{"framework":"nist-800-53","framework_label":"NIST 800-53","controls":[{"control_id":"AC-02","title":"Account Management","family":"AC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1654","name":"Log Enumeration","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":220,"detectable_count":150,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-03","title":"Access Enforcement","family":"AC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1555.002","name":"Securityd Memory","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1654","name":"Log Enumeration","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":281,"detectable_count":190,"coverage_pct":67,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-04","title":"Information Flow Enforcement","family":"AC","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1205.002","name":"Socket Filters","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1552.008","name":"Chat Messages","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1654","name":"Log Enumeration","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":158,"detectable_count":110,"coverage_pct":69,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-05","title":"Separation of Duties","family":"AC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1657","name":"Financial Theft","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":167,"detectable_count":122,"coverage_pct":73,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-06","title":"Least Privilege","family":"AC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1555.002","name":"Securityd Memory","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1654","name":"Log Enumeration","detectable":false},{"id":"T1657","name":"Financial Theft","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1112","name":"Modify Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.011","name":"Application Shimming","detectable":true,"detections":"Sigma"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.011","name":"Services Registry Permissions Weakness","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":270,"detectable_count":182,"coverage_pct":67,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-07","title":"Unsuccessful Logon Attempts","family":"AC","techniques":[{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":11,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-08","title":"System Use Notification","family":"AC","techniques":[{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"}],"technique_count":1,"detectable_count":1,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-1","title":"Policy and Procedures","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-10","title":"Concurrent Session Control","family":"AC","techniques":[{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-11","title":"Device Lock","family":"AC","techniques":[{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"}],"technique_count":2,"detectable_count":2,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-11.1","title":"Pattern-hiding Displays","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-11"},{"control_id":"AC-12","title":"Session Termination","family":"AC","techniques":[{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":5,"coverage_pct":83,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-12.1","title":"User-initiated Logouts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-12"},{"control_id":"AC-12.2","title":"Termination Message","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-12"},{"control_id":"AC-12.3","title":"Timeout Warning Message","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-12"},{"control_id":"AC-13","title":"Supervision and Review — Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-14","title":"Permitted Actions Without Identification or Authentication","family":"AC","techniques":[{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"}],"technique_count":1,"detectable_count":1,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-14.1","title":"Necessary Uses","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-14"},{"control_id":"AC-15","title":"Automated Marking","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-16","title":"Security and Privacy Attributes","family":"AC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":57,"detectable_count":35,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-16.1","title":"Dynamic Attribute Association","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.10","title":"Attribute Configuration by Authorized Individuals","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.2","title":"Attribute Value Changes by Authorized Individuals","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.3","title":"Maintenance of Attribute Associations by System","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.4","title":"Association of Attributes by Authorized Individuals","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.5","title":"Attribute Displays on Objects to Be Output","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.6","title":"Maintenance of Attribute Association","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.7","title":"Consistent Attribute Interpretation","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.8","title":"Association Techniques and Technologies","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-16.9","title":"Attribute Reassignment — Regrading Mechanisms","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-16"},{"control_id":"AC-17","title":"Remote Access","family":"AC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":81,"detectable_count":55,"coverage_pct":67,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-17.1","title":"Monitoring and Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.10","title":"Authenticate Remote Commands","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.2","title":"Protection of Confidentiality and Integrity Using Encryption","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.3","title":"Managed Access Control Points","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.4","title":"Privileged Commands and Access","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.5","title":"Monitoring for Unauthorized Connections","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.6","title":"Protection of Mechanism Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.7","title":"Additional Protection for Security Function Access","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.8","title":"Disable Nonsecure Network Protocols","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-17.9","title":"Disconnect or Disable Access","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-17"},{"control_id":"AC-18","title":"Wireless Access","family":"AC","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":25,"detectable_count":13,"coverage_pct":52,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-18.1","title":"Authentication and Encryption","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-18"},{"control_id":"AC-18.2","title":"Monitoring Unauthorized Connections","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-18"},{"control_id":"AC-18.3","title":"Disable Wireless Networking","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-18"},{"control_id":"AC-18.4","title":"Restrict Configurations by Users","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-18"},{"control_id":"AC-18.5","title":"Antennas and Transmission Power Levels","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-18"},{"control_id":"AC-19","title":"Access Control for Mobile Devices","family":"AC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":27,"detectable_count":16,"coverage_pct":59,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-19.1","title":"Use of Writable and Portable Storage Devices","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-19"},{"control_id":"AC-19.2","title":"Use of Personally Owned Portable Storage Devices","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-19"},{"control_id":"AC-19.3","title":"Use of Portable Storage Devices with No Identifiable Owner","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-19"},{"control_id":"AC-19.4","title":"Restrictions for