| ID | Detection Strategy | Technique |
|---|---|---|
| DET0186 | Automated File and API Collection Detection Across Platforms | T1119 |
| DET0088 | Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) | T1518.002 |
| DET0496 | Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) | T1219 |
| DET0556 | Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) | T1127.001 |
| DET0585 | Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) | T1127.003 |
| DET0151 | Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery | T1124 |
| DET0197 | Behavior-chain, platform-aware detection strategy for T1125 Video Capture | T1125 |
| DET0172 | Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) | T1127 |
| DET0018 | Behavior-chain, platform-aware detection strategy for T1129 Shared Modules | T1129 |
| DET0537 | Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) | T1195 |
| DET0590 | Behavioral Detection of External Website Defacement across Platforms | T1491.002 |
| DET0378 | Behavioral Detection of Obfuscated Files or Information | T1027 |
| DET0106 | Behavioral Detection of PE Injection via Remote Memory Mapping | T1055.002 |
| DET0231 | Behavioral Detection of Systemd Timer Abuse for Scheduled Execution | T1053.006 |
| DET0131 | Behavioral Detection Strategy for Exfiltration Over Alternative Protocol | T1048 |
| DET0221 | Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS | T1123 |
| DET0274 | Boot or Logon Autostart Execution Detection Strategy | T1547 |
| DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | T1195.002 |
| DET0085 | Credential Dumping from SAM via Registry Dump and Local File Access | T1003.002 |
| DET0090 | Cross-host C2 via Removable Media Relay | T1092 |
| DET0094 | Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse | T1053 |
| DET0238 | Defacement via File and Web Content Modification Across Platforms | T1491 |
| DET0122 | Detect Abuse of Windows Time Providers for Persistence | T1547.003 |
| DET0381 | Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL | T1552.006 |
| DET0385 | Detect Access and Parsing of .bash_history Files for Credential Harvesting | T1552.003 |
| DET0412 | Detect Access or Search for Unsecured Credentials Across Platforms | T1552 |
| DET0307 | Detect Access to Unsecured Credential Files Across Platforms | T1552.001 |
| DET0275 | Detect Adversary Deobfuscation or Decoding of Files and Payloads | T1140 |
| DET0526 | Detect Archiving and Encryption of Collected Data (T1560) | T1560 |
| DET0438 | Detect Archiving via Custom Method (T1560.003) | T1560.003 |
| DET0268 | Detect Archiving via Library (T1560.002) | T1560.002 |
| DET0298 | Detect Archiving via Utility (T1560.001) | T1560.001 |
| DET0336 | Detect Compromise of Host Software Binaries | T1554 |
| DET0022 | Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM | T1187 |
| DET0060 | Detect Ingress Tool Transfers via Behavioral Chain | T1105 |
| DET0047 | Detect Local Email Collection via Outlook Data File Access and Command Line Tooling | T1114.001 |
| DET0561 | Detect malicious IDE extension install/usage and IDE tunneling | T1176.002 |
| DET0472 | Detect Malicious Password Filter DLL Registration | T1556.002 |
| DET0257 | Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files | T1553.005 |
| DET0429 | Detect Modification of macOS Startup Items | T1037.005 |
| DET0580 | Detect Network Provider DLL Registration and Credential Capture | T1556.008 |
| DET0398 | Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks | T1137 |
| DET0050 | Detect Persistence via Malicious Office Add-ins | T1137.006 |
| DET0519 | Detect Persistence via Office Template Macro Injection or Registry Hijack | T1137.001 |
| DET0315 | Detect Persistence via Office Test Registry DLL Injection | T1137.002 |
| DET0365 | Detect Registry and Startup Folder Persistence (Windows) | T1547.001 |
| DET0452 | Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation | T1553 |
| DET0549 | Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms | T1552.004 |
| DET0225 | Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) | T1547.008 |
| DET0069 | Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) | T1200 |
| DET0361 | Detecting .NET COM Registration Abuse via Regsvcs/Regasm | T1218.009 |
| DET0433 | Detecting Code Injection via mavinject.exe (App-V Injector) | T1218.013 |
| DET0025 | Detecting Electron Application Abuse for Proxy Execution | T1218.015 |
| DET0044 | Detecting Malicious Browser Extensions Across Platforms | T1176.001 |
| DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | T1218.014 |
| DET0506 | Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation | T1218.005 |
| DET0235 | Detecting Steganographic Command and Control via File + Network Correlation | T1001.002 |
| DET0554 | Detection of Bluetooth-Based Data Exfiltration | T1011.001 |
| DET0363 | Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence | T1003.001 |
