{"framework":"iso-27001-2022","framework_label":"ISO 27001:2022","controls":[{"control_id":"A.5.1","title":"Policies for information security","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.10","title":"Acceptable use of information and other associated assets","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.11","title":"Return of assets","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.12","title":"Classification of information","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.13","title":"Labelling of information","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.14","title":"Information transfer","family":"Organizational","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"}],"technique_count":64,"detectable_count":46,"coverage_pct":71,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.15","title":"Access control","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.16","title":"Identity management","family":"Organizational","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.17","title":"Authentication information","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.18","title":"Access rights","family":"Organizational","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.19","title":"Information security in supplier relationships","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.2","title":"Information security roles and responsibilities","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.20","title":"Addressing information security within supplier agreements","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.21","title":"Managing information security in the ICT supply chain","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.22","title":"Monitoring, review and change management of supplier services","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.23","title":"Information security for use of cloud services","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.24","title":"Information security incident management planning and preparation","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.25","title":"Assessment and decision on information security events","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.26","title":"Response to information security incidents","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.27","title":"Learning from information security incidents","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.28","title":"Collection of evidence","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.29","title":"Information security during disruption","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.3","title":"Segregation of duties","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.30","title":"ICT readiness for business continuity","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.31","title":"Legal, statutory, regulatory and contractual requirements","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.32","title":"Intellectual property rights","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.33","title":"Protection of records","family":"Organizational","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.34","title":"Privacy and protection of PII","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.35","title":"Independent review of information security","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.36","title":"Compliance with policies, rules and standards for information security","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.37","title":"Documented operating procedures","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.4","title":"Management responsibilities","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.5","title":"Contact with authorities","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.6","title":"Contact with special interest groups","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.7","title":"Threat intelligence","family":"Organizational","techniques":[{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":8,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.8","title":"Information security in project management","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.5.9","title":"Inventory of information and other associated assets","family":"Organizational","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.1","title":"Screening","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.2","title":"Terms and conditions of employment","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.3","title":"Information security awareness, education and training","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.4","title":"Disciplinary process","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.5","title":"Responsibilities after termination or change of employment","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.6","title":"Confidentiality or non-disclosure agreements","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.7","title":"Remote working","family":"People","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":118,"detectable_count":82,"coverage_pct":69,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.6.8","title":"Information security event reporting","family":"People","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.1","title":"Physical security perimeters","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.10","title":"Storage media","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.11","title":"Supporting utilities","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.12","title":"Cabling security","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.13","title":"Equipment maintenance","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.14","title":"Secure disposal or re-use of equipment","family":"Physical","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.2","title":"Physical entry","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.3","title":"Securing offices, rooms and facilities","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.4","title":"Physical security monitoring","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.5","title":"Protecting against physical and environmental threats","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.6","title":"Working in secure areas","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.7","title":"Clear desk and clear screen","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.8","title":"Equipment siting and protection","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.7.9","title":"Security of assets off-premises","family":"Physical","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.1","title":"User endpoint devices","family":"Technological","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":42,"detectable_count":26,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.10","title":"Information deletion","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.11","title":"Data masking","family":"Technological","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":42,"detectable_count":26,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.12","title":"Data leakage prevention","family":"Technological","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.13","title":"Information backup","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.14","title":"Redundancy of information processing facilities","family":"Technological","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":8,"coverage_pct":66,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.15","title":"Logging","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.16","title":"Monitoring activities","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.17","title":"Clock synchronisation","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.18","title":"Use of privileged utility programs","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.19","title":"Installation of software on operational systems","family":"Technological","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"}],"technique_count":33,"detectable_count":28,"coverage_pct":84,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.2","title":"Privileged access rights","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.20","title":"Networks security","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.21","title":"Security of network services","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.22","title":"Segregation of networks","family":"Technological","techniques":[{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"}],"technique_count":1,"detectable_count":1,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.23","title":"Web filtering","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.24","title":"Use of cryptography","family":"Technological","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1521.003","name":"","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":50,"detectable_count":29,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.25","title":"Secure development life cycle","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.26","title":"Application security requirements","family":"Technological","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":21,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.27","title":"Secure system architecture and engineering principles","family":"Technological","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":21,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.28","title":"Secure coding","family":"Technological","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":21,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.29","title":"Security testing in development and acceptance","family":"Technological","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":21,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.3","title":"Information access restriction","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.30","title":"Outsourced development","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.31","title":"Separation of development, test and production environments","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.32","title":"Change management","family":"Technological","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":27,"detectable_count":15,"coverage_pct":55,"has_mapping":true,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.33","title":"Test information","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.34","title":"Protection of information systems during audit testing","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.4","title":"Access to source code","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.5","title":"Secure authentication","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.6","title":"Capacity management","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.7","title":"Protection against malware","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.8","title":"Management of technical vulnerabilities","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"},{"control_id":"A.8.9","title":"Configuration management","family":"Technological","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A"}],"families":[{"family":"Organizational","controls":37,"controls_with_mapping":5,"distinct_techniques":89,"detectable_techniques":64,"coverage_pct":71},{"family":"People","controls":8,"controls_with_mapping":1,"distinct_techniques":118,"detectable_techniques":82,"coverage_pct":69},{"family":"Physical","controls":14,"controls_with_mapping":1,"distinct_techniques":34,"detectable_techniques":20,"coverage_pct":58},{"family":"Technological","controls":34,"controls_with_mapping":12,"distinct_techniques":133,"detectable_techniques":83,"coverage_pct":62}],"total_controls":93,"controls_with_mapping":19,"distinct_techniques":204,"detectable_techniques":138,"overall_coverage_pct":67,"unmapped_enhancements":74,"no_mappings_at_all":false}