Classified Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-19"},{"control_id":"AC-19.5","title":"Full Device or Container-based Encryption","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-19"},{"control_id":"AC-2","title":"Account Management","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-2.1","title":"Automated System Account Management","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.10","title":"Shared and Group Account Credential Change","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.11","title":"Usage Conditions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.12","title":"Account Monitoring for Atypical Usage","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.13","title":"Disable Accounts for High-risk Individuals","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.2","title":"Automated Temporary and Emergency Account Management","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.3","title":"Disable Accounts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.4","title":"Automated Audit Actions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.5","title":"Inactivity Logout","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.6","title":"Dynamic Privilege Management","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.7","title":"Privileged User Accounts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.8","title":"Dynamic Account Management","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-2.9","title":"Restrictions on Use of Shared and Group Accounts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-2"},{"control_id":"AC-20","title":"Use of External Systems","family":"AC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"}],"technique_count":64,"detectable_count":46,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-20.1","title":"Limits on Authorized Use","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-20"},{"control_id":"AC-20.2","title":"Portable Storage Devices — Restricted Use","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-20"},{"control_id":"AC-20.3","title":"Non-organizationally Owned Systems — Restricted Use","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-20"},{"control_id":"AC-20.4","title":"Network Accessible Storage Devices — Prohibited Use","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-20"},{"control_id":"AC-20.5","title":"Portable Storage Devices — Prohibited Use","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-20"},{"control_id":"AC-21","title":"Information Sharing","family":"AC","techniques":[{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":1,"coverage_pct":20,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-21.1","title":"Automated Decision Support","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-21"},{"control_id":"AC-21.2","title":"Information Search and Retrieval","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-21"},{"control_id":"AC-22","title":"Publicly Accessible Content","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-23","title":"Data Mining Protection","family":"AC","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":15,"detectable_count":7,"coverage_pct":46,"has_mapping":true,"is_enhancement":false},{"control_id":"AC-24","title":"Access Control Decisions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-24.1","title":"Transmit Access Authorization Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-24"},{"control_id":"AC-24.2","title":"No User or Process Identity","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-24"},{"control_id":"AC-25","title":"Reference Monitor","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-3","title":"Access Enforcement","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-3.1","title":"Restricted Access to Privileged Functions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.10","title":"Audited Override of Access Control Mechanisms","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.11","title":"Restrict Access to Specific Information Types","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.12","title":"Assert and Enforce Application Access","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.13","title":"Attribute-based Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.14","title":"Individual Access","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.15","title":"Discretionary and Mandatory Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.2","title":"Dual Authorization","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.3","title":"Mandatory Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.4","title":"Discretionary Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.5","title":"Security-relevant Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.6","title":"Protection of User and System Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.7","title":"Role-based Access Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.8","title":"Revocation of Access Authorizations","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-3.9","title":"Controlled Release","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-3"},{"control_id":"AC-4","title":"Information Flow Enforcement","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-4.1","title":"Object Security and Privacy Attributes","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.10","title":"Enable and Disable Security or Privacy Policy Filters","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.11","title":"Configuration of Security or Privacy Policy Filters","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.12","title":"Data Type Identifiers","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.13","title":"Decomposition into Policy-relevant Subcomponents","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.14","title":"Security or Privacy Policy Filter Constraints","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.15","title":"Detection of Unsanctioned Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.16","title":"Information Transfers on Interconnected Systems","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.17","title":"Domain Authentication","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.18","title":"Security Attribute Binding","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.19","title":"Validation of Metadata","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.2","title":"Processing Domains","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.20","title":"Approved Solutions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.21","title":"Physical or Logical Separation of Information Flows","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.22","title":"Access Only","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.23","title":"Modify Non-releasable Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.24","title":"Internal Normalized Format","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.25","title":"Data Sanitization","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.26","title":"Audit Filtering Actions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.27","title":"Redundant/Independent Filtering Mechanisms","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.28","title":"Linear Filter Pipelines","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.29","title":"Filter Orchestration Engines","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.3","title":"Dynamic Information Flow Control","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.30","title":"Filter Mechanisms Using Multiple Processes","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.31","title":"Failed Content Transfer Prevention","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.32","title":"Process Requirements for Information Transfer","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.4","title":"Flow Control of Encrypted Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.5","title":"Embedded Data Types","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.6","title":"Metadata","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.7","title":"One-way Flow Mechanisms","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.8","title":"Security and Privacy Policy