{"framework":"cri-profile","framework_label":"CRI Profile","controls":[{"control_id":"DE.AE-02.01","title":"Event analysis and detection","family":"DE.AE","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":81,"detectable_count":57,"coverage_pct":70,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-01.01","title":"Intrusion detection and prevention","family":"DE.CM","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":41,"detectable_count":30,"coverage_pct":73,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-01.02","title":"Network traffic volume monitoring","family":"DE.CM","techniques":[{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":4,"coverage_pct":50,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-01.03","title":"Unauthorized network connections and data transfers","family":"DE.CM","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"}],"technique_count":14,"detectable_count":11,"coverage_pct":78,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-01.04","title":"Unauthorized device connection","family":"DE.CM","techniques":[{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"}],"technique_count":3,"detectable_count":1,"coverage_pct":33,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-01.05","title":"Website and service blocking","family":"DE.CM","techniques":[{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555.003","name":"Credentials from Web Browsers","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":20,"coverage_pct":90,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-03.03","title":"Privileged account monitoring","family":"DE.CM","techniques":[{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"}],"technique_count":41,"detectable_count":29,"coverage_pct":70,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-06.02","title":"Third-party access monitoring","family":"DE.CM","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"}],"technique_count":73,"detectable_count":57,"coverage_pct":78,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-09.01","title":"Software and data integrity checking","family":"DE.CM","techniques":[{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"}],"technique_count":46,"detectable_count":31,"coverage_pct":67,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-09.02","title":"Hardware integrity checking","family":"DE.CM","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.002","name":"Component Firmware","detectable":false},{"id":"T1600.002","name":"Disable Crypto Hardware","detectable":false},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"}],"technique_count":8,"detectable_count":4,"coverage_pct":50,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"DE.CM-09.03","title":"Unauthorized software, hardware, or configuration changes","family":"DE.CM","techniques":[{"id":"T1542.002","name":"Component Firmware","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"DE"},{"control_id":"EX.DD-04.01","title":"Third-party systems and software evaluation","family":"EX.DD","techniques":[{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1542.002","name":"Component Firmware","detectable":false},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":8,"coverage_pct":80,"has_mapping":true,"is_enhancement":true,"base_control_id":"EX"},{"control_id":"EX.MM-01.01","title":"Third-party monitoring and management resources","family":"EX.MM","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"}],"technique_count":11,"detectable_count":6,"coverage_pct":54,"has_mapping":true,"is_enhancement":true,"base_control_id":"EX"},{"control_id":"ID.AM-08.03","title":"Data governance and lifecycle management","family":"ID.AM","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":25,"detectable_count":17,"coverage_pct":68,"has_mapping":true,"is_enhancement":true,"base_control_id":"ID"},{"control_id":"ID.AM-08.05","title":"Data destruction procedures","family":"ID.AM","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":25,"detectable_count":17,"coverage_pct":68,"has_mapping":true,"is_enhancement":true,"base_control_id":"ID"},{"control_id":"ID.IM-02.06","title":"Accurate data recovery","family":"ID.IM","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":15,"detectable_count":9,"coverage_pct":60,"has_mapping":true,"is_enhancement":true,"base_control_id":"ID"},{"control_id":"ID.RA-01.03","title":"Vulnerability management","family":"ID.RA","techniques":[{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"}],"technique_count":11,"detectable_count":11,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"ID"},{"control_id":"PR.AA-01.01","title":"Identity and credential management","family":"PR.AA","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1654","name":"Log Enumeration","detectable":false},{"id":"T1657","name":"Financial Theft","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1006","name":"Direct Volume Access","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.001","name":"Group Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.011","name":"Application Shimming","detectable":true,"detections":"Sigma"},{"id":"T1547","name":"Boot or Logon Autostart Execution","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.001","name":"Keychain","detectable":true,"detections":"Sigma"},{"id":"T1555.003","name":"Credentials from Web Browsers","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":175,"detectable_count":126,"coverage_pct":72,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-01.02","title":"Physical and logical access","family":"PR.AA","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1657","name":"Financial Theft","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1006","name":"Direct Volume Access","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555.003","name":"Credentials from Web Browsers","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":52,"detectable_count":40,"coverage_pct":76,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-02.01","title":"Authentication of identity","family":"PR.AA","techniques":[{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1586.003","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":24,"detectable_count":20,"coverage_pct":83,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-03.01","title":"Authentication requirements","family":"PR.AA","techniques":[{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1593.