| ID | Detection Strategy | Technique |
| --- | --- | --- |
| DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | T1195.002 |
| DET0225 | Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) | T1547.008 |
| DET0069 | Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) | T1200 |
| DET0377 | Detection of Kernel/User-Level Rootkit Behavior Across Platforms | T1014 |
| DET0552 | Detection of Windows Service Creation or Modification | T1543.003 |
| DET0316 | Detection Strategy for Disk Content Wipe via Direct Access and Overwrite | T1561.001 |
| DET0297 | Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite | T1561.002 |
| DET0137 | Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands | T1561 |
| DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068 |
| DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | T1111 |
| DET0323 | Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware | T1542.002 |
| DET0167 | Firmware Modification via Flash Tool or Corrupted Firmware Upload | T1495 |
| DET0368 | Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks | T1195.003 |
| DET0162 | Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) | T1205.002 |