3955d34e1fe8","atomic_attack_name":"Windows - PowerShell Download","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell DownloadFile","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml"},{"rule_name":"PowerShell 
Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadFile","rule_link":"https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/"}]},{"tech_id":"T1105","atomic_attack_guid":"54a4daf1-71df-4383-9ba7-f1a295d8b6d2","atomic_attack_name":"File Download via PowerShell","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1105","atomic_attack_guid":"b1729c57-9384-4d1c-9b99-9b220afb384e","atomic_attack_name":"Nimgrab - Transfer Files","platform":"Windows","splunk_rules":[{"rule_name":"CMD Carry Out String Command 
Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"}],"sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}]},{"tech_id":"T1105","atomic_attack_guid":"66ee226e-64cb-4dae-80e3-5bf5763e4a51","atomic_attack_name":"Arbitrary file download using the Notepad++ GUP.exe binary","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious GUP Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"},{"rule_name":"File Download Using Notepad++ GUP Utility","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_download.yml"},{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"}]},{"tech_id":"T1106","atomic_attack_guid":"ce4e76e6-de70-4392-9efe-b281fc2b4087","atomic_attack_name":"WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution 
Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1106","atomic_attack_guid":"7ec5b74e-8289-4ff2-a162-b6f286a33abd","atomic_attack_name":"WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - 
ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1106","atomic_attack_guid":"e1f93a06-1649-4f07-89a8-f57279a7d60e","atomic_attack_name":"WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute 
Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1110.001","atomic_attack_guid":"ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5","atomic_attack_name":"ESXi - Brute Force Until Account Lockout","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1110.002","atomic_attack_guid":"6d27df5d-69d4-4c91-bc33-5983ffe91692","atomic_attack_name":"Password Cracking with Hashcat","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Hashcat Password Cracker 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml"}],"splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}]},{"tech_id":"T1112","atomic_attack_guid":"f3a6cceb-06c9-48e5-8df8-8867a6814245","atomic_attack_name":"Change Powershell Execution Policy to Bypass","platform":"Windows","sigma_rules":[{"rule_name":"Change PowerShell Policies to an Insecure Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"}]},{"tech_id":"T1112","atomic_attack_guid":"ecbd533e-b45d-4239-aeff-b857c6f6d68b","atomic_attack_name":"Flush Shimcache","platform":"Windows","sigma_rules":[{"rule_name":"ShimCache Flush","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml"}],"splunk_rules":[{"rule_name":"Rundll32 Shimcache Flush","rule_link":"https://research.splunk.com/endpoint/a913718a-25b6-11ec-96d3-acde48001122/"}]},{"tech_id":"T1114.001","atomic_attack_guid":"3f1b5096-0139-4736-9b78-19bcb02bb1cb","atomic_attack_name":"Email Collection with PowerShell Get-Inbox","platform":"Windows","sigma_rules":[{"rule_name":"Use Short Name Path in Command Line","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"},{"rule_name":"Script Interpreter Execution From Suspicious 
Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"},{"rule_name":"Suspicious Script Execution From Temp Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml"},{"rule_name":"Change PowerShell Policies to an Insecure Level","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"},{"rule_name":"Powershell Local Email Collection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml"}],"splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"}]},{"tech_id":"T1124","atomic_attack_guid":"d5d5a6b0-0f92-42d8-985d-47aafa2dd4db","atomic_attack_name":"System Time Discovery W32tm as a Delay","platform":"Windows","sigma_rules":[{"rule_name":"Use of W32tm as Timer","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"}],"splunk_rules":[{"rule_name":"Windows System Time Discovery W32tm Delay","rule_link":"https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/"}]},{"tech_id":"T1129","atomic_attack_guid":"7f843046-abf2-443f-b880-07a83cf968ec","atomic_attack_name":"ESXi - Install a custom VIB on an ESXi host","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with 
Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"},{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}]},{"tech_id":"T1134.002","atomic_attack_guid":"ccf4ac39-ec93-42be-9035-90e2f26bcd92","atomic_attack_name":"WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell 
DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1134.005","atomic_attack_guid":"6bef32e5-9456-4072-8f14-35566fb85401","atomic_attack_name":"Injection SID-History with mimikatz","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"}],"splunk_rules":[{"rule_name":"Windows Mimikatz Binary Execution","rule_link":"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/"}]},{"tech_id":"T1136.001","atomic_attack_guid":"6657864e-0323-4206-9344-ac9cd7265a4f","atomic_attack_name":"Create a new user in a command prompt","platform":"Windows","sigma_rules":[{"rule_name":"New User Created Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"},{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[{"rule_name":"Network Connection Discovery With Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"}]},{"tech_id":"T1136.001","atomic_attack_guid":"fda74566-a604-4581-a4cc-fbbe21d66559","atomic_attack_name":"Create a new Windows admin user","platform":"Windows","sigma_rules":[{"rule_name":"User Added to Local Administrators Group","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"},{"rule_name":"Net.EXE 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"},{"rule_name":"New User Created Via Net.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"}],"splunk_rules":[{"rule_name":"Net Localgroup Discovery","rule_link":"https://research.splunk.com/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/"}]},{"tech_id":"T1136.001","atomic_attack_guid":"2170d9b5-bacd-4819-a952-da76dae0815f","atomic_attack_name":"Create a new Windows admin user via .NET","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And 
Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1136.002","atomic_attack_guid":"fcec2963-9951-4173-9bfa-98d8b7834e62","atomic_attack_name":"Create a new Windows domain admin user","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[{"rule_name":"Domain Group Discovery With Net","rule_link":"https://research.splunk.com/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/"},{"rule_name":"Elevated Group Discovery With Net","rule_link":"https://research.splunk.com/endpoint/a23a0e20-0b1b-4a07-82e5-ec5f70811e7a/"}]},{"tech_id":"T1136.002","atomic_attack_guid":"dc7726d2-8ccb-4cc6-af22-0d5afb53a548","atomic_attack_name":"Create a new account similar to ANONYMOUS LOGON","platform":"Windows","sigma_rules":[{"rule_name":"New User Created Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"},{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[{"rule_name":"Network Connection Discovery With Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"},{"rule_name":"Domain Account Discovery With Net 
App","rule_link":"https://research.splunk.com/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/"}]},{"tech_id":"T1187","atomic_attack_guid":"7f06b25c-799e-40f1-89db-999c9cc84317","atomic_attack_name":"WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1195","atomic_attack_guid":"82a9f001-94c5-495e-9ed5-f530dbded5e2","atomic_attack_name":"Octopus Scanner Malware Open 
Source Supply Chain","platform":"Windows","sigma_rules":[{"rule_name":"Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"},{"rule_name":"Suspicious Copy From or To System Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"},{"rule_name":"Scheduled Task Creation Via Schtasks.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml"}],"splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}]},{"tech_id":"T1197","atomic_attack_guid":"3c73d728-75fb-4180-a12f-6712864d7421","atomic_attack_name":"Bitsadmin Download (cmd)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Download From File-Sharing Website Via Bitsadmin","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"},{"rule_name":"File Download Via Bitsadmin To A Suspicious Target Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"},{"rule_name":"File Download Via Bitsadmin To An Uncommon Target Folder","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"},{"rule_name":"File With Suspicious Extension Downloaded Via Bitsadmin","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"},{"rule_name":"File Download Via 
Bitsadmin","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"}],"splunk_rules":[{"rule_name":"BITSAdmin Download File","rule_link":"https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/"}]},{"tech_id":"T1197","atomic_attack_guid":"f63b8bc4-07e5-4112-acba-56f646f3f0bc","atomic_attack_name":"Bitsadmin Download (PowerShell)","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"PowerShell Start-BitsTransfer","rule_link":"https://research.splunk.com/endpoint/39e2605a-90d8-11eb-899e-acde48001122/"}]},{"tech_id":"T1197","atomic_attack_guid":"afb5e09e-e385-4dee-9a94-6ee60979d114","atomic_attack_name":"Bits download using desktopimgdownldr.exe (cmd)","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Desktopimgdownldr Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"}],"splunk_rules":[{"rule_name":"CMD Carry Out String Command Parameter","rule_link":"https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/"}]},{"tech_id":"T1201","atomic_attack_guid":"46c2c362-2679-4ef5-aec9-0e958e135be4","atomic_attack_name":"Examine domain password policy - Windows","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"},{"rule_name":"Suspicious Group And Account Reconnaissance Activity Using Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"}],"splunk_rules":[{"rule_name":"Password 
Policy Discovery with Net","rule_link":"https://research.splunk.com/endpoint/09336538-065a-11ec-8665-acde48001122/"}]},{"tech_id":"T1201","atomic_attack_guid":"b2698b33-984c-4a1c-93bb-e4ba72a0babb","atomic_attack_name":"Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy","platform":"Windows","splunk_rules":[{"rule_name":"Get ADDefaultDomainPasswordPolicy with Powershell","rule_link":"https://research.splunk.com/endpoint/36e46ebe-065a-11ec-b4c7-acde48001122/"},{"rule_name":"Get ADDefaultDomainPasswordPolicy with Powershell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml"}],"sigma_rules":[{"rule_name":"Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"}]},{"tech_id":"T1216","atomic_attack_guid":"275d963d-3f36-476c-8bef-a2a3960ee6eb","atomic_attack_name":"SyncAppvPublishingServer Signed Script PowerShell Command Execution","platform":"Windows","sigma_rules":[{"rule_name":"WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml"},{"rule_name":"SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"}],"splunk_rules":[{"rule_name":"Windows System Script Proxy Execution Syncappvpublishingserver","rule_link":"https://research.splunk.com/endpoint/8dd73f89-682d-444c-8b41-8e679966ad3c/"}]},{"tech_id":"T1218","atomic_attack_guid":"c426dacf-575d-4937-8611-a148a86a5e61","atomic_attack_name":"mavinject - Inject DLL into running 
process","platform":"Windows","sigma_rules":[{"rule_name":"Mavinject Inject DLL Into Running Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[{"rule_name":"Windows Binary Proxy Execution Mavinject DLL Injection","rule_link":"https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/"}]},{"tech_id":"T1218","atomic_attack_guid":"4cc40fd7-87b8-4b16-b2d7-57534b86b911","atomic_attack_name":"Renamed Microsoft.Workflow.Compiler.exe Payload Executions","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Process Masquerading As SvcHost.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml"},{"rule_name":"Uncommon Svchost Parent Process","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml"},{"rule_name":"System File Execution Location Anomaly","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[{"rule_name":"System Processes Run From Unexpected Locations","rule_link":"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/"}]},{"tech_id":"T1218","atomic_attack_guid":"0e1483ba-8f0c-425d-b8c6-42736e058eaa","atomic_attack_name":"DiskShadow Command 