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":52,"detectable_count":40,"coverage_pct":76,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-03.03","title":"Email verification mechanisms","family":"PR.AA","techniques":[{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":6,"coverage_pct":60,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-04.01","title":"Access control within and across security perimeters","family":"PR.AA","techniques":[{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"}],"technique_count":5,"detectable_count":5,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-05.01","title":"Access privilege limitation","family":"PR.AA","techniques":[{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.011","name":"Services Registry Permissions Weakness","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":31,"detectable_count":28,"coverage_pct":90,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-05.02","title":"Privileged system access","family":"PR.AA","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1056","name":"Input Capture","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547","name":"Boot or Logon Autostart Execution","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":130,"detectable_count":98,"coverage_pct":75,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-05.03","title":"Service accounts","family":"PR.AA","techniques":[{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":18,"coverage_pct":81,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.AA-05.04","title":"Third-party access management","family":"PR.AA","techniques":[{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-01.01","title":"Data-at-rest protection","family":"PR.DS","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":11,"coverage_pct":91,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-01.02","title":"Data loss prevention","family":"PR.DS","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"}],"technique_count":11,"detectable_count":5,"coverage_pct":45,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-01.03","title":"Removable media protection","family":"PR.DS","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":2,"coverage_pct":50,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-02.01","title":"Data-in-transit protection","family":"PR.DS","techniques":[{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":6,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-10.01","title":"Data-in-use protection","family":"PR.DS","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":17,"detectable_count":12,"coverage_pct":70,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.DS-11.01","title":"Data backup and replication","family":"PR.DS","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":9,"detectable_count":7,"coverage_pct":77,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.01","title":"Network segmentation","family":"PR.IR","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":40,"detectable_count":33,"coverage_pct":82,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.02","title":"Network device configurations","family":"PR.IR","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":39,"detectable_count":29,"coverage_pct":74,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.03","title":"Network communications integrity and availability","family":"PR.IR","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1205.002","name":"Socket Filters","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":95,"detectable_count":67,"coverage_pct":70,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.04","title":"Wireless network protection","family":"PR.IR","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":20,"detectable_count":17,"coverage_pct":85,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.05","title":"Remote access protection","family":"PR.IR","techniques":[{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.001","name":"Group Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":75,"detectable_count":53,"coverage_pct":70,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.06","title":"Production environment segregation","family":"PR.IR","techniques":[{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":78,"detectable_count":66,"coverage_pct":84,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-01.08","title":"End-user device access","family":"PR.IR","techniques":[{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1006","name":"Direct Volume Access","detectable":true,"detections":"Sigma"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"}],"technique_count":19,"detectable_count":13,"coverage_pct":68,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-03.01","title":"Alternative resilience mechanisms","family":"PR.IR","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":23,"detectable_count":13,"coverage_pct":56,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-04.01","title":"Utilization monitoring","family":"PR.IR","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":36,"detectable_count":30,"coverage_pct":83,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.IR-04.02","title":"Availability and capacity management","family":"PR.IR","techniques":[{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":7,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.01","title":"Configuration baselines","family":"PR.PS","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":89,"detectable_count":60,"coverage_pct":67,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.02","title":"Least functionality","family":"PR.PS","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":71,"detectable_count":48,"coverage_pct":67,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.03","title":"Configuration deviation","family":"PR.PS","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":101,"detectable_count":70,"coverage_pct":69,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.04","title":"Time services and synchronization","family":"PR.PS","techniques":[{"id":"T1497.003","name":"Time