| ID | Name | Technique |
| --- | --- | --- |
| DET0455 | Abuse of PowerShell for Arbitrary Execution | T1059.001 |
| DET0556 | Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) | T1127.001 |
| DET0191 | Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows) | T1127.002 |
| DET0151 | Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery | T1124 |
| DET0197 | Behavior-chain, platform-aware detection strategy for T1125 Video Capture | T1125 |
| DET0172 | Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) | T1127 |
| DET0018 | Behavior-chain, platform-aware detection strategy for T1129 Shared Modules | T1129 |
| DET0537 | Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) | T1195 |
| DET0389 | Behavioral Detection of DLL Injection via Windows API | T1055.001 |
| DET0529 | Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls | T1106 |
| DET0508 | Behavioral Detection of Process Injection Across Platforms | T1055 |
| DET0076 | Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript) | T1059.005 |
| DET0202 | Behavioral Detection of Windows Command Shell Execution | T1059.003 |
| DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | T1195.002 |
| DET0264 | Cross-Platform Detection of JavaScript Execution Abuse | T1059.007 |
| DET0224 | Detect Abuse of Component Object Model (T1559.001) | T1559.001 |
| DET0504 | Detect Abuse of Dynamic Data Exchange (T1559.002) | T1559.002 |
| DET0122 | Detect Abuse of Windows Time Providers for Persistence | T1547.003 |
| DET0526 | Detect Archiving and Encryption of Collected Data (T1560) | T1560 |
| DET0268 | Detect Archiving via Library (T1560.002) | T1560.002 |
| DET0298 | Detect Archiving via Utility (T1560.001) | T1560.001 |
| DET0507 | Detect browser session hijacking via privilege, handle access, and remote thread into browsers | T1185 |
| DET0336 | Detect Compromise of Host Software Binaries | T1554 |
| DET0271 | Detect Domain Controller Authentication Process Modification (Skeleton Key) | T1556.001 |
| DET0293 | Detect Hybrid Identity Authentication Process Modification | T1556.007 |
| DET0207 | Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load | T1547.002 |
| DET0472 | Detect Malicious Password Filter DLL Registration | T1556.002 |
| DET0104 | Detect Modification of Authentication Processes Across Platforms | T1556 |
| DET0580 | Detect Network Provider DLL Registration and Credential Capture | T1556.008 |
| DET0095 | Detect Persistence via Malicious Outlook Rules | T1137.005 |
| DET0315 | Detect Persistence via Office Test Registry DLL Injection | T1137.002 |
| DET0029 | Detect Persistence via Outlook Custom Forms Triggered by Malicious Email | T1137.003 |
| DET0177 | Detect Persistence via Outlook Home Page Exploitation | T1137.004 |
| DET0346 | Detect Screen Capture via Commands and API Calls | T1113 |
| DET0230 | Detect Suspicious or Malicious Code Signing Abuse | T1553.002 |
| DET0141 | Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution | T1497.003 |
| DET0225 | Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) | T1547.008 |
| DET0069 | Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) | T1200 |
| DET0404 | Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows | T1547.004 |
| DET0086 | Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation | T1546.003 |
| DET0205 | Detect XSL Script Abuse via msxsl and wmic | T1220 |
| DET0361 | Detecting .NET COM Registration Abuse via Regsvcs/Regasm | T1218.009 |
| DET0433 | Detecting Code Injection via mavinject.exe (App-V Injector) | T1218.013 |
| DET0025 | Detecting Electron Application Abuse for Proxy Execution | T1218.015 |
| DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | T1218.014 |
| DET0486 | Detecting Odbcconf Proxy Execution of Malicious DLLs | T1218.008 |
| DET0440 | Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse | T1216.002 |
| DET0528 | Detecting Remote Script Proxy Execution via PubPrn.vbs | T1216.001 |
| DET0139 | Detection of Credential Harvesting via API Hooking | T1056.004 |
| DET0007 | Detection of Domain Trust Discovery via API, Script, and CLI Enumeration | T1482 |
| DET0772 | Detection of Graphical User Interface | T0823 |
| DET0377 | Detection of Kernel/User-Level Rootkit Behavior Across Platforms | T1014 |
| DET0437 | Detection of LSA Secrets Dumping via Registry and Memory Extraction | T1003.004 |
| DET0138 | Detection of Malicious Code Execution via InstallUtil.exe | T1218.004 |
| DET0194 | Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 | T1218.002 |