Execution","platform":"Windows","sigma_rules":[{"rule_name":"Diskshadow Script Mode Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml"},{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[{"rule_name":"Windows Diskshadow Proxy Execution","rule_link":"https://research.splunk.com/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/"}]},{"tech_id":"T1218.001","atomic_attack_guid":"5cb87818-0d7c-4469-b7ef-9224107aebe8","atomic_attack_name":"Compiled HTML Help Local Payload","platform":"Windows","sigma_rules":[{"rule_name":"HH.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"}],"splunk_rules":[{"rule_name":"System Processes Run From Unexpected Locations","rule_link":"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/"}]},{"tech_id":"T1218.001","atomic_attack_guid":"0f8af516-9818-4172-922b-42986ef1e81d","atomic_attack_name":"Compiled HTML Help Remote Payload","platform":"Windows","sigma_rules":[{"rule_name":"HH.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"},{"rule_name":"Remote CHM File Download/Execution Via HH.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"}],"splunk_rules":[{"rule_name":"System Processes Run From Unexpected Locations","rule_link":"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/"},{"rule_name":"Detect HTML Help URL in Command 
Line","rule_link":"https://research.splunk.com/endpoint/8c5835b9-39d9-438b-817c-95f14c69a31e/"}]},{"tech_id":"T1218.001","atomic_attack_guid":"15756147-7470-4a83-87fb-bb5662526247","atomic_attack_name":"Invoke CHM Shortcut Command with ITS and Help Topic","platform":"Windows","splunk_rules":[{"rule_name":"Malicious PowerShell Process - Execution Policy Bypass","rule_link":"https://research.splunk.com/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/"}],"sigma_rules":[]},{"tech_id":"T1218.001","atomic_attack_guid":"20cb05e0-1fa5-406d-92c1-84da4ba01813","atomic_attack_name":"Decompile Local CHM File","platform":"Windows","sigma_rules":[{"rule_name":"HH.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"},{"rule_name":"Suspicious HH.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"}],"splunk_rules":[{"rule_name":"System Processes Run From Unexpected Locations","rule_link":"https://research.splunk.com/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/"},{"rule_name":"Windows System Binary Proxy Execution Compiled HTML File Decompile","rule_link":"https://research.splunk.com/endpoint/2acf0e19-4149-451c-a3f3-39cd3c77e37d/"}]},{"tech_id":"T1218.007","atomic_attack_guid":"0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d","atomic_attack_name":"Msiexec.exe - Execute the DllRegisterServer function of a DLL","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Msiexec Execute Arbitrary DLL","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"}],"splunk_rules":[{"rule_name":"Windows MSIExec DLLRegisterServer","rule_link":"https://research.splunk.com/endpoint/fdb59aef-d88f-4909-8369-ec2afbd2c398/"}]},{"tech_id":"T1218.007","atomic_attack_guid":"ab09ec85-4955-4f9c-b8e0-6851baf4d47f","atomic_attack_name":"Msiexec.exe - Execute the 
DllUnregisterServer function of a DLL","platform":"Windows","sigma_rules":[{"rule_name":"DllUnregisterServer Function Call Via Msiexec.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"}],"splunk_rules":[{"rule_name":"Windows MSIExec Unregister DLLRegisterServer","rule_link":"https://research.splunk.com/endpoint/a27db3c5-1a9a-46df-a577-765d3f1a3c24/"}]},{"tech_id":"T1218.007","atomic_attack_guid":"44a4bedf-ffe3-452e-bee4-6925ab125662","atomic_attack_name":"Msiexec.exe - Execute Remote MSI file","platform":"Windows","sigma_rules":[{"rule_name":"Msiexec Quiet Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"},{"rule_name":"Suspicious Msiexec Quiet Install From Remote Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml"}],"splunk_rules":[{"rule_name":"Windows MSIExec Remote Download","rule_link":"https://research.splunk.com/endpoint/6aa49ff2-3c92-4586-83e0-d83eb693dfda/"}]},{"tech_id":"T1218.008","atomic_attack_guid":"2430498b-06c0-4b92-a448-8ad263c388e2","atomic_attack_name":"Odbcconf.exe - Execute Arbitrary DLL","platform":"Windows","sigma_rules":[{"rule_name":"New DLL Registered Via Odbcconf.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"}],"splunk_rules":[{"rule_name":"Windows Odbcconf Hunting","rule_link":"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/"},{"rule_name":"Windows Odbcconf Load DLL","rule_link":"https://research.splunk.com/endpoint/141e7fca-a9f0-40fd-a539-9aac8be41f1b/"}]},{"tech_id":"T1218.008","atomic_attack_guid":"331ce274-f9c9-440b-9f8c-a1006e1fce0b","atomic_attack_name":"Odbcconf.exe - Load Response 
File","platform":"Windows","sigma_rules":[{"rule_name":"Response File Execution Via Odbcconf.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"}],"splunk_rules":[{"rule_name":"Windows Odbcconf Load Response File","rule_link":"https://research.splunk.com/endpoint/1acafff9-1347-4b40-abae-f35aa4ba85c1/"},{"rule_name":"Windows Odbcconf Hunting","rule_link":"https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/"}]},{"tech_id":"T1218.010","atomic_attack_guid":"449aa403-6aba-47ce-8a37-247d21ef0306","atomic_attack_name":"Regsvr32 local COM scriptlet execution","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Potential Regsvr32 Commandline Flag Anomaly","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml"}],"splunk_rules":[{"rule_name":"Detect Regsvr32 Application Control Bypass","rule_link":"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/"}]},{"tech_id":"T1218.010","atomic_attack_guid":"c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36","atomic_attack_name":"Regsvr32 remote COM scriptlet execution","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Potential Regsvr32 Commandline Flag Anomaly","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml"},{"rule_name":"Potentially Suspicious Regsvr32 HTTP/FTP 
Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"}],"splunk_rules":[{"rule_name":"Detect Regsvr32 Application Control Bypass","rule_link":"https://research.splunk.com/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/"}]},{"tech_id":"T1218.010","atomic_attack_guid":"1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421","atomic_attack_name":"Regsvr32 Registering Non DLL","platform":"Windows","sigma_rules":[{"rule_name":"Scripting/CommandLine Process Spawned Regsvr32","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"},{"rule_name":"Regsvr32 DLL Execution With Suspicious File Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"},{"rule_name":"Regsvr32 Execution From Potential Suspicious Location","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml"},{"rule_name":"Regsvr32 DLL Execution With Uncommon Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml"}],"splunk_rules":[{"rule_name":"Suspicious Regsvr32 Register Suspicious Path","rule_link":"https://research.splunk.com/endpoint/62732736-6250-11eb-ae93-0242ac130002/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"32d1cf1b-cbc2-4c09-8d05-07ec5c83a821","atomic_attack_name":"Rundll32 execute VBscript command using Ordinal number","platform":"Windows","sigma_rules":[{"rule_name":"Wscript Shell Run In CommandLine","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"},{"rule_name":"DLL Call by Ordinal Via 
Rundll32.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"},{"rule_name":"Mshtml.DLL RunHTMLApplication Suspicious Usage","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[{"rule_name":"RunDLL Loading DLL By Ordinal","rule_link":"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"d91cae26-7fc1-457b-a854-34c8aad48c89","atomic_attack_name":"Rundll32 advpack.dll Execution","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[{"rule_name":"Detect Rundll32 Application Control Bypass - advpack","rule_link":"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"5e46a58e-cbf6-45ef-a289-ed7754603df9","atomic_attack_name":"Rundll32 ieadvpack.dll Execution","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[{"rule_name":"Detect Rundll32 Application Control Bypass - advpack","rule_link":"https://research.splunk.com/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"41fa324a-3946-401e-bbdd-d7991c628125","atomic_attack_name":"Rundll32 syssetup.dll 
Execution","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[{"rule_name":"Detect Rundll32 Application Control Bypass - syssetup","rule_link":"https://research.splunk.com/endpoint/71b9bf37-cde1-45fb-b899-1b0aa6fa1183/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"71d771cd-d6b3-4f34-bc76-a63d47a10b19","atomic_attack_name":"Rundll32 setupapi.dll Execution","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[{"rule_name":"Detect Rundll32 Application Control Bypass - setupapi","rule_link":"https://research.splunk.com/endpoint/61e7b44a-6088-4f26-b788-9a96ba13b37a/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"ae3a8605-b26e-457c-b6b3-2702fd335bac","atomic_attack_name":"Execution of non-dll using rundll32.exe","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Rundll32 Execution With Image Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml"},{"rule_name":"Potentially Suspicious PowerShell Child Processes","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"},{"rule_name":"Rundll32 Execution With Uncommon DLL Extension","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"},{"rule_name":"Suspicious Rundll32 
StartW","rule_link":"https://research.splunk.com/endpoint/9319dda5-73f2-4d43-a85a-67ce961bddb7/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"9fd5a74b-ba89-482a-8a3e-a5feaa3697b0","atomic_attack_name":"Rundll32 with Ordinal Value","platform":"Windows","sigma_rules":[{"rule_name":"DLL Call by Ordinal Via Rundll32.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"}],"splunk_rules":[{"rule_name":"RunDLL Loading DLL By Ordinal","rule_link":"https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/"}]},{"tech_id":"T1218.011","atomic_attack_guid":"e4c04b6f-c492-4782-82c7-3bf75eb8077e","atomic_attack_name":"Rundll32 with Control_RunDLL","platform":"Windows","sigma_rules":[{"rule_name":"Potentially Suspicious Rundll32 Activity","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"}],"splunk_rules":[{"rule_name":"Rundll32 Control RunDLL Hunt","rule_link":"https://research.splunk.com/endpoint/c8e7ced0-10c5-11ec-8b03-acde48001122/"}]},{"tech_id":"T1219","atomic_attack_guid":"6b8b7391-5c0a-4f8c-baee-78d8ce0ce330","atomic_attack_name":"AnyDesk Files Detected Test on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars 
PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"}]},{"tech_id":"T1219","atomic_attack_guid":"1b72b3bd-72f8-4b63-a30b-84e91b9c3578","atomic_attack_name":"GoToAssist Files Detected Test on Windows","platform":"Windows","sigma_rules":[{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"Suspicious Invoke-WebRequest Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell","rule_link":"https://research.splunk.com/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/"}]},{"tech_id":"T1482","atomic_attack_guid":"d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec","atomic_attack_name":"Adfind - Enumerate Active Directory OUs","platform":"Windows","sigma_rules":[{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Renamed AdFind Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"}],"splunk_rules":[{"rule_name":"Windows AdFind 
Exe","rule_link":"https://research.splunk.com/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/"}]},{"tech_id":"T1482","atomic_attack_guid":"ea1b4f2d-5b82-4006-b64f-f2845608a3bf","atomic_attack_name":"TruffleSnout - Listing AD Infrastructure","platform":"Windows","splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}],"sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}]},{"tech_id":"T1485","atomic_attack_guid":"476419b5-aebf-4366-a131-ae3e8dae5fc2","atomic_attack_name":"Windows - Overwrite file with SysInternals SDelete","platform":"Windows","splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}],"sigma_rules":[]},{"tech_id":"T1485","atomic_attack_guid":"1207ddff-f25b-41b3-aa0e-7c26d2b546d1","atomic_attack_name":"ESXi - Delete VM Snapshots","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1491.001","atomic_attack_guid":"30905f21-34f3-4504-8b4c-f7a5e314b810","atomic_attack_name":"ESXi - Change Welcome Message on Direct Console User Interface (DCUI)","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool 
Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1505.004","atomic_attack_guid":"53adbdfa-8200-490c-871c-d3b1ab3324b2","atomic_attack_name":"Install IIS Module using AppCmd.exe","platform":"Windows","sigma_rules":[{"rule_name":"IIS Native-Code Module Command Line Installation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"}],"splunk_rules":[{"rule_name":"Windows IIS Components Add New Module","rule_link":"https://research.splunk.com/endpoint/38fe731c-1f13-43d4-b878-a5bbe44807e3/"}]},{"tech_id":"T1518.001","atomic_attack_guid":"e31564c8-4c60-40cd-a8f4-9261307e8336","atomic_attack_name":"Get Windows Defender exclusion settings using WMIC","platform":"Windows","splunk_rules":[{"rule_name":"Remote WMI Command Attempt","rule_link":"https://research.splunk.com/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/"}],"sigma_rules":[]},{"tech_id":"T1529","atomic_attack_guid":"987c9b4d-a637-42db-b1cb-e9e242c3991b","atomic_attack_name":"ESXi - Terminates VMs using pkill","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1529","atomic_attack_guid":"189f7d6e-9442-4160-9bc3-5e4104d93ece","atomic_attack_name":"ESXi - Avoslocker enumerates VMs and forcefully kills VMs","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling 
Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1529","atomic_attack_guid":"622cc1a0-45e7-428c-aed7-c96dd605fbe6","atomic_attack_name":"ESXi - vim-cmd Used to Power Off VMs","platform":"Windows","sigma_rules":[{"rule_name":"Tunneling Tool Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Protocol Tunneling with Plink","rule_link":"https://research.splunk.com/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/"}]},{"tech_id":"T1531","atomic_attack_guid":"1b99ef28-f83c-4ec5-8a08-1a56263a5bb2","atomic_attack_name":"Change User Password - Windows","platform":"Windows","sigma_rules":[{"rule_name":"Net.EXE Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml"}],"splunk_rules":[{"rule_name":"Network Connection Discovery With Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"}]},{"tech_id":"T1531","atomic_attack_guid":"f21a1d7d-a62f-442a-8c3a-2440d43b19e5","atomic_attack_name":"Delete User - Windows","platform":"Windows","sigma_rules":[{"rule_name":"New User Created Via Net.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"}],"splunk_rules":[{"rule_name":"Network Connection Discovery With 
Net","rule_link":"https://research.splunk.com/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/"}]},{"tech_id":"T1543.003","atomic_attack_guid":"fb4151a2-db33-4f8c-b7f8-78ea8790f961","atomic_attack_name":"Remote Service Installation CMD","platform":"Windows","sigma_rules":[{"rule_name":"New Service Creation Using Sc.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml"},{"rule_name":"Suspicious New Service Creation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"}],"splunk_rules":[{"rule_name":"Windows Service Creation on Remote Endpoint","rule_link":"https://research.splunk.com/endpoint/e0eea4fa-4274-11ec-882b-3e22fbd008af/"},{"rule_name":"Windows Service Initiation on Remote Endpoint","rule_link":"https://research.splunk.com/endpoint/3f519894-4276-11ec-ab02-3e22fbd008af/"},{"rule_name":"Windows Remote Create Service","rule_link":"https://research.splunk.com/endpoint/0dc44d03-8c00-482d-ba7c-796ba7ab18c9/"}]},{"tech_id":"T1546.003","atomic_attack_guid":"29786d7e-8916-4de6-9c55-be7b093b2706","atomic_attack_name":"Windows MOFComp.exe Load MOF File","platform":"Windows","sigma_rules":[{"rule_name":"Potential Suspicious Mofcomp Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"}],"splunk_rules":[{"rule_name":"Windows MOF Event Triggered Execution via WMI","rule_link":"https://research.splunk.com/endpoint/e59b5a73-32bf-4467-a585-452c36ae10c1/"}]},{"tech_id":"T1548.002","atomic_attack_guid":"f7a35090-6f7f-4f64-bb47-d657bf5b10c1","atomic_attack_name":"Bypass UAC by Mocking Trusted Directories","platform":"Windows","sigma_rules":[{"rule_name":"Suspicious Copy From or To System 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"}],"splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"}]},{"tech_id":"T1548.002","atomic_attack_guid":"2b61977b-ae2d-4ae4-89cb-5c36c89586be","atomic_attack_name":"WinPwn - UAC Bypass DccwBypassUAC technique","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1550.002","atomic_attack_guid":"ec23cef9-27d9-46e4-a68d-6f75f7b86908","atomic_attack_name":"Mimikatz Pass the 
Hash","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"}],"splunk_rules":[{"rule_name":"Windows Mimikatz Binary Execution","rule_link":"https://research.splunk.com/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/"}]},{"tech_id":"T1550.003","atomic_attack_guid":"dbf38128-7ba7-4776-bedf-cc2eed432098","atomic_attack_name":"Mimikatz Kerberos Ticket Attack","platform":"Windows","sigma_rules":[{"rule_name":"HackTool - Mimikatz Execution","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"}],"splunk_rules":[{"rule_name":"Mimikatz PassTheTicket CommandLine Parameters","rule_link":"https://research.splunk.com/endpoint/13bbd574-83ac-11ec-99d4-acde48001122/"}]},{"tech_id":"T1552.001","atomic_attack_guid":"b0cdacf6-8949-4ffe-9274-a9643a788e55","atomic_attack_name":"List Credential Files via Command Prompt","platform":"Windows","splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"}],"sigma_rules":[]},{"tech_id":"T1552.004","atomic_attack_guid":"520ce462-7ca7-441e-b5a5-f8347f632696","atomic_attack_name":"Private Keys","platform":"Windows","sigma_rules":[{"rule_name":"Private Keys Reconnaissance Via CommandLine Tools","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml"},{"rule_name":"File And SubFolder Enumeration Via Dir Command","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml"}],"splunk_rules":[{"rule_name":"Windows Private Keys 
Discovery","rule_link":"https://research.splunk.com/endpoint/5c1c2877-06c0-40ee-a1a2-db71f1372b5b/"}]},{"tech_id":"T1552.006","atomic_attack_guid":"870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f","atomic_attack_name":"GPP Passwords (findstr)","platform":"Windows","sigma_rules":[{"rule_name":"Potential Password Reconnaissance Via Findstr.EXE","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml"},{"rule_name":"Findstr GPP Passwords","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml"}],"splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"},{"rule_name":"Windows Findstr GPP Discovery","rule_link":"https://research.splunk.com/endpoint/1631ac2d-f2a9-42fa-8a59-d6e210d472f5/"}]},{"tech_id":"T1555.003","atomic_attack_guid":"e5e3d639-6ea8-4408-9ecd-d5a286268ca0","atomic_attack_name":"WinPwn - PowerSharpPack - Sharpweb for Browser Credentials","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1555.004","atomic_attack_guid":"fa714db1-63dd-479e-a58e-7b2b52ca5997","atomic_attack_name":"WinPwn - Loot local Credentials - Invoke-WCMDump","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download 
Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1558.003","atomic_attack_guid":"14625569-6def-4497-99ac-8e7817105b55","atomic_attack_name":"Rubeus kerberoast","platform":"Windows","splunk_rules":[{"rule_name":"Rubeus Command Line Parameters","rule_link":"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/"},{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}],"sigma_rules":[]},{"tech_id":"T1558.003","atomic_attack_guid":"e6f4affd-d826-4871-9a62-6c9004b8fe06","atomic_attack_name":"Extract all accounts in use as SPN using setspn","platform":"Windows","splunk_rules":[{"rule_name":"ServicePrincipalNames Discovery with SetSPN","rule_link":"https://research.splunk.com/endpoint/ae8b3efc-2d2e-11ec-8b57-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1558.003","atomic_attack_guid":"29094950-2c96-4cbd-b5e4-f7c65079678f","atomic_attack_name":"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell 
Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1558.004","atomic_attack_guid":"615bd568-2859-41b5-9aed-61f6a88e48dd","atomic_attack_name":"Rubeus asreproast","platform":"Windows","splunk_rules":[{"rule_name":"Rubeus Command Line Parameters","rule_link":"https://research.splunk.com/endpoint/cca37478-8377-11ec-b59a-acde48001122/"},{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}],"sigma_rules":[]},{"tech_id":"T1558.004","atomic_attack_guid":"8c385f88-4d47-4c9a-814d-93d9deec8c71","atomic_attack_name":"WinPwn - PowerSharpPack - Kerberoasting Using Rubeus","platform":"Windows","sigma_rules":[{"rule_name":"PowerShell Download and Execution 
Cradles","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"PowerShell Web Download","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Any Powershell DownloadString","rule_link":"https://research.splunk.com/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/"}]},{"tech_id":"T1560.001","atomic_attack_guid":"d1334303-59cb-4a03-8313-b3e24d02c198","atomic_attack_name":"Compress Data and lock with password for Exfiltration with 7zip","platform":"Windows","splunk_rules":[{"rule_name":"Windows Password Managers Discovery","rule_link":"https://research.splunk.com/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/"}],"sigma_rules":[]},{"tech_id":"T1562.001","atomic_attack_guid":"871438ac-7d6e-432a-b27d-3e7db69faf58","atomic_attack_name":"Disable Windows 
Defender with DISM","platform":"Windows","sigma_rules":[{"rule_name":"Dism Remove Online Package","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml"}],"splunk_rules":[{"rule_name":"Windows DISM Remove Defender","rule_link":"https://research.splunk.com/endpoint/8567da9e-47f0-11ec-99a9-acde48001122/"}]},{"tech_id":"T1001.002","atomic_attack_guid":"4ff61684-ad91-405c-9fbc-048354ff1d07","atomic_attack_name":"Execute Embedded Script in Image via Steganography","platform":"Linux","sigma_rules":[{"rule_name":"Linux Base64 Encoded Pipe to Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"},{"rule_name":"Linux Shell Pipe to Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1003.007","atomic_attack_guid":"7e91138a-8e74-456d-a007-973d67a0bb80","atomic_attack_name":"Dump individual process memory with sh (Local)","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1003.007","atomic_attack_guid":"fa37b633-e097-4415-b2b8-c5bf4c86e423","atomic_attack_name":"Dump individual process memory with sh on FreeBSD (Local)","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1003.007","atomic_attack_guid":"437b2003-a20d-4ed8-834c-4964f24eec63","atomic_attack_name":"Dump individual process memory with Python (Local)","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive 
Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1003.008","atomic_attack_guid":"3723ab77-c546-403c-8fb4-bb577033b235","atomic_attack_name":"Access /etc/shadow (Local)","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1003.008","atomic_attack_guid":"60e860b6-8ae6-49db-ad07-5e73edd88f5d","atomic_attack_name":"Access /etc/passwd (Local)","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"158bd4dd-6359-40ab-b13c-285b9ef6fa25","atomic_attack_name":"Remote System Discovery - ip neighbour","platform":"Linux","sigma_rules":[{"rule_name":"System Network Discovery - Linux","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","atomic_attack_guid":"1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1","atomic_attack_name":"Remote System Discovery - ip route","platform":"Linux","sigma_rules":[{"rule_name":"System Network Discovery - Linux","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1027.001","atomic_attack_guid":"ffe2346c-abd5-4b45-a713-bf5f1ebd573a","atomic_attack_name":"Pad Binary to Change Hash - Linux/macOS dd","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially 
Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1027.002","atomic_attack_guid":"11c46cd8-e471-450e-acb8-52a1216ae6a4","atomic_attack_name":"Binary simply packed by UPX (linux)","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1027.002","atomic_attack_guid":"f06197f8-ff46-48c2-a0c6-afc1b50665e1","atomic_attack_name":"Binary packed by UPX, with modified headers (linux)","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1030","atomic_attack_guid":"ab936c51-10f4-46ce-9144-e02137b2016a","atomic_attack_name":"Data Transfer Size Limits","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","atomic_attack_guid":"a315bfff-7a98-403b-b442-2ea1b255e556","atomic_attack_name":"Masquerading as FreeBSD or Linux crond process.","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious 
Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1036.004","atomic_attack_guid":"f0e3aaea-5cd9-4db6-a077-631dd19b27a8","atomic_attack_name":"linux rename /proc/pid/comm using prctl","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1036.004","atomic_attack_guid":"ad4b73c2-d6e2-4d8b-9868-4c6f55906e01","atomic_attack_name":"Hiding a malicious process with bind mounts","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"7fe741f7-b265-4951-a7c7-320889083b3e","atomic_attack_name":"Packet Capture Linux using tshark or tcpdump","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"c93f2492-9ebe-44b5-8b45-36574cccfe67","atomic_attack_name":"Packet Capture FreeBSD using tshark or tcpdump","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[]},{"tech_id":"T1003.007","atomic_attack_guid":"a27418de-bdce-4ebd-b655-38f04842bf0c","atomic_attack_name":"Capture Passwords with MimiPenguin","platform":"Linux","sigma_rules":[{"rule_name":"Execution 
Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1005","atomic_attack_guid":"00cbb875-7ae4-4cf1-b638-e543fd825300","atomic_attack_name":"Find and dump sqlite databases (Linux)","platform":"Linux","splunk_rules":[{"rule_name":"Linux Common Process For Elevation Control","rule_link":"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1014","atomic_attack_guid":"dfb50072-e45a-4c75-a17e-a484809c8553","atomic_attack_name":"Loadable Kernel Module based Rootkit","platform":"Linux","splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"},{"rule_name":"Linux Insert Kernel Module Using Insmod Utility","rule_link":"https://research.splunk.com/endpoint/18b5a1a0-6326-11ec-943a-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1014","atomic_attack_guid":"75483ef8-f10f-444a-bf02-62eb0e48db6f","atomic_attack_name":"Loadable Kernel Module based Rootkit","platform":"Linux","splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1027","atomic_attack_guid":"f45df6be-2e1e-4136-a384-8f18ab3826fb","atomic_attack_name":"Decode base64 Data into Script","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Common Process For Elevation 
Control","rule_link":"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/"}]},{"tech_id":"T1036.005","atomic_attack_guid":"812c3ab8-94b0-4698-a9bf-9420af23ce24","atomic_attack_name":"Execute a process from a directory masquerading as the current parent directory.","platform":"Linux","splunk_rules":[{"rule_name":"Windows Command and Scripting Interpreter Hunting Path Traversal","rule_link":"https://research.splunk.com/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/"}],"sigma_rules":[]},{"tech_id":"T1036.006","atomic_attack_guid":"b95ce2eb-a093-4cd8-938d-5258cef656ea","atomic_attack_name":"Space After Filename","platform":"Linux","splunk_rules":[{"rule_name":"Linux Common Process For Elevation Control","rule_link":"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1037.004","atomic_attack_guid":"c33f3d80-5f04-419b-a13a-854d1cbdbf3a","atomic_attack_name":"rc.common","platform":"Linux","splunk_rules":[{"rule_name":"Linux Common Process For Elevation Control","rule_link":"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1037.004","atomic_attack_guid":"126f71af-e1c9-405c-94ef-26a47b16c102","atomic_attack_name":"rc.local","platform":"Linux","splunk_rules":[{"rule_name":"Linux Common Process For Elevation Control","rule_link":"https://research.splunk.com/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/"}],"sigma_rules":[]},{"tech_id":"T1040","atomic_attack_guid":"e2028771-1bfb-48f5-b5e6-e50ee0942a14","atomic_attack_name":"Packet Capture FreeBSD using /dev/bpfN with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su 
Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1040","atomic_attack_guid":"a3a0d4c9-c068-4563-a08d-583bd05b884c","atomic_attack_name":"Filtered Packet Capture FreeBSD using /dev/bpfN with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Bash Interactive Shell","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1040","atomic_attack_guid":"10c710c9-9104-4d5f-8829-5b65391e2a29","atomic_attack_name":"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1040","atomic_attack_guid":"7a0895f0-84c1-4adf-8491-a21510b1d4c1","atomic_attack_name":"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1040","atomic_attack_guid":"515575ab-d213-42b1-aa64-ef6a2dd4641b","atomic_attack_name":"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of 
Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1040","atomic_attack_guid":"b1cbdf8b-6078-48f5-a890-11ea19d7f8e9","atomic_attack_name":"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo","platform":"Linux","sigma_rules":[{"rule_name":"Execution Of Script Located In Potentially Suspicious Directory","rule_link":"https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"}],"splunk_rules":[{"rule_name":"Linux Sudo OR Su Execution","rule_link":"https://research.splunk.com/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/"}]},{"tech_id":"T1033","test_number":3,"atomic_attack_guid":"29857f27-a36f-4f7e-8084-4557cd6207ca","atomic_attack_name":"Find computers where user has session - Stealth mode (PowerView)","platform":"windows","sigma_rules":[{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1033","test_number":4,"atomic_attack_guid":"dcb6cdee-1fb0-4087-8bf8-88cfd136ba51","atomic_attack_name":"User Discovery With Env Vars PowerShell 
Script","platform":"windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Get Current User","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"},{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1033","test_number":6,"atomic_attack_guid":"3d257a03-eb80-41c5-b744-bb37ac7f65c7","atomic_attack_name":"System Discovery - SocGholish whoami","platform":"windows","sigma_rules":[{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"},{"rule_name":"Enumerate All Information With Whoami.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script 
Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1033","test_number":7,"atomic_attack_guid":"ba38e193-37a6-4c41-b214-61b33277fe36","atomic_attack_name":"System Owner/User Discovery Using Command Prompt","platform":"windows","sigma_rules":[{"rule_name":"Renamed Whoami Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"User Discovery With Env Vars PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml"}]},{"tech_id":"T1003","test_number":2,"atomic_attack_guid":"9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6","atomic_attack_name":"Credential Dumping with NPPSpy","platform":"windows","sigma_rules":[{"rule_name":"Potential Credential Dumping Attempt Using New NetworkProvider - CLI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":3,"atomic_attack_guid":"7ae7102c-a099-45c8-b985-4c7a2d05790d","atomic_attack_name":"Dump LSASS.exe Memory using direct system calls and API unhooking","platform":"windows","sigma_rules":[{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":5,"atomic_attack_guid":"dea6c349-f1c6-44f3-87a1-1ed33a59a607","atomic_attack_name":"Dump LSASS.exe Memory using Windows Task 
Manager","platform":"windows","sigma_rules":[{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":7,"atomic_attack_guid":"c37bc535-5c62-4195-9cc3-0517673171d8","atomic_attack_name":"LSASS read with pypykatz","platform":"windows","sigma_rules":[{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":8,"atomic_attack_guid":"6502c8f0-b775-4dbd-9193-1298f56b6781","atomic_attack_name":"Dump LSASS.exe Memory using Out-Minidump.ps1","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Get-Process LSASS in ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":11,"atomic_attack_guid":"9d0072c8-7cca-45c4-bd14-f852cfa35cf0","atomic_attack_name":"Dump LSASS with createdump.exe from .Net v5","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Get-Process LSASS in ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Renamed CreateDump Utility 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"}],"splunk_rules":[]},{"tech_id":"T1003.001","test_number":13,"atomic_attack_guid":"47a539d1-61b9-4364-bf49-a68bc2a95ef0","atomic_attack_name":"Dump LSASS.exe using lolbin rdrleakdiag.exe","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Get-Process LSASS in ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"},{"rule_name":"Mimikatz Use","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"},{"rule_name":"LSASS Dump Keyword In CommandLine","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"},{"rule_name":"Process Memory Dump via RdrLeakDiag.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"}],"splunk_rules":[{"rule_name":"Create Remote Thread into LSASS","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/create_remote_thread_into_lsass.yml"}]},{"tech_id":"T1003.002","test_number":6,"atomic_attack_guid":"9d77fed7-05f8-476e-a81b-8ff0472c64d0","atomic_attack_name":"dump volume shadow copy hives with System.IO.File","platform":"windows","sigma_rules":[{"rule_name":"Copying Sensitive Files with Credential Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"},{"rule_name":"PowerShell SAM Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml"}],"splunk_rules":[{"rule_name":"Detect Copy of ShadowCopy 
with Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml"}]},{"tech_id":"T1003.002","test_number":7,"atomic_attack_guid":"0c0f5f06-166a-4f4d-bb4a-719df9a01dbb","atomic_attack_name":"WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Detect Copy of ShadowCopy with Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml"}]},{"tech_id":"T1003.002","test_number":8,"atomic_attack_guid":"21df41be-cdd8-4695-a650-c3981113aa3c","atomic_attack_name":"Dumping of SAM, creds, and secrets(Reg Export)","platform":"windows","sigma_rules":[{"rule_name":"Dumping of Sensitive Hives Via Reg.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"}],"splunk_rules":[]},{"tech_id":"T1005","test_number":1,"atomic_attack_guid":"d3d9af44-b8ad-4375-8b0a-4bff4b7e419c","atomic_attack_name":"Search files of interest and save them to a single zip file (Windows)","platform":"windows","sigma_rules":[{"rule_name":"Cisco Collect Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"}],"splunk_rules":[]},{"tech_id":"T1006","test_number":1,"atomic_attack_guid":"88f6327e-51ec-4bbf-b2e8-3fea534eab8b","atomic_attack_name":"Read volume boot sector via DOS device path (PowerShell)","platform":"windows","sigma_rules":[{"rule_name":"Potential Defense Evasion Via Raw Disk Access By Uncommon 
Tools","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml"}],"splunk_rules":[]},{"tech_id":"T1012","test_number":1,"atomic_attack_guid":"8f7578c4-9863-4d83-875c-a565573bbdf0","atomic_attack_name":"Query Registry","platform":"windows","sigma_rules":[{"rule_name":"Potential Configuration And Service Reconnaissance Via Reg.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml"}],"splunk_rules":[]},{"tech_id":"T1016","test_number":2,"atomic_attack_guid":"038263cb-00f4-4b0a-98ae-0696c67e1752","atomic_attack_name":"List Windows Firewall Rules","platform":"windows","sigma_rules":[{"rule_name":"Firewall Configuration Discovery Via Netsh.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1016","test_number":7,"atomic_attack_guid":"121de5c6-5818-4868-b8a7-8fd07c455c1b","atomic_attack_name":"Qakbot Recon","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Network Command","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":5,"atomic_attack_guid":"2d5a61f5-0447-4be4-944a-1f8530ed6574","atomic_attack_name":"Remote System Discovery - arp","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":8,"atomic_attack_guid":"baa01aaa-5e13-45ec-8a0d-e46c93c9760f","atomic_attack_name":"Remote System Discovery - nslookup","platform":"windows","sigma_rules":[{"rule_name":"Cisco 
Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Suspicious Scan Loop Network","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":9,"atomic_attack_guid":"95e19466-469e-4316-86d2-1dc401b5a959","atomic_attack_name":"Remote System Discovery - adidnsdump","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":11,"atomic_attack_guid":"5838c31e-a0e2-4b9f-b60a-d79d2cb7995e","atomic_attack_name":"Adfind - Enumerate Active Directory Domain Controller Objects","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":16,"atomic_attack_guid":"962a6017-1c09-45a6-880b-adc9c57cb22e","atomic_attack_name":"Enumerate domain computers within Active Directory using DirectorySearcher","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"DirectorySearcher Powershell Exploitation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml"},{"rule_name":"Renamed AdFind 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"},{"rule_name":"PUA - AdFind Suspicious Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"}],"splunk_rules":[]},{"tech_id":"T1018","test_number":19,"atomic_attack_guid":"b9d2e8ca-5520-4737-8076-4f08913da2c4","atomic_attack_name":"Get-DomainController with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[{"rule_name":"GetDomainComputer with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml"},{"rule_name":"Windows PowerView Unconstrained Delegation Discovery","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml"},{"rule_name":"GetDomainController with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml"}]},{"tech_id":"T1020","test_number":1,"atomic_attack_guid":"9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0","atomic_attack_name":"IcedID Botnet HTTP PUT","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Script With File Upload Capabilities","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"}],"splunk_rules":[]},{"tech_id":"T1020","test_number":2,"atomic_attack_guid":"5b380e96-b0ef-4072-8a8e-f194cb9eb9ac","atomic_attack_name":"Exfiltration via Encrypted 
FTP","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Script With File Upload Capabilities","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","test_number":1,"atomic_attack_guid":"355d4632-8cb9-449d-91ce-b566d0253d3e","atomic_attack_name":"RDP to DomainController","platform":"windows","sigma_rules":[{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"},{"rule_name":"New Remote Desktop Connection Initiated Via Mstsc.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1021.001","test_number":2,"atomic_attack_guid":"2f840dd4-8a2e-4f44-beb3-6b2399ea3771","atomic_attack_name":"Changing RDP Port to Non Standard Port via Powershell","platform":"windows","sigma_rules":[{"rule_name":"Publicly Accessible RDP Service","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/zeek/zeek_rdp_public_listener.yml"}],"splunk_rules":[{"rule_name":"Allow Inbound Traffic In Firewall Rule","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml"}]},{"tech_id":"T1021.002","test_number":2,"atomic_attack_guid":"514e9cd7-9207-4882-98b1-c8f791bae3c5","atomic_attack_name":"Map Admin Share PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Suspicious New-PSDrive to Admin Share","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"}],"splunk_rules":[]},{"tech_id":"T1021.006","test_number":1,"atomic_attack_guid":"9059e8de-3d7d-4954-a322-46161880b9cf","atomic_attack_name":"Enable Windows Remote 
Management","platform":"windows","sigma_rules":[{"rule_name":"Enable Windows Remote Management","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"}],"splunk_rules":[]},{"tech_id":"T1021.006","test_number":2,"atomic_attack_guid":"5295bd61-bd7e-4744-9d52-85962a4cf2d6","atomic_attack_name":"Remote Code Execution with PS Credentials Using Invoke-Command","platform":"windows","sigma_rules":[{"rule_name":"Execute Invoke-command on Remote Host","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"},{"rule_name":"Enable Windows Remote Management","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"}],"splunk_rules":[{"rule_name":"Remote Process Instantiation via WinRM and PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml"}]},{"tech_id":"T1027","test_number":3,"atomic_attack_guid":"450e7218-7915-4be4-8b9b-464a49eafcec","atomic_attack_name":"Execute base64-encoded PowerShell from Windows Registry","platform":"windows","sigma_rules":[{"rule_name":"Base64 Encoded PowerShell Command Detected","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml"}],"splunk_rules":[{"rule_name":"Powershell Fileless Script Contains Base64 Encoded Content","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml"}]},{"tech_id":"T1027","test_number":7,"atomic_attack_guid":"8b3f4ed6-077b-4bdd-891c-2d237f19410f","atomic_attack_name":"Obfuscated Command in 
PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Potential PowerShell Command Line Obfuscation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml"}],"splunk_rules":[]},{"tech_id":"T1027.004","test_number":1,"atomic_attack_guid":"ffcdbd6a-b0e8-487d-927a-09127fe9a206","atomic_attack_name":"Compile After Delivery using csc.exe","platform":"windows","sigma_rules":[{"rule_name":"Csc.EXE Execution Form Potentially Suspicious Parent","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","test_number":6,"atomic_attack_guid":"bc15c13f-d121-4b1f-8c7d-28d95854d086","atomic_attack_name":"Masquerading - non-windows exe running as windows exe","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Start-Process PassThru","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"}],"splunk_rules":[]},{"tech_id":"T1036.003","test_number":7,"atomic_attack_guid":"c3d24a39-2bfe-4c6a-b064-90cd73896cb0","atomic_attack_name":"Masquerading - windows exe running as different windows exe","platform":"windows","sigma_rules":[{"rule_name":"Potential Defense Evasion Via Binary Rename","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"}],"splunk_rules":[]},{"tech_id":"T1036.005","test_number":2,"atomic_attack_guid":"35eb8d16-9820-4423-a2a1-90c4f5edd9ca","atomic_attack_name":"Masquerade as a built-in system executable","platform":"windows","sigma_rules":[{"rule_name":"Files With System Process Name In Unsuspected 
Locations","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml"}],"splunk_rules":[]},{"tech_id":"T1040","test_number":16,"atomic_attack_guid":"9c15a7de-de14-46c3-bc2a-6d94130986ae","atomic_attack_name":"PowerShell Network Sniffing","platform":"windows","sigma_rules":[{"rule_name":"Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml"}],"splunk_rules":[]},{"tech_id":"T1046","test_number":5,"atomic_attack_guid":"54574908-f1de-4356-9021-8053dd57439a","atomic_attack_name":"WinPwn - spoolvulnscan","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1046","test_number":6,"atomic_attack_guid":"97585b04-5be2-40e9-8c31-82157b8af2d6","atomic_attack_name":"WinPwn - MS17-10","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1046","test_number":7,"atomic_attack_guid":"1cca5640-32a9-46e6-b8e0-fabbe2384a73","atomic_attack_name":"WinPwn - bluekeep","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - 
ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1046","test_number":8,"atomic_attack_guid":"bb037826-cbe8-4a41-93ea-b94059d6bb98","atomic_attack_name":"WinPwn - fruit","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1048","test_number":3,"atomic_attack_guid":"c943d285-ada3-45ca-b3aa-7cd6500c6a48","atomic_attack_name":"DNSExfiltration (doh)","platform":"windows","sigma_rules":[{"rule_name":"Powershell DNSExfiltration","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"}],"splunk_rules":[]},{"tech_id":"T1048.003","test_number":2,"atomic_attack_guid":"dd4b4421-2e25-4593-90ae-7021947ad12e","atomic_attack_name":"Exfiltration Over Alternative Protocol - ICMP","platform":"windows","sigma_rules":[{"rule_name":"PowerShell ICMP Exfiltration","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml"}],"splunk_rules":[]},{"tech_id":"T1049","test_number":1,"atomic_attack_guid":"0940a971-809a-48f1-9c4d-b1d785e96ee5","atomic_attack_name":"System Network Connections Discovery","platform":"windows","sigma_rules":[{"rule_name":"System Network Connections Discovery Via 
Net.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml"}],"splunk_rules":[{"rule_name":"GetNetTcpconnection with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml"}]},{"tech_id":"T1049","test_number":3,"atomic_attack_guid":"b52c8233-8f71-4bd7-9928-49fec8215cf5","atomic_attack_name":"System Network Connections Discovery via PowerShell (Process Mapping)","platform":"windows","sigma_rules":[{"rule_name":"Use Get-NetTCPConnection - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml"}],"splunk_rules":[{"rule_name":"GetNetTcpconnection with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml"}]},{"tech_id":"T1049","test_number":7,"atomic_attack_guid":"96f974bb-a0da-4d87-a744-ff33e73367e9","atomic_attack_name":"System Discovery using SharpView","platform":"windows","sigma_rules":[{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"}],"splunk_rules":[{"rule_name":"GetNetTcpconnection with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml"}]},{"tech_id":"T1053.005","test_number":4,"atomic_attack_guid":"af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd","atomic_attack_name":"Powershell Cmdlet Scheduled Task","platform":"windows","sigma_rules":[{"rule_name":"Powershell Create Scheduled 
Task","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":5,"atomic_attack_guid":"ecd3fa21-7792-41a2-8726-2c5c673414d3","atomic_attack_name":"Task Scheduler via VBA","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":6,"atomic_attack_guid":"e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b","atomic_attack_name":"WMI Invoke-CimMethod Scheduled Task","platform":"windows","sigma_rules":[{"rule_name":"Powershell Create Scheduled Task","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":8,"atomic_attack_guid":"cd925593-fbb4-486d-8def-16cbdf944bf4","atomic_attack_name":"Import XML Schedule Task with Hidden Attribute","platform":"windows","sigma_rules":[{"rule_name":"Powershell Create Scheduled Task","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":9,"atomic_attack_guid":"dda6fc7b-c9a6-4c18-b98d-95ec6542af6d","atomic_attack_name":"PowerShell Modify A Scheduled Task","platform":"windows","sigma_rules":[{"rule_name":"Powershell Create Scheduled Task","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":11,"atomic_attack_guid":"8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2","atomic_attack_name":"Scheduled Task Persistence via CompMgmt.msc","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1053.005","test_number":12,"atomic_attack_guid":"02124c37-767e-4b76-9383-c9fc366d9d4c","atomic_attack_name":"Scheduled Task Persistence via Eventviewer.msc","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"}]},{"tech_id":"T1055.001","test_number":1,"atomic_attack_guid":"74496461-11a1-4982-b439-4d87a550d254","atomic_attack_name":"Process Injection via mavinject.exe","platform":"windows","sigma_rules":[{"rule_name":"Renamed Mavinject.EXE Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"},{"rule_name":"Mavinject Inject DLL Into Running 
Process","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"}],"splunk_rules":[]},{"tech_id":"T1055.002","test_number":1,"atomic_attack_guid":"578025d5-faa9-4f6d-8390-aae739d503e1","atomic_attack_name":"Portable Executable Injection","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Windows Process Injection Remote Thread","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_process_injection_remote_thread.yml"}]},{"tech_id":"T1057","test_number":3,"atomic_attack_guid":"3b3809b6-a54b-4f5b-8aff-cb51f2e97b34","atomic_attack_name":"Process Discovery - Get-Process","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Process Discovery With Get-Process","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"}],"splunk_rules":[]},{"tech_id":"T1059.001","test_number":2,"atomic_attack_guid":"a21bb23e-e677-4ee7-af90-6931b57b6350","atomic_attack_name":"Run BloodHound from local disk","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - Bloodhound/Sharphound Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":3,"atomic_attack_guid":"bf8c1441-4674-4dab-8e4e-39d93d08f9b7","atomic_attack_name":"Run Bloodhound from Memory using Download Cradle","platform":"windows","sigma_rules":[{"rule_name":"Suspicious PowerShell Invocations - Specific","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml"},{"rule_name":"Suspicious PowerShell Invocations - Specific - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml"},{"rule_name":"Malicious 
PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Suspicious PowerShell Download and Execute Pattern","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"},{"rule_name":"PowerShell Download Pattern","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"},{"rule_name":"HackTool - Bloodhound/Sharphound Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Fileless Script Contains Base64 Encoded Content","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via 
Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Windows PowerShell Script Block With Malicious String","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":7,"atomic_attack_guid":"4396927f-e503-427b-b023-31049b9b09a6","atomic_attack_name":"Powershell XML requests","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via 
Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":9,"atomic_attack_guid":"cc50fa2a-a4be-42af-a88f-e347ba0bf4d7","atomic_attack_name":"Powershell Invoke-DownloadCradle","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing 
Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":10,"atomic_attack_guid":"fa050f5e-bc75-4230-af73-b6fd7852cd73","atomic_attack_name":"PowerShell Fileless Script Execution","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"},{"rule_name":"Base64 Encoded PowerShell Command Detected","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via 
Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":11,"atomic_attack_guid":"8e5c5532-1181-4c1d-bb79-b3a9f5dbd680","atomic_attack_name":"NTFS Alternate Data Stream Access","platform":"windows","sigma_rules":[{"rule_name":"NTFS Alternate Data Stream","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread 
Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":12,"atomic_attack_guid":"7c1acec2-78fa-4305-a3e0-db2a54cddecd","atomic_attack_name":"PowerShell Session Creation and Use","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Remote Session Creation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.001","test_number":19,"atomic_attack_guid":"1289f78d-22d2-4590-ac76-166737e1811b","atomic_attack_name":"PowerUp Invoke-AllChecks","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"},{"rule_name":"Malicious PowerShell Scripts - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"},{"rule_name":"Usage Of Web Request Commands And Cmdlets","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"}],"splunk_rules":[]},{"tech_id":"T1059.001","test_number":20,"atomic_attack_guid":"999bff6d-dc15-44c9-9f5c-e1051bfc86e1","atomic_attack_name":"Abuse Nslookup with DNS Records","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Non Interactive PowerShell Process Spawned","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml"},{"rule_name":"Windows Shell/Scripting Processes Spawning Suspicious Programs","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml"}],"splunk_rules":[{"rule_name":"Windows PowerShell 
ScheduleTask","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_powershell_scheduletask.yml"},{"rule_name":"PowerShell 4104 Hunting","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_4104_hunting.yml"},{"rule_name":"Powershell Creating Thread Mutex","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_creating_thread_mutex.yml"},{"rule_name":"PowerShell Loading DotNET into Memory via Reflection","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"},{"rule_name":"Powershell Using memory As Backing Store","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_using_memory_as_backing_store.yml"},{"rule_name":"Powershell Processing Stream Of Data","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_processing_stream_of_data.yml"},{"rule_name":"PowerShell WebRequest Using Memory Stream","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_webrequest_using_memory_stream.yml"}]},{"tech_id":"T1059.003","test_number":1,"atomic_attack_guid":"9e8894c0-50bd-4525-a96c-d4ac78ece388","atomic_attack_name":"Create and Execute Batch Script","platform":"windows","sigma_rules":[{"rule_name":"Powershell Execute Batch Script","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml"}],"splunk_rules":[]},{"tech_id":"T1069.001","test_number":3,"atomic_attack_guid":"a580462d-2c19-4bc7-8b9a-57a41b7d3ba4","atomic_attack_name":"Permission Groups Discovery PowerShell (Local)","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Get Local Groups Information - 
PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml"},{"rule_name":"Suspicious Get Local Groups Information","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml"}],"splunk_rules":[{"rule_name":"Powershell Get LocalGroup Discovery with Script Block Logging","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml"}]},{"tech_id":"T1069.002","test_number":1,"atomic_attack_guid":"dd66d77d-8998-48c0-8024-df263dc2ce5d","atomic_attack_name":"Basic Permission Groups Discovery Windows (Domain)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1069.002","test_number":3,"atomic_attack_guid":"0afb5163-8181-432e-9405-4322710c0c37","atomic_attack_name":"Elevated group enumeration using net group (Domain)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1069.002","test_number":4,"atomic_attack_guid":"a2d71eee-a353-4232-9f86-54f4288dd8c1","atomic_attack_name":"Find machines where user has local admin access (PowerView)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"GetDomainGroup with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml"},{"rule_name":"Elevated Group Discovery with PowerView","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml"}]},{"tech_id":"T1069.002","test_number":5,"atomic_attack_guid":"a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd","atomic_attack_name":"Find local admins on all machines in domain (PowerView)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"GetDomainGroup with PowerShell Script 
Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml"},{"rule_name":"Elevated Group Discovery with PowerView","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml"}]},{"tech_id":"T1069.002","test_number":6,"atomic_attack_guid":"64fdb43b-5259-467a-b000-1b02c00e510a","atomic_attack_name":"Find Local Admins via Group Policy (PowerView)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"GetDomainGroup with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml"},{"rule_name":"Elevated Group Discovery with PowerView","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml"}]},{"tech_id":"T1069.002","test_number":7,"atomic_attack_guid":"870ba71e-6858-4f6d-895c-bb6237f6121b","atomic_attack_name":"Enumerate Users Not Requiring Pre Auth 
(ASRepRoast)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1069.002","test_number":12,"atomic_attack_guid":"46352f40-f283-4fe5-b56d-d9a71750e145","atomic_attack_name":"Get-DomainGroupMember with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"GetDomainGroup with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml"},{"rule_name":"Elevated Group Discovery with PowerView","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml"}]},{"tech_id":"T1069.002","test_number":13,"atomic_attack_guid":"5a8a181c-2c8e-478d-a943-549305a01230","atomic_attack_name":"Get-DomainGroup with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - 
ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"GetDomainGroup with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getdomaingroup_with_powershell_script_block.yml"},{"rule_name":"Elevated Group Discovery with PowerView","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/elevated_group_discovery_with_powerview.yml"}]},{"tech_id":"T1069.002","test_number":14,"atomic_attack_guid":"22cf8cb9-adb1-4e8c-80ca-7c723dfc8784","atomic_attack_name":"Active Directory Enumeration with LDIFDE","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1070","test_number":2,"atomic_attack_guid":"96e86706-6afd-45b6-95d6-108d23eaf2e9","atomic_attack_name":"Indicator Manipulation using FSUtil","platform":"windows","sigma_rules":[{"rule_name":"Fsutil Suspicious 
Invocation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"}],"splunk_rules":[]},{"tech_id":"T1070.001","test_number":2,"atomic_attack_guid":"b13e9306-3351-4b4b-a6e8-477358b0b498","atomic_attack_name":"Delete System Logs Using Clear-EventLog","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Eventlog Clearing or Configuration Change Activity","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"}],"splunk_rules":[]},{"tech_id":"T1070.003","test_number":11,"atomic_attack_guid":"2f898b81-3e97-4abb-bc3f-a95138988370","atomic_attack_name":"Prevent Powershell History Logging","platform":"windows","sigma_rules":[{"rule_name":"Linux Command History Tampering","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml"}],"splunk_rules":[]},{"tech_id":"T1070.003","test_number":12,"atomic_attack_guid":"da75ae8d-26d6-4483-b0fe-700e4df4f037","atomic_attack_name":"Clear Powershell History by Deleting History File","platform":"windows","sigma_rules":[{"rule_name":"Linux Command History Tampering","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"},{"rule_name":"Clearing Windows Console 
History","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml"}],"splunk_rules":[]},{"tech_id":"T1070.003","test_number":13,"atomic_attack_guid":"1d0d9aa6-6111-4f89-927b-53e8afae7f94","atomic_attack_name":"Set Custom AddToHistoryHandler to Avoid History File Logging","platform":"windows","sigma_rules":[{"rule_name":"Linux Command History Tampering","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml"}],"splunk_rules":[]},{"tech_id":"T1070.003","test_number":14,"atomic_attack_guid":"22c779cd-9445-4d3e-a136-f75adbf0315f","atomic_attack_name":"Clear PowerShell Session History","platform":"windows","sigma_rules":[{"rule_name":"Linux Command History Tampering","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"},{"rule_name":"Clearing Windows Console History","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"},{"rule_name":"Clear PowerShell History - PowerShell 
Module","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml"}],"splunk_rules":[]},{"tech_id":"T1070.004","test_number":6,"atomic_attack_guid":"9dee89bd-9a98-4c4f-9e2d-4256690b0e72","atomic_attack_name":"Delete a single file - Windows PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.004","test_number":7,"atomic_attack_guid":"edd779e4-a509-4cba-8dfa-a112543dbfb1","atomic_attack_name":"Delete an entire folder - Windows PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.004","test_number":10,"atomic_attack_guid":"69f50a5f-967c-4327-a5bb-e1a9a9983785","atomic_attack_name":"Delete TeamViewer Log Files","platform":"windows","sigma_rules":[{"rule_name":"Cisco File Deletion","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.005","test_number":3,"atomic_attack_guid":"0512d214-9512-4d22-bde7-f37e058259b3","atomic_attack_name":"Remove Network Share PowerShell","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Deleted Mounted Share","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1070.005","test_number":5,"atomic_attack_guid":"4299eff5-90f1-4446-b2f3-7f4f5cfd5d62","atomic_attack_name":"Remove Administrative Shares","platform":"windows","sigma_rules":[{"rule_name":"Unmount Share Via 
Net.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml"}],"splunk_rules":[]},{"tech_id":"T1070.006","test_number":5,"atomic_attack_guid":"b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c","atomic_attack_name":"Windows - Modify file creation timestamp with PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Powershell Timestomp","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"}],"splunk_rules":[]},{"tech_id":"T1070.006","test_number":6,"atomic_attack_guid":"f8f6634d-93e1-4238-8510-f8a90a20dcf2","atomic_attack_name":"Windows - Modify file last modified timestamp with PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Powershell Timestomp","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"}],"splunk_rules":[]},{"tech_id":"T1070.006","test_number":7,"atomic_attack_guid":"da627f63-b9bd-4431-b6f8-c5b44d061a62","atomic_attack_name":"Windows - Modify file last access timestamp with PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Powershell Timestomp","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"}],"splunk_rules":[]},{"tech_id":"T1071.001","test_number":1,"atomic_attack_guid":"81c13829-f6c9-45b8-85a6-053366d55297","atomic_attack_name":"Malicious User Agents - Powershell","platform":"windows","sigma_rules":[{"rule_name":"Change User Agents with WebRequest","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":14,"atomic_attack_guid":"eea1d918-825e-47dd-acc2-814d6c58c0e1","atomic_attack_name":"WinPwn - 
winPEAS","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":15,"atomic_attack_guid":"3d256a2f-5e57-4003-8eb6-64d91b1da7ce","atomic_attack_name":"WinPwn - itm4nprivesc","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":16,"atomic_attack_guid":"345cb8e4-d2de-4011-a580-619cf5a9e2d7","atomic_attack_name":"WinPwn - Powersploits privesc checks","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":17,"atomic_attack_guid":"5b6f39a2-6ec7-4783-a5fd-2c54a55409ed","atomic_attack_name":"WinPwn - General privesc checks","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - 
WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":18,"atomic_attack_guid":"7804659b-fdbf-4cf6-b06a-c03e758590e8","atomic_attack_name":"WinPwn - GeneralRecon","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"},{"rule_name":"Suspicious Execution of Systeminfo","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":19,"atomic_attack_guid":"3278b2f6-f733-4875-9ef4-bfed34244f0a","atomic_attack_name":"WinPwn - Morerecon","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":20,"atomic_attack_guid":"dec6a0d8-bcaf-4c22-9d48-2aee59fb692b","atomic_attack_name":"WinPwn - RBCD-Check","platform":"windows","sigma_rules":[{"rule_name":"HackTool - WinPwn Execution - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"},{"rule_name":"HackTool - WinPwn 
Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"}],"splunk_rules":[]},{"tech_id":"T1082","test_number":27,"atomic_attack_guid":"8851b73a-3624-4bf7-8704-aa312411565c","atomic_attack_name":"System Information Discovery with WMIC","platform":"windows","sigma_rules":[{"rule_name":"Uncommon System Information Discovery Via Wmic.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml"}],"splunk_rules":[]},{"tech_id":"T1083","test_number":2,"atomic_attack_guid":"2158908e-b7ef-4c21-8a83-3ce4dd05a924","atomic_attack_name":"File and Directory Discovery (PowerShell)","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1083","test_number":5,"atomic_attack_guid":"c6c34f61-1c3e-40fb-8a58-d017d88286d8","atomic_attack_name":"Simulating MAZE Directory Enumeration","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"},{"rule_name":"Powershell Directory Enumeration","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"}],"splunk_rules":[]},{"tech_id":"T1083","test_number":6,"atomic_attack_guid":"c5bec457-43c9-4a18-9a24-fe151d8971b7","atomic_attack_name":"Launch DirLister Executable","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1083","test_number":9,"atomic_attack_guid":"95a21323-770d-434c-80cd-6f6fbf7af432","atomic_attack_name":"Recursive 
Enumerate Files And Directories By Powershell","platform":"windows","sigma_rules":[{"rule_name":"Cisco Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1087.001","test_number":8,"atomic_attack_guid":"80887bec-5a9b-4efc-a81d-f83eb2eb32ab","atomic_attack_name":"Enumerate all accounts on Windows (Local)","platform":"windows","sigma_rules":[{"rule_name":"Cisco Collect Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[]},{"tech_id":"T1087.001","test_number":9,"atomic_attack_guid":"ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b","atomic_attack_name":"Enumerate all accounts via PowerShell (Local)","platform":"windows","sigma_rules":[{"rule_name":"Cisco Collect Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"},{"rule_name":"Local Accounts Discovery","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"}],"splunk_rules":[{"rule_name":"GetLocalUser with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/getlocaluser_with_powershell_script_block.yml"}]},{"tech_id":"T1087.002","test_number":2,"atomic_attack_guid":"8b8a6449-be98-4f42-afd2-dedddc7453b2","atomic_attack_name":"Enumerate all accounts via PowerShell (Domain)","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":10,"atomic_attack_guid":"46f8dbe9-22a5-4770-8513-66119c5be63b","atomic_attack_name":"Enumerate Active Directory for Unconstrained Delegation","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":11,"atomic_attack_guid":"93662494-5ed7-4454-a04c-8c8372808ac2","atomic_attack_name":"Get-DomainUser with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Windows Forest Discovery with GetForestDomain","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml"},{"rule_name":"Get DomainUser with PowerShell Script 
Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainuser_with_powershell_script_block.yml"}]},{"tech_id":"T1087.002","test_number":14,"atomic_attack_guid":"00c652e2-0750-4ca6-82ff-0204684a6fe4","atomic_attack_name":"Enumerate Root Domain linked policies Discovery","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[{"rule_name":"Windows Root Domain linked policies Discovery","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_root_domain_linked_policies_discovery.yml"}]},{"tech_id":"T1087.002","test_number":15,"atomic_attack_guid":"ce483c35-c74b-45a7-a670-631d1e69db3d","atomic_attack_name":"WinPwn - generaldomaininfo","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":16,"atomic_attack_guid":"f450461c-18d1-4452-9f0d-2c42c3f08624","atomic_attack_name":"Kerbrute - userenum","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":17,"atomic_attack_guid":"b8a563d4-a836-4993-a74e-0a19b8481bfe","atomic_attack_name":"Wevtutil - Discover NTLM Users Remote","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - 
PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":21,"atomic_attack_guid":"abf00f6c-9983-4d9a-afbc-6b1c6c6448e1","atomic_attack_name":"Suspicious LAPS Attributes Query with adfind all properties","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1087.002","test_number":22,"atomic_attack_guid":"51a98f96-0269-4e09-a10f-e307779a8b05","atomic_attack_name":"Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":1,"atomic_attack_guid":"5598f7cb-cf43-455e-883a-f6008c5d46af","atomic_attack_name":"Admin Account Manipulate","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"},{"rule_name":"Powershell LocalAccount Manipulation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":2,"atomic_attack_guid":"a55a22e9-a3d3-42ce-bd48-2653adb8f7a9","atomic_attack_name":"Domain Account and Group Manipulate","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local 
Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":9,"atomic_attack_guid":"d5b886d9-d1c7-4b6e-a7b0-460041bf2823","atomic_attack_name":"Password Change on Directory Service Restore Mode (DSRM) Account","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":10,"atomic_attack_guid":"fc5f9414-bd67-4f5f-a08e-e5381e29cbd1","atomic_attack_name":"Domain Password Policy Check: Short Password","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":11,"atomic_attack_guid":"68190529-069b-4ffc-a942-919704158065","atomic_attack_name":"Domain Password Policy Check: No Number in Password","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":12,"atomic_attack_guid":"7d984ef2-2db2-4cec-b090-e637e1698f61","atomic_attack_name":"Domain Password Policy Check: No Special Character in Password","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":13,"atomic_attack_guid":"b299c120-44a7-4d68-b8e2-8ba5a28511ec","atomic_attack_name":"Domain Password Policy Check: No Uppercase Character in Password","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local 
Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":14,"atomic_attack_guid":"945da11e-977e-4dab-85d2-f394d03c5887","atomic_attack_name":"Domain Password Policy Check: No Lowercase Character in Password","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":15,"atomic_attack_guid":"784d1349-5a26-4d20-af5e-d6af53bae460","atomic_attack_name":"Domain Password Policy Check: Only Two Character Classes","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1098","test_number":16,"atomic_attack_guid":"81959d03-c51f-49a1-bb24-23f1ec885578","atomic_attack_name":"Domain Password Policy Check: Common Password Use","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":8,"atomic_attack_guid":"ffd492e3-0455-4518-9fb1-46527c9f241b","atomic_attack_name":"certutil download (verifyctl)","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"},{"rule_name":"Suspicious Download Via 
Certutil.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"},{"rule_name":"Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":18,"atomic_attack_guid":"2b080b99-0deb-4d51-af0f-833d37c4ca6a","atomic_attack_name":"Curl Download File","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":19,"atomic_attack_guid":"635c9a38-6cbf-47dc-8615-3810bc1167cf","atomic_attack_name":"Curl Upload File","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":20,"atomic_attack_guid":"d239772b-88e2-4a2e-8473-897503401bcc","atomic_attack_name":"Download a file with Microsoft Connection Manager Auto-Download","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File 
Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":21,"atomic_attack_guid":"70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf","atomic_attack_name":"MAZE Propagation Script","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":32,"atomic_attack_guid":"6934c16e-0b3a-4e7f-ab8c-c414acd32181","atomic_attack_name":"File Download with Sqlcmd.exe","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":33,"atomic_attack_guid":"c82b1e60-c549-406f-9b00-0a8ae31c9cfe","atomic_attack_name":"Remote File Copy using PSCP","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":34,"atomic_attack_guid":"2a4b0d29-e5dd-4b66-b729-07423ba1cd9d","atomic_attack_name":"Windows push file using scp.exe","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File 
Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":35,"atomic_attack_guid":"401667dc-05a6-4da0-a2a7-acfe4819559c","atomic_attack_name":"Windows pull file using scp.exe","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":36,"atomic_attack_guid":"205e676e-0401-4bae-83a5-94b8c5daeb22","atomic_attack_name":"Windows push file using sftp.exe","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":37,"atomic_attack_guid":"3d25f1f2-55cb-4a41-a523-d17ad4cfba19","atomic_attack_name":"Windows pull file using sftp.exe","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1105","test_number":38,"atomic_attack_guid":"3dd6a6cf-9c78-462c-bd75-e9b54fc8925b","atomic_attack_name":"Download a file with OneDrive Standalone Updater","platform":"windows","sigma_rules":[{"rule_name":"Cisco Stage 
Data","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml"},{"rule_name":"Remote File Copy","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/builtin/lnx_file_copy.yml"}],"splunk_rules":[]},{"tech_id":"T1110.001","test_number":2,"atomic_attack_guid":"c2969434-672b-4ec8-8df0-bbb91f40e250","atomic_attack_name":"Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Connection to Remote Account","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml"}],"splunk_rules":[]},{"tech_id":"T1112","test_number":45,"atomic_attack_guid":"fe7974e5-5813-477b-a7bd-311d4f535e83","atomic_attack_name":"Enabling Restricted Admin Mode via Command_Prompt","platform":"windows","sigma_rules":[{"rule_name":"RestrictedAdminMode Registry Value Tampering","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml"},{"rule_name":"RestrictedAdminMode Registry Value Tampering - ProcCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"}],"splunk_rules":[]},{"tech_id":"T1112","test_number":67,"atomic_attack_guid":"eb0ba433-63e5-4a8c-a9f0-27c4192e1336","atomic_attack_name":"Enable Proxy Settings","platform":"windows","sigma_rules":[{"rule_name":"Modification of IE Registry Settings","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"}],"splunk_rules":[]},{"tech_id":"T1112","test_number":68,"atomic_attack_guid":"d88a3d3b-d016-4939-a745-03638aafd21b","atomic_attack_name":"Set-Up Proxy 
Server","platform":"windows","sigma_rules":[{"rule_name":"Modification of IE Registry Settings","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"}],"splunk_rules":[]},{"tech_id":"T1112","test_number":86,"atomic_attack_guid":"c691cee2-8d17-4395-b22f-00644c7f1c2d","atomic_attack_name":"Modify RDP-Tcp Initial Program Registry Entry","platform":"windows","sigma_rules":[{"rule_name":"RDP Sensitive Settings Changed","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"},{"rule_name":"Potential Tampering With RDP Related Registry Keys Via Reg.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"}],"splunk_rules":[]},{"tech_id":"T1113","test_number":8,"atomic_attack_guid":"e9313014-985a-48ef-80d9-cde604ffc187","atomic_attack_name":"Windows Screen Capture (CopyFromScreen)","platform":"windows","sigma_rules":[{"rule_name":"Windows Screen Capture with CopyFromScreen","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml"}],"splunk_rules":[{"rule_name":"Windows Screen Capture Via Powershell","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_screen_capture_via_powershell.yml"}]},{"tech_id":"T1115","test_number":2,"atomic_attack_guid":"d6dc21af-bec9-4152-be86-326b6babd416","atomic_attack_name":"Execute Commands from Clipboard using PowerShell","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Get Clipboard","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"},{"rule_name":"PowerShell Get-Clipboard Cmdlet Via 