| DET0480 | Detection of Credential Harvesting via Web Portal Modification | T1056.003 |
| DET0146 | Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns | T1485 |
| DET0123 | Detection of Data Exfiltration via Removable Media | T1052 |
| DET0014 | Detection of Data Staging Prior to Exfiltration | T1074 |
| DET0782 | Detection of Drive-by Compromise | T0817 |
| DET0077 | Detection of Exfiltration Over Alternate Network Interfaces | T1011 |
| DET0305 | Detection of Group Policy Modifications via AD Object Changes and File Activity | T1484.001 |
| DET0377 | Detection of Kernel/User-Level Rootkit Behavior Across Platforms | T1014 |
| DET0745 | Detection of Lateral Tool Transfer | T0867 |
| DET0434 | Detection of Launch Agent Creation or Modification on macOS | T1543.001 |
| DET0013 | Detection of Local Browser Artifact Access for Reconnaissance | T1217 |
| DET0380 | Detection of Local Data Collection Prior to Exfiltration | T1005 |
| DET0261 | Detection of Local Data Staging Prior to Exfiltration | T1074.001 |
| DET0138 | Detection of Malicious Code Execution via InstallUtil.exe | T1218.004 |
| DET0194 | Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 | T1218.002 |
| DET0092 | Detection of Malicious or Unauthorized Software Extensions | T1176 |
| DET0328 | Detection of Malicious Profile Installation via CMSTP.exe | T1218.003 |
| DET0439 | Detection of Malware Relocation via Suspicious File Movement | T1070.010 |
| DET0215 | Detection of Multi-Platform File Encryption for Impact | T1486 |
| DET0132 | Detection of Mutex-Based Execution Guardrails Across Platforms | T1480.002 |
| DET0586 | Detection of NTDS.dit Credential Dumping from Domain Controllers | T1003.003 |
| DET0071 | Detection of Remote Data Staging Prior to Exfiltration | T1074.002 |
| DET0733 | Detection of Replication Through Removable Media | T0847 |
| DET0466 | Detection of Script-Based Proxy Execution via Signed Microsoft Utilities | T1216 |
| DET0781 | Detection of Spearphishing Attachment | T0865 |
| DET0342 | Detection of Suspicious Compiled HTML File Execution via hh.exe | T1218.001 |
| DET0441 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | T1053.005 |
| DET0253 | Detection of Systemd Service Creation or Modification on Linux | T1543.002 |
| DET0471 | Detection of Tainted Content Written to Shared Storage | T1080 |
| DET0220 | Detection of USB-Based Data Exfiltration | T1052.001 |
| DET0033 | Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification | T1546.008 |
| DET0017 | Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) | T1546.011 |
| DET0332 | Detection Strategy for AutoHotKey & AutoIT Abuse | T1059.010 |
| DET0428 | Detection Strategy for Bind Mounts on Linux | T1564.013 |
| DET0237 | Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts | T1037.004 |
| DET0501 | Detection Strategy for Compile After Delivery - Source Code to Executable Transformation | T1027.004 |
| DET0281 | Detection Strategy for Compressed Payload Creation and Execution | T1027.015 |
| DET0349 | Detection Strategy for Content Injection | T1659 |
| DET0410 | Detection Strategy for Data from Network Shared Drive | T1039 |
| DET0059 | Detection Strategy for Data Manipulation | T1565 |
| DET0366 | Detection Strategy for Double File Extension Masquerading | T1036.007 |
| DET0355 | Detection Strategy for Email Bombing | T1667 |
| DET0214 | Detection Strategy for Embedded Payloads | T1027.009 |
| DET0219 | Detection Strategy for Escape to Host | T1611 |
| DET0555 | Detection Strategy for Event Triggered Execution via emond on macOS | T1546.014 |
| DET0548 | Detection Strategy for Exfiltration Over Web Service | T1567 |
| DET0150 | Detection Strategy for File Creation or Modification of Boot Files | T1542.003 |
| DET0051 | Detection Strategy for File/Path Exclusions | T1564.012 |
| DET0344 | Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory | T1027.011 |
| DET0171 | Detection Strategy for Forged Web Cookies | T1606.001 |
| DET0502 | Detection Strategy for Hidden Artifacts Across Platforms | T1564 |
| DET0032 | Detection Strategy for Hidden Files and Directories | T1564.001 |
| DET0321 | Detection Strategy for Hidden Virtual Instance Execution | T1564.006 |
| DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | T1574 |
| DET0201 | Detection Strategy for Hijack Execution Flow for DLLs | T1574.001 |
| DET0064 | Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path | T1574.009 |
| DET0436 | Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. | T1574.010 |
| DET0517 | Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. | T1574.014 |
| DET0038 | Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness | T1574.005 |
| DET0004 | Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. | T1574.007 |
| DET0564 | Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking | T1574.008 |