Filters","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-4.9","title":"Human Reviews","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-4"},{"control_id":"AC-5","title":"Separation of Duties","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-6","title":"Least Privilege","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-6.1","title":"Authorize Access to Security Functions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.10","title":"Prohibit Non-privileged Users from Executing Privileged Functions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.2","title":"Non-privileged Access for Nonsecurity Functions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.3","title":"Network Access to Privileged Commands","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.4","title":"Separate Processing Domains","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.5","title":"Privileged Accounts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.6","title":"Privileged Access by Non-organizational Users","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.7","title":"Review of User Privileges","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.8","title":"Privilege Levels for Code Execution","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-6.9","title":"Log Use of Privileged Functions","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-6"},{"control_id":"AC-7","title":"Unsuccessful Logon Attempts","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-7.1","title":"Automatic Account Lock","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-7"},{"control_id":"AC-7.2","title":"Purge or Wipe Mobile Device","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-7"},{"control_id":"AC-7.3","title":"Biometric Attempt Limiting","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-7"},{"control_id":"AC-7.4","title":"Use of Alternate Authentication Factor","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-7"},{"control_id":"AC-8","title":"System Use Notification","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-9","title":"Previous Logon Notification","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AC-9.1","title":"Unsuccessful Logons","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-9"},{"control_id":"AC-9.2","title":"Successful and Unsuccessful Logons","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-9"},{"control_id":"AC-9.3","title":"Notification of Account Changes","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-9"},{"control_id":"AC-9.4","title":"Additional Logon Information","family":"AC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AC-9"},{"control_id":"AT-1","title":"Policy and Procedures","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AT-2","title":"Literacy Training and Awareness","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AT-2.1","title":"Practical Exercises","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-2.2","title":"Insider Threat","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-2.3","title":"Social Engineering and Mining","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-2.4","title":"Suspicious Communications and Anomalous System Behavior","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-2.5","title":"Advanced Persistent Threat","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-2.6","title":"Cyber Threat Environment","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-2"},{"control_id":"AT-3","title":"Role-based Training","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AT-3.1","title":"Environmental Controls","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-3"},{"control_id":"AT-3.2","title":"Physical Security Controls","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-3"},{"control_id":"AT-3.3","title":"Practical Exercises","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-3"},{"control_id":"AT-3.4","title":"Suspicious Communications and Anomalous System Behavior","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-3"},{"control_id":"AT-3.5","title":"Processing Personally Identifiable Information","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AT-3"},{"control_id":"AT-4","title":"Training Records","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AT-5","title":"Contacts with Security Groups and Associations","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AT-6","title":"Training Feedback","family":"AT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-1","title":"Policy and Procedures","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-10","title":"Non-repudiation","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-10.1","title":"Association of Identities","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-10"},{"control_id":"AU-10.2","title":"Validate Binding of Information Producer Identity","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-10"},{"control_id":"AU-10.3","title":"Chain of Custody","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-10"},{"control_id":"AU-10.4","title":"Validate Binding of Information Reviewer Identity","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-10"},{"control_id":"AU-10.5","title":"Digital Signatures","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-10"},{"control_id":"AU-11","title":"Audit Record Retention","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-11.1","title":"Long-term Retrieval Capability","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-11"},{"control_id":"AU-12","title":"Audit Record Generation","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-12.1","title":"System-wide and Time-correlated Audit Trail","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-12"},{"control_id":"AU-12.2","title":"Standardized Formats","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-12"},{"control_id":"AU-12.3","title":"Changes by Authorized Individuals","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-12"},{"control_id":"AU-12.4","title":"Query Parameter Audits of Personally Identifiable Information","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-12"},{"control_id":"AU-13","title":"Monitoring for Information Disclosure","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-13.1","title":"Use of Automated Tools","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-13"},{"control_id":"AU-13.2","title":"Review of Monitored Sites","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-13"},{"control_id":"AU-13.3","title":"Unauthorized Replication of Information","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-13"},{"control_id":"AU-14","title":"Session Audit","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-14.1","title":"System Start-up","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-14"},{"control_id":"AU-14.2","title":"Capture and Record Content","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-14"},{"control_id":"AU-14.3","title":"Remote Viewing and Listening","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-14"},{"control_id":"AU-15","title":"Alternate Audit Logging Capability","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-16","title":"Cross-organizational Audit Logging","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-16.1","title":"Identity Preservation","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-16"},{"control_id":"AU-16.2","title":"Sharing of Audit Information","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-16"},{"control_id":"AU-16.3","title":"Disassociability","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-16"},{"control_id":"AU-2","title":"Event Logging","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-2.1","title":"Compilation of Audit Records from Multiple Sources","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-2"},{"control_id":"AU-2.2","title":"Selection of Audit Events by Component","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-2"},{"control_id":"AU-2.3","title":"Reviews and Updates","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-2"},{"control_id":"AU-2.4","title":"Privileged Functions","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-2"},{"control_id":"AU-3","title":"Content of Audit Records","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-3.1","title":"Additional Audit