| DET0158 | Detection of Msiexec Abuse for Local, Network, and DLL Execution | T1218.007 |
| DET0081 | Detection of Proxy Execution via Trusted Signed Binaries Across Platforms | T1218 |
| DET0804 | Detection of Remote Services | T0886 |
| DET0466 | Detection of Script-Based Proxy Execution via Signed Microsoft Utilities | T1216 |
| DET0735 | Detection of Scripting | T0853 |
| DET0342 | Detection of Suspicious Compiled HTML File Execution via hh.exe | T1218.001 |
| DET0362 | Detection Strategy for AppCert DLLs Persistence via Registry Injection | T1546.009 |
| DET0017 | Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) | T1546.011 |
| DET0091 | Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups | T1027.007 |
| DET0273 | Detection Strategy for Encrypted Channel across OS Platforms | T1573 |
| DET0543 | Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms | T1573.002 |
| DET0143 | Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms | T1573.001 |
| DET0557 | Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) | T1546.010 |
| DET0595 | Detection Strategy for Exploitation for Defense Evasion | T1211 |
| DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068 |
| DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | T1574 |
| DET0201 | Detection Strategy for Hijack Execution Flow for DLLs | T1574.001 |
| DET0517 | Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. | T1574.014 |
| DET0038 | Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness | T1574.005 |
| DET0479 | Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. | T1574.012 |
| DET0152 | Detection Strategy for Hijack Execution Flow: Dylib Hijacking | T1574.004 |
| DET0435 | Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 |
| DET0216 | Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS | T1546.006 |
| DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | T1036.005 |
| DET0575 | Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) | T1546.007 |
| DET0324 | Detection Strategy for Polymorphic Code Mutation and Execution | T1027.014 |
| DET0300 | Detection Strategy for Reflective Code Loading | T1620 |
| DET0181 | Detection Strategy for SQL Stored Procedures Abuse via T1505.001 | T1505.001 |
| DET0442 | Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. | T1553.003 |
| DET0282 | Detection Strategy for System Binary Proxy Execution: Regsvr32 | T1218.010 |
| DET0475 | Detection Strategy for T1218.011 Rundll32 Abuse | T1218.011 |
| DET0042 | Detection Strategy for T1218.012 Verclsid Abuse | T1218.012 |
| DET0046 | Detection Strategy for T1497 Virtualization/Sandbox Evasion | T1497 |
| DET0166 | Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) | T1505.002 |
| DET0068 | Detection Strategy for T1505.004 - Malicious IIS Components | T1505.004 |
| DET0212 | Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) | T1505.005 |
| DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | T1547.010 |
| DET0388 | Detection Strategy for T1548.002 – Bypass User Account Control (UAC) | T1548.002 |
| DET0352 | Detection Strategy for T1550.003 - Pass the Ticket (Windows) | T1550.003 |
| DET0467 | Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing | T1055.005 |
| DET0448 | Detection Strategy for VDSO Hijacking on Linux | T1055.014 |
| DET0339 | Detection Strategy for Weaken Encryption on Network Devices | T1600 |
| DET0087 | Encrypted or Encoded File Payload Detection Strategy | T1027.013 |
| DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001 |
| DET0080 | Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress) | T1190 |
| DET0118 | Exploitation of Remote Services – multi-platform lateral movement detection | T1210 |
| DET0368 | Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks | T1195.003 |
| DET0285 | Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution | T1021.003 |
| DET0372 | Multi-Platform Detection Strategy for T1678 - Delay Execution | T1678 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0542 | Registry and LSASS Monitoring for Security Support Provider Abuse | T1547.005 |
| DET0016 | Security Software Discovery Across Platforms | T1518.001 |
| DET0162 | Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) | T1205.002 |
| DET0009 | Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) | T1195.001 |
| DET0168 | Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS | T1497.001 |
| DET0481 | Windows COM Hijacking Detection via Registry and DLL Load Correlation | T1546.015 |
| DET0026 | Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence | T1547.012 |