| DET0479 | Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. | T1574.012 |
| DET0152 | Detection Strategy for Hijack Execution Flow: Dylib Hijacking | T1574.004 |
| DET0435 | Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 |
| DET0313 | Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop | T1027.006 |
| DET0189 | Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification | T1027.005 |
| DET0322 | Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns | T1027.016 |
| DET0450 | Detection Strategy for Kernel Modules and Extensions Autostart Execution | T1547.006 |
| DET0183 | Detection Strategy for Lateral Tool Transfer across OS platforms | T1570 |
| DET0401 | Detection Strategy for Launch Daemon Creation or Modification (macOS) | T1543.004 |
| DET0101 | Detection Strategy for Lua Scripting Abuse | T1059.011 |
| DET0226 | Detection Strategy for Masquerading via File Type Modification | T1036.008 |
| DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | T1036.005 |
| DET0432 | Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) | T1564.004 |
| DET0553 | Detection Strategy for Obfuscated Files or Information: Binary Padding | T1027.001 |
| DET0070 | Detection Strategy for Phishing across platforms. | T1566 |
| DET0324 | Detection Strategy for Polymorphic Code Mutation and Execution | T1027.014 |
| DET0451 | Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification | T1546.013 |
| DET0544 | Detection Strategy for Process Doppelgänging on Windows | T1055.013 |
| DET0391 | Detection Strategy for Runtime Data Manipulation. | T1565.003 |
| DET0236 | Detection Strategy for Spearphishing Attachment across OS Platforms | T1566.001 |
| DET0115 | Detection Strategy for Spearphishing via a Service across OS Platforms | T1566.003 |
| DET0193 | Detection Strategy for Stored Data Manipulation across OS Platforms. | T1565.001 |
| DET0019 | Detection Strategy for Stripped Payloads Across Platforms | T1027.008 |
| DET0510 | Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior | T1027.017 |
| DET0475 | Detection Strategy for T1218.011 Rundll32 Abuse | T1218.011 |
| DET0166 | Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) | T1505.002 |
| DET0068 | Detection Strategy for T1505.004 - Malicious IIS Components | T1505.004 |
| DET0212 | Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) | T1505.005 |
| DET0278 | Detection Strategy for T1542 Pre-OS Boot | T1542 |
| DET0099 | Detection Strategy for T1542.001 Pre-OS Boot: System Firmware | T1542.001 |
| DET0330 | Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages | T1546.016 |
| DET0180 | Detection Strategy for T1547.009 – Shortcut Modification (Windows) | T1547.009 |
| DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | T1547.010 |
| DET0012 | Detection Strategy for VBA Stomping | T1564.007 |
| DET0176 | Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) | T1189 |
| DET0287 | Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) | T1203 |
| DET0118 | Exploitation of Remote Services – multi-platform lateral movement detection | T1210 |
| DET0133 | IDE Tunneling Detection via Process, File, and Network Behaviors | T1219.001 |
| DET0200 | Indirect Command Execution – Windows utility abuse behavior chain | T1202 |
| DET0082 | Internal Website and System Content Defacement via UI or Messaging Modifications | T1491.001 |
| DET0390 | Linux Detection Strategy for T1547.013 - XDG Autostart Entries | T1547.013 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0299 | Multi-Platform File and Directory Permissions Modification Detection Strategy | T1222 |
| DET0105 | Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools | T1110.002 |
| DET0370 | Recursive Enumeration of Files and Directories Across Privilege Contexts | T1083 |
| DET0259 | Remote Desktop Software Execution and Beaconing Detection | T1219.002 |
| DET0301 | Removable Media Execution Chain Detection via File and Process Activity | T1091 |
| DET0005 | Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path | T1036.003 |
| DET0009 | Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) | T1195.001 |
| DET0242 | Suspicious Database Access and Dump Activity Across Environments (T1213.006) | T1213.006 |
| DET0340 | User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 | T1204.004 |
| DET0294 | User Execution – Malicious File via download/open → spawn chain (T1204.002) | T1204.002 |
| DET0066 | User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) | T1204.001 |
| DET0478 | User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) | T1204 |
| DET0252 | User-Initiated Malicious Library Installation via Package Manager (T1204.005) | T1204.005 |
| DET0394 | Web Shell Detection via Server Behavior and File Execution Chains | T1505.003 |
| DET0418 | Windows DACL Manipulation Behavioral Chain Detection Strategy | T1222.001 |
| DET0026 | Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence | T1547.012 |