Information","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-3"},{"control_id":"AU-3.2","title":"Centralized Management of Planned Audit Record Content","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-3"},{"control_id":"AU-3.3","title":"Limit Personally Identifiable Information Elements","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-3"},{"control_id":"AU-4","title":"Audit Log Storage Capacity","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-4.1","title":"Transfer to Alternate Storage","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-4"},{"control_id":"AU-5","title":"Response to Audit Logging Process Failures","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-5.1","title":"Storage Capacity Warning","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-5"},{"control_id":"AU-5.2","title":"Real-time Alerts","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-5"},{"control_id":"AU-5.3","title":"Configurable Traffic Volume Thresholds","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-5"},{"control_id":"AU-5.4","title":"Shutdown on Failure","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-5"},{"control_id":"AU-5.5","title":"Alternate Audit Logging Capability","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-5"},{"control_id":"AU-6","title":"Audit Record Review, Analysis, and Reporting","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-6.1","title":"Automated Process Integration","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.10","title":"Audit Level Adjustment","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.2","title":"Automated Security Alerts","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.3","title":"Correlate Audit Record Repositories","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.4","title":"Central Review and Analysis","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.5","title":"Integrated Analysis of Audit Records","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.6","title":"Correlation with Physical Monitoring","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.7","title":"Permitted Actions","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.8","title":"Full Text Analysis of Privileged Commands","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-6.9","title":"Correlation with Information from Nontechnical Sources","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-6"},{"control_id":"AU-7","title":"Audit Record Reduction and Report Generation","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-7.1","title":"Automatic Processing","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-7"},{"control_id":"AU-7.2","title":"Automatic Sort and Search","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-7"},{"control_id":"AU-8","title":"Time Stamps","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-8.1","title":"Synchronization with Authoritative Time Source","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-8"},{"control_id":"AU-8.2","title":"Secondary Authoritative Time Source","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-8"},{"control_id":"AU-9","title":"Protection of Audit Information","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"AU-9.1","title":"Hardware Write-once Media","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.2","title":"Store on Separate Physical Systems or Components","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.3","title":"Cryptographic Protection","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.4","title":"Access by Subset of Privileged Users","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.5","title":"Dual Authorization","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.6","title":"Read-only Access","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"AU-9.7","title":"Store on Component with Different Operating System","family":"AU","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"AU-9"},{"control_id":"CA-02","title":"Control Assessments","family":"CA","techniques":[{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"}],"technique_count":5,"detectable_count":5,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"CA-03","title":"Information Exchange","family":"CA","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"CA-07","title":"Continuous Monitoring","family":"CA","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1555.002","name":"Securityd Memory","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.010","name":"Process Argument Spoofing","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1056.002","name":"GUI Input Capture","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.001","name":"Keychain","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":210,"detectable_count":143,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"CA-1","title":"Policy and Procedures","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-2","title":"Control Assessments","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-2.1","title":"Independent Assessors","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-2"},{"control_id":"CA-2.2","title":"Specialized Assessments","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-2"},{"control_id":"CA-2.3","title":"Leveraging Results from External Organizations","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-2"},{"control_id":"CA-3","title":"Information Exchange","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-3.1","title":"Unclassified National Security System Connections","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.2","title":"Classified National Security System Connections","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.3","title":"Unclassified Non-national Security System Connections","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.4","title":"Connections to Public Networks","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.5","title":"Restrictions on External System Connections","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.6","title":"Transfer Authorizations","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-3.7","title":"Transitive Information Exchanges","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-3"},{"control_id":"CA-4","title":"Security Certification","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-5","title":"Plan of Action and Milestones","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-5.1","title":"Automation Support for Accuracy and Currency","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-5"},{"control_id":"CA-6","title":"Authorization","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-6.1","title":"Joint Authorization — Intra-organization","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-6"},{"control_id":"CA-6.2","title":"Joint Authorization — Inter-organization","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-6"},{"control_id":"CA-7","title":"Continuous Monitoring","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-7.1","title":"Independent Assessment","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-7.2","title":"Types of Assessments","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-7.3","title":"Trend Analyses","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-7.4","title":"Risk Monitoring","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-7.5","title":"Consistency Analysis","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-7.6","title":"Automation Support for Monitoring","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-7"},{"control_id":"CA-8","title":"Penetration Testing","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-8.1","title":"Independent Penetration Testing Agent or Team","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-8"},{"control_id":"CA-8.2","title":"Red Team Exercises","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-8"},{"control_id":"CA-8.3","title":"Facility Penetration Testing","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-8"},{"control_id":"CA-9","title":"Internal System Connections","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CA-9.1","title":"Compliance Checks","family":"CA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CA-9"},{"control_id":"CM-02","title":"Baseline