CLI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml"},{"rule_name":"Data Copied To Clipboard Via Clip.EXE","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml"}],"splunk_rules":[{"rule_name":"Windows ClipBoard Data via Get-ClipBoard","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml"}]},{"tech_id":"T1115","test_number":4,"atomic_attack_guid":"9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52","atomic_attack_name":"Collect Clipboard Data via VBA","platform":"windows","sigma_rules":[{"rule_name":"PowerShell Get Clipboard","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"}],"splunk_rules":[]},{"tech_id":"T1119","test_number":2,"atomic_attack_guid":"634bd9b9-dc83-4229-b19f-7f83ba9ad313","atomic_attack_name":"Automated Collection PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Automated Collection Command PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml"}],"splunk_rules":[]},{"tech_id":"T1119","test_number":3,"atomic_attack_guid":"c3f6d794-50dd-482f-b640-0384fbb7db26","atomic_attack_name":"Recon information for export with PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Recon Information for Export with PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml"}],"splunk_rules":[]},{"tech_id":"T1120","test_number":1,"atomic_attack_guid":"2cb4dbf2-2dca-4597-8678-4d39d207a3a5","atomic_attack_name":"Win32_PnPEntity Hardware Inventory","platform":"windows","sigma_rules":[{"rule_name":"Powershell 
Suspicious Win32_PnPEntity","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml"}],"splunk_rules":[]},{"tech_id":"T1123","test_number":2,"atomic_attack_guid":"7a21cce2-6ada-4f7c-afd9-e1e9c481e44a","atomic_attack_name":"Registry artefact when application use microphone","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Camera and Microphone Access","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml"}],"splunk_rules":[]},{"tech_id":"T1125","test_number":1,"atomic_attack_guid":"6581e4a7-42e3-43c5-a0d2-5a0d62f9702a","atomic_attack_name":"Registry artefact when application use webcam","platform":"windows","sigma_rules":[{"rule_name":"Suspicious Camera and Microphone Access","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml"}],"splunk_rules":[]},{"tech_id":"T1134.004","test_number":1,"atomic_attack_guid":"069258f4-2162-46e9-9a25-c9c6c56150d2","atomic_attack_name":"Parent PID Spoofing using PowerShell","platform":"windows","sigma_rules":[{"rule_name":"HackTool - PPID Spoofing SelectMyParent Tool Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"}],"splunk_rules":[]},{"tech_id":"T1135","test_number":7,"atomic_attack_guid":"b1636f0a-ba82-435c-b699-0d78794d8bfd","atomic_attack_name":"Share Discovery with PowerView","platform":"windows","sigma_rules":[{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"}],"splunk_rules":[]},{"tech_id":"T1136.001","test_number":5,"atomic_attack_guid":"bc8be0ac-475c-4fbf-9b1d-9fffd77afbde","atomic_attack_name":"Create a new user 
in PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Cisco Local Accounts","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml"},{"rule_name":"PowerShell Create Local User","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml"}],"splunk_rules":[]},{"tech_id":"T1136.002","test_number":3,"atomic_attack_guid":"5a3497a4-1568-4663-b12a-d4a5ed70c7d7","atomic_attack_name":"Create a new Domain Account using PowerShell","platform":"windows","sigma_rules":[{"rule_name":"Manipulation of User Computer or Group Security Principals Across AD","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"}],"splunk_rules":[]},{"tech_id":"T1137.006","test_number":1,"atomic_attack_guid":"441b1a0f-a771-428a-8af0-e99e4698cda3","atomic_attack_name":"Code Executed Via Excel Add-in File (XLL)","platform":"windows","sigma_rules":[{"rule_name":"Code Executed Via Office Add-in XLL File","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml"}],"splunk_rules":[]},{"tech_id":"T1197","test_number":3,"atomic_attack_guid":"62a06ec5-5754-47d2-bcfc-123d8314c6ae","atomic_attack_name":"Persist, Download, & Execute","platform":"windows","sigma_rules":[{"rule_name":"Monitoring For Persistence Via BITS","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"},{"rule_name":"File Download Via Bitsadmin","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"},{"rule_name":"File With Suspicious Extension Downloaded Via 
Bitsadmin","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"},{"rule_name":"Suspicious Download From File-Sharing Website Via Bitsadmin","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"},{"rule_name":"File Download Via Bitsadmin To A Suspicious Target Folder","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"}],"splunk_rules":[]},{"tech_id":"T1201","test_number":9,"atomic_attack_guid":"3177f4da-3d4b-4592-8bdc-aa23d0b2e843","atomic_attack_name":"Get-DomainPolicy with PowerView","platform":"windows","sigma_rules":[],"splunk_rules":[{"rule_name":"Get DomainPolicy with Powershell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml"}]},{"tech_id":"T1217","test_number":5,"atomic_attack_guid":"faab755e-4299-48ec-8202-fc7885eb6545","atomic_attack_name":"List Google Chrome / Opera Bookmarks on Windows with powershell","platform":"windows","sigma_rules":[{"rule_name":"Automated Collection Bookmarks Using Get-ChildItem PowerShell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml"}],"splunk_rules":[]},{"tech_id":"T1218","test_number":4,"atomic_attack_guid":"db020456-125b-4c8b-a4a7-487df8afb5a2","atomic_attack_name":"ProtocolHandler.exe Downloaded a Suspicious File","platform":"windows","sigma_rules":[{"rule_name":"Potentially Suspicious Wuauclt Network 
Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","test_number":13,"atomic_attack_guid":"b1eeb683-90bb-4365-bbc2-2689015782fe","atomic_attack_name":"LOLBAS CustomShellHost to Spawn Process","platform":"windows","sigma_rules":[{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218","test_number":15,"atomic_attack_guid":"e5eedaed-ad42-4c1e-8783-19529738a349","atomic_attack_name":"LOLBAS Msedge to Spawn Process","platform":"windows","sigma_rules":[{"rule_name":"Potentially Suspicious Wuauclt Network Connection","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","test_number":5,"atomic_attack_guid":"882082f0-27c6-4eec-a43c-9aa80bccdb30","atomic_attack_name":"WMI Win32_Product Class - Execute Local MSI file with embedded JScript","platform":"windows","sigma_rules":[{"rule_name":"PowerShell WMI Win32_Product Install MSI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","test_number":6,"atomic_attack_guid":"cf470d9a-58e7-43e5-b0d2-805dffc05576","atomic_attack_name":"WMI Win32_Product Class - Execute Local MSI file with embedded VBScript","platform":"windows","sigma_rules":[{"rule_name":"PowerShell WMI Win32_Product Install 
MSI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","test_number":7,"atomic_attack_guid":"32eb3861-30da-4993-897a-42737152f5f8","atomic_attack_name":"WMI Win32_Product Class - Execute Local MSI file with an embedded DLL","platform":"windows","sigma_rules":[{"rule_name":"PowerShell WMI Win32_Product Install MSI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml"}],"splunk_rules":[]},{"tech_id":"T1218.007","test_number":8,"atomic_attack_guid":"55080eb0-49ae-4f55-a440-4167b7974f79","atomic_attack_name":"WMI Win32_Product Class - Execute Local MSI file with an embedded EXE","platform":"windows","sigma_rules":[{"rule_name":"PowerShell WMI Win32_Product Install MSI","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml"}],"splunk_rules":[]},{"tech_id":"T1218.009","test_number":1,"atomic_attack_guid":"71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112","atomic_attack_name":"Regasm Uninstall Method Call Test","platform":"windows","sigma_rules":[{"rule_name":"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.009","test_number":2,"atomic_attack_guid":"fd3c1c6a-02d2-4b72-82d9-71c527abb126","atomic_attack_name":"Regsvcs Uninstall Method Call Test","platform":"windows","sigma_rules":[{"rule_name":"Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon 
Location","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"}],"splunk_rules":[]},{"tech_id":"T1218.010","test_number":3,"atomic_attack_guid":"08ffca73-9a3d-471a-aeb0-68b4aa3ab37b","atomic_attack_name":"Regsvr32 local DLL execution","platform":"windows","sigma_rules":[{"rule_name":"Regsvr32 Execution From Highly Suspicious Location","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml"}],"splunk_rules":[]},{"tech_id":"T1482","test_number":1,"atomic_attack_guid":"4700a710-c821-4e17-a3ec-9e4c81d6845f","atomic_attack_name":"Windows - Discover domain trusts with dsquery","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"}],"splunk_rules":[]},{"tech_id":"T1482","test_number":3,"atomic_attack_guid":"c58fbc62-8a62-489e-8f2d-3565d7d96f30","atomic_attack_name":"Powershell enumerate domains and forests","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - 
ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[]},{"tech_id":"T1482","test_number":6,"atomic_attack_guid":"f974894c-5991-4b19-aaf5-7cc2fe298c5d","atomic_attack_name":"Get-DomainTrust with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Get-DomainTrust with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml"},{"rule_name":"Get-ForestTrust with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml"}]},{"tech_id":"T1482","test_number":7,"atomic_attack_guid":"58ed10e8-0738-4651-8408-3a3e9a526279","atomic_attack_name":"Get-ForestTrust with PowerView","platform":"windows","sigma_rules":[{"rule_name":"Malicious PowerShell Commandlets - 
ScriptBlock","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"},{"rule_name":"Malicious PowerShell Commandlets - PoshModule","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"},{"rule_name":"HackTool - SharpView Execution","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"},{"rule_name":"Malicious PowerShell Commandlets - ProcessCreation","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"}],"splunk_rules":[{"rule_name":"Get-DomainTrust with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_domaintrust_with_powershell_script_block.yml"},{"rule_name":"Get-ForestTrust with PowerShell Script Block","rule_link":"https://raw.githubusercontent.com/splunk/security_content/master/detections/endpoint/get_foresttrust_with_powershell_script_block.yml"}]},{"tech_id":"T1484.001","test_number":1,"atomic_attack_guid":"9ab80952-74ee-43da-a98c-1e740a985f28","atomic_attack_name":"LockBit Black - Modify Group policy settings -cmd","platform":"windows","sigma_rules":[{"rule_name":"Modify Group Policy Settings - ScriptBlockLogging","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml"},{"rule_name":"Modify Group Policy Settings","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml"}],"splunk_rules":[]},{"tech_id":"T1484.001","test_number":2,"atomic_attack_guid":"b51eae65-5441-4789-b8e8-64783c26c1d1","atomic_attack_name":"LockBit Black - Modify 
Group policy settings -Powershell","platform":"windows","sigma_rules":[{"rule_name":"Modify Group Policy Settings - ScriptBlockLogging","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml"}],"splunk_rules":[]},{"tech_id":"T1490","test_number":13,"atomic_attack_guid":"42111a6f-7e7f-482c-9b1b-3cfd090b999c","atomic_attack_name":"Windows - Delete Volume Shadow Copies via Diskshadow","platform":"windows","sigma_rules":[{"rule_name":"Shadow Copies Deletion Using Operating Systems Utilities","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"}],"splunk_rules":[]},{"tech_id":"T1491.001","test_number":1,"atomic_attack_guid":"30558d53-9d76-41c4-9267-a7bd5184bed3","atomic_attack_name":"Replace Desktop Wallpaper","platform":"windows","sigma_rules":[{"rule_name":"Replace Desktop Wallpaper by Powershell","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml"}],"splunk_rules":[]},{"tech_id":"T1497.001","test_number":3,"atomic_attack_guid":"502a7dc4-9d6f-4d28-abf2-f0e84692562d","atomic_attack_name":"Detect Virtualization Environment (Windows)","platform":"windows","sigma_rules":[{"rule_name":"Powershell Detect Virtualization Environment","rule_link":"https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"}],"splunk_rules":[]}]