Based Checks","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1070.006","name":"Timestomp","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":2,"coverage_pct":50,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.05","title":"Encryption standards","family":"PR.PS","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":28,"detectable_count":17,"coverage_pct":60,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.06","title":"Encryption management practices","family":"PR.PS","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":28,"detectable_count":17,"coverage_pct":60,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.07","title":"Cryptographic keys and certificates","family":"PR.PS","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1547","name":"Boot or Logon Autostart Execution","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":78,"detectable_count":56,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.08","title":"End-user device protection","family":"PR.PS","techniques":[{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1205.002","name":"Socket Filters","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547","name":"Boot or Logon Autostart Execution","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":92,"detectable_count":64,"coverage_pct":69,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-01.09","title":"Virtualized end point protection","family":"PR.PS","techniques":[{"id":"T1027.006","name":"HTML Smuggling","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.004","name":"Revert Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1039","name":"Data from Network Shared Drive","detectable":true,"detections":"Sigma, CAR"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":32,"detectable_count":23,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-02.01","title":"Patch identification and application","family":"PR.PS","techniques":[{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.011","name":"Application Shimming","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.003","name":"Credentials from Web Browsers","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":26,"coverage_pct":76,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-05.01","title":"Malware prevention","family":"PR.PS","techniques":[{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"}],"technique_count":18,"detectable_count":13,"coverage_pct":72,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-05.02","title":"Mobile code prevention","family":"PR.PS","techniques":[{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"}],"technique_count":55,"detectable_count":40,"coverage_pct":72,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-05.03","title":"Email and message service protection","family":"PR.PS","techniques":[{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1566.004","name":"Spearphishing Voice","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":5,"coverage_pct":50,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-06.01","title":"Secure SDLC process","family":"PR.PS","techniques":[{"id":"T1496.003","name":"SMS Pumping","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1593","name":"Search Open Websites/Domains","detectable":true,"detections":"IDS"},{"id":"T1593.003","name":"Code Repositories","detectable":true,"detections":"Sigma"}],"technique_count":21,"detectable_count":15,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-06.05","title":"Testing and validation strategy","family":"PR.PS","techniques":[{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":9,"coverage_pct":90,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-06.06","title":"Vulnerability remediation","family":"PR.PS","techniques":[{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.002","name":"Component Firmware","detectable":false},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"}],"technique_count":18,"detectable_count":13,"coverage_pct":72,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"},{"control_id":"PR.PS-06.07","title":"Development and operational process alignment","family":"PR.PS","techniques":[{"id":"T1496.003","name":"SMS Pumping","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1496","name":"Resource Hijacking","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1593","name":"Search Open Websites/Domains","detectable":true,"detections":"IDS"},{"id":"T1593.003","name":"Code Repositories","detectable":true,"detections":"Sigma"}],"technique_count":18,"detectable_count":13,"coverage_pct":72,"has_mapping":true,"is_enhancement":true,"base_control_id":"PR"}],"families":[{"family":"DE.AE","controls":1,"controls_with_mapping":1,"distinct_techniques":81,"detectable_techniques":57,"coverage_pct":70},{"family":"DE.CM","controls":10,"controls_with_mapping":10,"distinct_techniques":202,"detectable_techniques":142,"coverage_pct":70},{"family":"EX.DD","controls":1,"controls_with_mapping":1,"distinct_techniques":10,"detectable_techniques":8,"coverage_pct":80},{"family":"EX.MM","controls":1,"controls_with_mapping":1,"distinct_techniques":11,"detectable_techniques":6,"coverage_pct":54},{"family":"ID.AM","controls":2,"controls_with_mapping":2,"distinct_techniques":25,"detectable_techniques":17,"coverage_pct":68},{"family":"ID.IM","controls":1,"controls_with_mapping":1,"distinct_techniques":15,"detectable_techniques":9,"coverage_pct":60},{"family":"ID.RA","controls":1,"controls_with_mapping":1,"distinct_techniques":11,"detectable_techniques":11,"coverage_pct":100},{"family":"PR.AA","controls":10,"controls_with_mapping":10,"distinct_techniques":226,"detectable_techniques":165,"coverage_pct":73},{"family":"PR.DS","controls":6,"controls_with_mapping":6,"distinct_techniques":39,"detectable_techniques":28,"coverage_pct":71},{"family":"PR.IR","controls":10,"controls_with_mapping":10,"distinct_techniques":219,"detectable_techniques":154,"coverage_pct":70},{"family":"PR.PS","controls":17,"controls_with_mapping":17,"distinct_techniques":309,"detectable_techniques":212,"coverage_pct":68}],"total_controls":60,"controls_with_mapping":60,"distinct_techniques":430,"detectable_techniques":290,"overall_coverage_pct":67,"unmapped_enhancements":0,"no_mappings_at_all":false}