Configuration","family":"CM","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1216.002","name":"SyncAppvPublishingServer","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.007","name":"VBA Stomping","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127.001","name":"MSBuild","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1555.004","name":"Windows Credential Manager","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560","name":"Archive Collected Data","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560.001","name":"Archive via Utility","detectable":true,"detections":"Sigma, CAR"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"},{"id":"T1653","name":"Power Settings","detectable":true,"detections":"Sigma"}],"technique_count":287,"detectable_count":200,"coverage_pct":69,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-03","title":"Configuration Change Control","family":"CM","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1653","name":"Power Settings","detectable":true,"detections":"Sigma"}],"technique_count":35,"detectable_count":14,"coverage_pct":40,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-05","title":"Access Restrictions for Change","family":"CM","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.011","name":"Spoof Security Alerting","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.011","name":"Services Registry Permissions Weakness","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":162,"detectable_count":111,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-06","title":"Configuration Settings","family":"CM","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1216.002","name":"SyncAppvPublishingServer","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1562.011","name":"Spoof Security Alerting","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.007","name":"VBA Stomping","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127.001","name":"MSBuild","detectable":true,"detections":"Sigma, CAR"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1555.004","name":"Windows Credential Manager","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":344,"detectable_count":243,"coverage_pct":70,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-07","title":"Least Functionality","family":"CM","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1216.002","name":"SyncAppvPublishingServer","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1112","name":"Modify Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1555.004","name":"Windows Credential Manager","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"},{"id":"T1653","name":"Power Settings","detectable":true,"detections":"Sigma"}],"technique_count":225,"detectable_count":161,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-08","title":"System Component Inventory","family":"CM","techniques":[{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.007","name":"VBA Stomping","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127.001","name":"MSBuild","detectable":true,"detections":"Sigma, CAR"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1593.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":101,"detectable_count":66,"coverage_pct":65,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-1","title":"Policy and Procedures","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-10","title":"Software Usage Restrictions","family":"CM","techniques":[{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"}],"technique_count":9,"detectable_count":8,"coverage_pct":88,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-10.1","title":"Open-source Software","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-10"},{"control_id":"CM-11","title":"User-installed Software","family":"CM","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"}],"technique_count":33,"detectable_count":28,"coverage_pct":84,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-11.1","title":"Alerts for Unauthorized Installations","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-11"},{"control_id":"CM-11.2","title":"Software Installation with Privileged Status","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-11"},{"control_id":"CM-11.3","title":"Automated Enforcement and Monitoring","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-11"},{"control_id":"CM-12","title":"Information Location","family":"CM","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"}],"technique_count":2,"detectable_count":1,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"CM-12.1","title":"Automated Tools to Support Information Location","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-12"},{"control_id":"CM-13","title":"Data Action Mapping","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-14","title":"Signed Components","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-2","title":"Baseline Configuration","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-2.1","title":"Reviews and Updates","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.2","title":"Automation Support for Accuracy and Currency","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.3","title":"Retention of Previous Configurations","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.4","title":"Unauthorized Software","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.5","title":"Authorized Software","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.6","title":"Development and Test Environments","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-2.7","title":"Configure Systems and Components for High-risk Areas","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-2"},{"control_id":"CM-3","title":"Configuration Change Control","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-3.1","title":"Automated Documentation, Notification, and Prohibition of Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.2","title":"Testing, Validation, and Documentation of Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.3","title":"Automated Change Implementation","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.4","title":"Security and Privacy Representatives","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.5","title":"Automated Security Response","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.6","title":"Cryptography Management","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.7","title":"Review System Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-3.8","title":"Prevent or Restrict Configuration Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-3"},{"control_id":"CM-4","title":"Impact Analyses","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-4.1","title":"Separate Test Environments","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-4"},{"control_id":"CM-4.2","title":"Verification of Controls","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-4"},{"control_id":"CM-5","title":"Access Restrictions for Change","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-5.1","title":"Automated Access Enforcement and Audit Records","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.2","title":"Review System Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.3","title":"Signed Components","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.4","title":"Dual Authorization","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.5","title":"Privilege Limitation for Production and Operation","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.6","title":"Limit Library Privileges","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-5.7","title":"Automatic Implementation of Security Safeguards","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-5"},{"control_id":"CM-6","title":"Configuration Settings","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-6.1","title":"Automated Management, Application, and Verification","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-6"},{"control_id":"CM-6.2","title":"Respond to Unauthorized Changes","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-6"},{"control_id":"CM-6.3","title":"Unauthorized Change Detection","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-6"},{"control_id":"CM-6.4","title":"Conformance Demonstration","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-6"},{"control_id":"CM-7","title":"Least