| DET0088 | Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) | T1518.002 |
| DET0280 | Behavior-Based Registry Modification Detection on Windows | T1112 |
| DET0496 | Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) | T1219 |
| DET0329 | Behavioral Detection for T1490 - Inhibit System Recovery | T1490 |
| DET0010 | Behavioral Detection of Event Triggered Execution Across Platforms | T1546 |
| DET0184 | Behavioral Detection of Indicator Removal Across Platforms | T1070 |
| DET0089 | Behavioral Detection of Keylogging Activity Across Platforms | T1056.001 |
| DET0049 | Behavioral Detection of Network History and Configuration Tampering | T1070.007 |
| DET0274 | Boot or Logon Autostart Execution Detection Strategy | T1547 |
| DET0112 | Boot or Logon Initialization Scripts Detection Strategy | T1037 |
| DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | T1195.002 |
| DET0085 | Credential Dumping from SAM via Registry Dump and Local File Access | T1003.002 |
| DET0122 | Detect Abuse of Windows Time Providers for Persistence | T1547.003 |
| DET0412 | Detect Access or Search for Unsecured Credentials Across Platforms | T1552 |
| DET0312 | Detect Active Setup Persistence via StubPath Execution | T1547.014 |
| DET0296 | Detect Adversary-in-the-Middle via Network and Configuration Anomalies | T1557 |
| DET0523 | Detect Code Signing Policy Modification (Windows & macOS) | T1553.006 |
| DET0250 | Detect Credential Discovery via Windows Registry Enumeration | T1552.002 |
| DET0061 | Detect Default File Association Hijack via Registry & Execution Correlation on Windows | T1546.001 |
| DET0187 | Detect disabled Windows event logging | T1562.002 |
| DET0462 | Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows | T1557.001 |
| DET0207 | Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load | T1547.002 |
| DET0472 | Detect Malicious Password Filter DLL Registration | T1556.002 |
| DET0104 | Detect Modification of Authentication Processes Across Platforms | T1556 |
| DET0580 | Detect Network Provider DLL Registration and Credential Capture | T1556.008 |
| DET0398 | Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks | T1137 |
| DET0050 | Detect Persistence via Malicious Office Add-ins | T1137.006 |
| DET0519 | Detect Persistence via Office Template Macro Injection or Registry Hijack | T1137.001 |
| DET0315 | Detect Persistence via Office Test Registry DLL Injection | T1137.002 |
| DET0365 | Detect Registry and Startup Folder Persistence (Windows) | T1547.001 |
| DET0154 | Detect Screensaver-Based Persistence via Registry and Execution Chains | T1546.002 |
| DET0452 | Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation | T1553 |
| DET0225 | Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) | T1547.008 |
| DET0404 | Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows | T1547.004 |
| DET0361 | Detecting .NET COM Registration Abuse via Regsvcs/Regasm | T1218.009 |
| DET0350 | Detecting Downgrade Attacks | T1562.010 |
| DET0044 | Detecting Malicious Browser Extensions Across Platforms | T1176.001 |
| DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | T1218.014 |
| DET0764 | Detection of Adversary-in-the-Middle | T0830 |
| DET0363 | Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence | T1003.001 |
| DET0145 | Detection of Disabled or Modified System Firewalls across OS Platforms. | T1562.004 |
| DET0497 | Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. | T1562.001 |
| DET0750 | Detection of Indicator Removal on Host | T0872 |
| DET0092 | Detection of Malicious or Unauthorized Software Extensions | T1176 |
| DET0328 | Detection of Malicious Profile Installation via CMSTP.exe | T1218.003 |
| DET0040 | Detection of Persistence Artifact Removal Across Host Platforms | T1070.009 |
| DET0209 | Detection of Registry Query for Environmental Discovery | T1012 |
| DET0765 | Detection of Service Stop | T0881 |
| DET0746 | Detection of Spoof Reporting Message | T0856 |
| DET0441 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | T1053.005 |
| DET0571 | Detection of System Process Creation or Modification Across Platforms | T1543 |
| DET0552 | Detection of Windows Service Creation or Modification | T1543.003 |
| DET0345 | Detection Strategy for Abuse Elevation Control Mechanism (T1548) | T1548 |
| DET0033 | Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification | T1546.008 |
| DET0362 | Detection Strategy for AppCert DLLs Persistence via Registry Injection | T1546.009 |
| DET0017 | Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) | T1546.011 |
| DET0579 | Detection Strategy for Device Driver Discovery | T1652 |
| DET0557 | Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) | T1546.010 |
| DET0344 | Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory | T1027.011 |
| DET0502 | Detection Strategy for Hidden Artifacts Across Platforms | T1564 |
| DET0461 | Detection Strategy for Hidden File System Abuse | T1564.005 |
| DET0353 | Detection Strategy for Hidden User Accounts | T1564.002 |
| DET0321 | Detection Strategy for Hidden Virtual Instance Execution | T1564.006 |
| DET0128 | Detection Strategy for Hidden Windows | T1564.003 |
| DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | T1574 |
| DET0201 | Detection Strategy for Hijack Execution Flow for DLLs | T1574.001 |
| DET0064 | Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path | T1574.009 |
| DET0427 | Detection Strategy for Hijack Execution Flow through Service Registry Permission Weakness. | T1574.011 |
| DET0004 | Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. | T1574.007 |
| DET0479 | Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. | T1574.012 |
| DET0422 | Detection Strategy for IFEO Injection on Windows | T1546.012 |
| DET0317 | Detection Strategy for Impair Defenses Across Platforms | T1562 |
| DET0239 | Detection Strategy for Impair Defenses Indicator Blocking | T1562.006 |
| DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | T1111 |
| DET0575 | Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) | T1546.007 |
| DET0391 | Detection Strategy for Runtime Data Manipulation. | T1565.003 |
| DET0116 | Detection Strategy for Safe Mode Boot Abuse | T1562.009 |
| DET0442 | Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. | T1553.003 |
| DET0056 | Detection Strategy for Subvert Trust Controls via Install Root Certificate. | T1553.004 |
| DET0279 | Detection Strategy for System Services across OS platforms. | T1569 |
| DET0421 | Detection Strategy for System Services Service Execution | T1569.002 |
| DET0042 | Detection Strategy for T1218.012 Verclsid Abuse | T1218.012 |
| DET0212 | Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) | T1505.005 |
| DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | T1547.010 |
| DET0388 | Detection Strategy for T1548.002 – Bypass User Account Control (UAC) | T1548.002 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0542 | Registry and LSASS Monitoring for Security Support Provider Abuse | T1547.005 |
| DET0009 | Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) | T1195.001 |
| DET0481 | Windows COM Hijacking Detection via Registry and DLL Load Correlation | T1546.015 |
| DET0026 | Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence | T1547.012 |