Functionality","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-7.1","title":"Periodic Review","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.2","title":"Prevent Program Execution","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.3","title":"Registration Compliance","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.4","title":"Unauthorized Software — Deny-by-exception","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.5","title":"Authorized Software — Allow-by-exception","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.6","title":"Confined Environments with Limited Privileges","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.7","title":"Code Execution in Protected Environments","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.8","title":"Binary or Machine Executable Code","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-7.9","title":"Prohibiting The Use of Unauthorized Hardware","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-7"},{"control_id":"CM-8","title":"System Component Inventory","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-8.1","title":"Updates During Installation and Removal","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.2","title":"Automated Maintenance","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.3","title":"Automated Unauthorized Component Detection","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.4","title":"Accountability Information","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.5","title":"No Duplicate Accounting of Components","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.6","title":"Assessed Configurations and Approved Deviations","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.7","title":"Centralized Repository","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.8","title":"Automated Location Tracking","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-8.9","title":"Assignment of Components to Systems","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-8"},{"control_id":"CM-9","title":"Configuration Management Plan","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CM-9.1","title":"Assignment of Responsibility","family":"CM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CM-9"},{"control_id":"CP-02","title":"Contingency Plan","family":"CP","techniques":[{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"}],"technique_count":9,"detectable_count":6,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"CP-06","title":"Alternate Storage Site","family":"CP","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":6,"coverage_pct":75,"has_mapping":true,"is_enhancement":false},{"control_id":"CP-07","title":"Alternate Processing Site","family":"CP","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":11,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"CP-09","title":"System Backup","family":"CP","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":14,"coverage_pct":63,"has_mapping":true,"is_enhancement":false},{"control_id":"CP-1","title":"Policy and Procedures","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-10","title":"System Recovery and Reconstitution","family":"CP","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":8,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"CP-10.1","title":"Contingency Plan Testing","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-10.2","title":"Transaction Recovery","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-10.3","title":"Compensating Security Controls","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-10.4","title":"Restore Within Time Period","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-10.5","title":"Failover Capability","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-10.6","title":"Component Protection","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-10"},{"control_id":"CP-11","title":"Alternate Communications Protocols","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-12","title":"Safe Mode","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-13","title":"Alternative Security Mechanisms","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-2","title":"Contingency Plan","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-2.1","title":"Coordinate with Related Plans","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.2","title":"Capacity Planning","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.3","title":"Resume Mission and Business Functions","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.4","title":"Resume All Mission and Business Functions","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.5","title":"Continue Mission and Business Functions","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.6","title":"Alternate Processing and Storage Sites","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.7","title":"Coordinate with External Service Providers","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-2.8","title":"Identify Critical Assets","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-2"},{"control_id":"CP-3","title":"Contingency Training","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-3.1","title":"Simulated Events","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-3"},{"control_id":"CP-3.2","title":"Mechanisms Used in Training Environments","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-3"},{"control_id":"CP-4","title":"Contingency Plan Testing","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-4.1","title":"Coordinate with Related Plans","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-4"},{"control_id":"CP-4.2","title":"Alternate Processing Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-4"},{"control_id":"CP-4.3","title":"Automated Testing","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-4"},{"control_id":"CP-4.4","title":"Full Recovery and Reconstitution","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-4"},{"control_id":"CP-4.5","title":"Self-challenge","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-4"},{"control_id":"CP-5","title":"Contingency Plan Update","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-6","title":"Alternate Storage Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-6.1","title":"Separation from Primary Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-6"},{"control_id":"CP-6.2","title":"Recovery Time and Recovery Point Objectives","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-6"},{"control_id":"CP-6.3","title":"Accessibility","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-6"},{"control_id":"CP-7","title":"Alternate Processing Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-7.1","title":"Separation from Primary Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-7.2","title":"Accessibility","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-7.3","title":"Priority of Service","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-7.4","title":"Preparation for Use","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-7.5","title":"Equivalent Information Security Safeguards","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-7.6","title":"Inability to Return to Primary Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-7"},{"control_id":"CP-8","title":"Telecommunications Services","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-8.1","title":"Priority of Service Provisions","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-8"},{"control_id":"CP-8.2","title":"Single Points of Failure","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-8"},{"control_id":"CP-8.3","title":"Separation of Primary and Alternate Providers","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-8"},{"control_id":"CP-8.4","title":"Provider Contingency Plan","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-8"},{"control_id":"CP-8.5","title":"Alternate Telecommunication Service Testing","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-8"},{"control_id":"CP-9","title":"System Backup","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"CP-9.1","title":"Testing for Reliability and Integrity","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.2","title":"Test Restoration Using Sampling","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.3","title":"Separate Storage for Critical Information","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.4","title":"Protection from Unauthorized Modification","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.5","title":"Transfer to Alternate Storage Site","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.6","title":"Redundant Secondary System","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.7","title":"Dual Authorization for Deletion or Destruction","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"CP-9.8","title":"Cryptographic Protection","family":"CP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CP-9"},{"control_id":"IA-02","title":"Identification and Authentication (Organizational Users)","family":"IA","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1056.003","name":"Web Portal Capture","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1543.005","name":"Container Service","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.002","name":"Create Process with Token","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.007","name":"Msiexec","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.001","name":"Launch Agent","detectable":true,"detections":"Sigma"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1543.003","name":"Windows Service","detectable":true,"detections":"Sigma, CAR"},{"id":"T1543.004","name":"Launch Daemon","detectable":true,"detections":"Sigma"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.001","name":"Launchctl","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1580","name":"Cloud Infrastructure Discovery","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":173,"detectable_count":126,"coverage_pct":72,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-03","title":"Device Identification and Authentication","family":"IA","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":4,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-04","title":"Identifier Management","family":"IA","techniques":[{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"}],"technique_count":36,"detectable_count":22,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-05","title":"Authenticator Management","family":"IA","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1555.002","name":"Securityd Memory","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.005","name":"Reversible Encryption","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1558.001","name":"Golden Ticket","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.001","name":"Keychain","detectable":true,"detections":"Sigma"},{"id":"T1555.004","name":"Windows Credential Manager","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":72,"detectable_count":48,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-06","title":"Authentication Feedback","family":"IA","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":4,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-07","title":"Cryptographic Module Authentication","family":"IA","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":12,"detectable_count":4,"coverage_pct":33,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-08","title":"Identification and Authentication (Non-Organizational Users)","family":"IA","techniques":[{"id":"T1053.007","name":"Container Orchestration Job","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":12,"coverage_pct":54,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-09","title":"Service Identification and Authentication","family":"IA","techniques":[{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":16,"coverage_pct":72,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-1","title":"Policy and Procedures","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-10","title":"Adaptive Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-11","title":"Re-authentication","family":"IA","techniques":[{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":4,"coverage_pct":57,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-12","title":"Identity Proofing","family":"IA","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-12.1","title":"Supervisor Authorization","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-12.2","title":"Identity Evidence","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-12.3","title":"Identity Evidence Validation and Verification","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-12.4","title":"In-person Validation and Verification","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-12.5","title":"Address Confirmation","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-12.6","title":"Accept Externally-proofed Identities","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-12"},{"control_id":"IA-13","title":"Identity Providers and Authorization Servers","family":"IA","techniques":[{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1134.001","name":"Token Impersonation/Theft","detectable":true,"detections":"Sigma"},{"id":"T1134.003","name":"Make and Impersonate Token","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606.002","name":"SAML Tokens","detectable":true,"detections":"CAR"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":17,"detectable_count":14,"coverage_pct":82,"has_mapping":true,"is_enhancement":false},{"control_id":"IA-13.1","title":"Protection of Cryptographic Keys","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-13"},{"control_id":"IA-13.2","title":"Verification of Identity Assertions and Access Tokens","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-13"},{"control_id":"IA-13.3","title":"Token Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-13"},{"control_id":"IA-2","title":"Identification and Authentication (Organizational Users)","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-2.1","title":"Multi-factor Authentication to Privileged Accounts","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.10","title":"Single Sign-on","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.11","title":"Remote Access — Separate Device","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.12","title":"Acceptance of PIV Credentials","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.13","title":"Out-of-band Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.2","title":"Multi-factor Authentication to Non-privileged Accounts","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.3","title":"Local Access to Privileged Accounts","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.4","title":"Local Access to Non-privileged Accounts","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.5","title":"Individual Authentication with Group Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.6","title":"Access to Accounts —separate Device","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.7","title":"Network Access to Non-privileged Accounts — Separate Device","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.8","title":"Access to Accounts — Replay Resistant","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-2.9","title":"Network Access to Non-privileged Accounts — Replay Resistant","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-2"},{"control_id":"IA-3","title":"Device Identification and Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-3.1","title":"Cryptographic Bidirectional Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-3"},{"control_id":"IA-3.2","title":"Cryptographic Bidirectional Network Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-3"},{"control_id":"IA-3.3","title":"Dynamic Address Allocation","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-3"},{"control_id":"IA-3.4","title":"Device Attestation","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-3"},{"control_id":"IA-4","title":"Identifier Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-4.1","title":"Prohibit Account Identifiers as Public Identifiers","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.2","title":"Supervisor Authorization","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.3","title":"Multiple Forms of Certification","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.4","title":"Identify User Status","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.5","title":"Dynamic Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.6","title":"Cross-organization Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.7","title":"In-person Registration","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.8","title":"Pairwise Pseudonymous Identifiers","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-4.9","title":"Attribute Maintenance and Protection","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-4"},{"control_id":"IA-5","title":"Authenticator Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-5.1","title":"Password-based Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.10","title":"Dynamic Credential Binding","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.11","title":"Hardware Token-based Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.12","title":"Biometric Authentication Performance","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.13","title":"Expiration of Cached Authenticators","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.14","title":"Managing Content of PKI Trust Stores","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.15","title":"GSA-approved Products and Services","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.16","title":"In-person or Trusted External Party Authenticator Issuance","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.17","title":"Presentation Attack Detection for Biometric Authenticators","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.18","title":"Password Managers","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.2","title":"Public Key-based Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.3","title":"In-person or Trusted External Party Registration","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.4","title":"Automated Support for Password Strength Determination","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.5","title":"Change Authenticators Prior to Delivery","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.6","title":"Protection of Authenticators","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.7","title":"No Embedded Unencrypted Static Authenticators","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.8","title":"Multiple System Accounts","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-5.9","title":"Federated Credential Management","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-5"},{"control_id":"IA-6","title":"Authentication Feedback","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-7","title":"Cryptographic Module Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-8","title":"Identification and Authentication (Non-organizational Users)","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-8.1","title":"Acceptance of PIV Credentials from Other Agencies","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-8.2","title":"Acceptance of External Authenticators","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-8.3","title":"Use of FICAM-approved Products","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-8.4","title":"Use of Defined Profiles","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-8.5","title":"Acceptance of PIV-I Credentials","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-8.6","title":"Disassociability","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-8"},{"control_id":"IA-9","title":"Service Identification and Authentication","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IA-9.1","title":"Information Exchange","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-9"},{"control_id":"IA-9.2","title":"Transmission of Decisions","family":"IA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IA-9"},{"control_id":"IR-1","title":"Policy and Procedures","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-10","title":"Integrated Information Security Analysis Team","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-2","title":"Incident Response Training","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-2.1","title":"Simulated Events","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-2"},{"control_id":"IR-2.2","title":"Automated Training Environments","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-2"},{"control_id":"IR-2.3","title":"Breach","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-2"},{"control_id":"IR-3","title":"Incident Response Testing","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-3.1","title":"Automated Testing","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-3"},{"control_id":"IR-3.2","title":"Coordination with Related Plans","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-3"},{"control_id":"IR-3.3","title":"Continuous Improvement","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-3"},{"control_id":"IR-4","title":"Incident Handling","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-4.1","title":"Automated Incident Handling Processes","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.10","title":"Supply Chain Coordination","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.11","title":"Integrated Incident Response Team","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.12","title":"Malicious Code and Forensic Analysis","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.13","title":"Behavior Analysis","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.14","title":"Security Operations Center","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.15","title":"Public Relations and Reputation Repair","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.2","title":"Dynamic Reconfiguration","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.3","title":"Continuity of Operations","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.4","title":"Information Correlation","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.5","title":"Automatic Disabling of System","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.6","title":"Insider Threats","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.7","title":"Insider Threats — Intra-organization Coordination","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.8","title":"Correlation with External Organizations","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-4.9","title":"Dynamic Response Capability","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-4"},{"control_id":"IR-5","title":"Incident Monitoring","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-5.1","title":"Automated Tracking, Data Collection, and Analysis","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-5"},{"control_id":"IR-6","title":"Incident Reporting","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-6.1","title":"Automated Reporting","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-6"},{"control_id":"IR-6.2","title":"Vulnerabilities Related to Incidents","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-6"},{"control_id":"IR-6.3","title":"Supply Chain Coordination","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-6"},{"control_id":"IR-7","title":"Incident Response Assistance","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-7.1","title":"Automation Support for Availability of Information and Support","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-7"},{"control_id":"IR-7.2","title":"Coordination with External Providers","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-7"},{"control_id":"IR-8","title":"Incident Response Plan","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-8.1","title":"Breaches","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-8"},{"control_id":"IR-9","title":"Information Spillage Response","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"IR-9.1","title":"Responsible Personnel","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-9"},{"control_id":"IR-9.2","title":"Training","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-9"},{"control_id":"IR-9.3","title":"Post-spill Operations","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-9"},{"control_id":"IR-9.4","title":"Exposure to Unauthorized Personnel","family":"IR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"IR-9"},{"control_id":"MA-1","title":"Policy and Procedures","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-2","title":"Controlled Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-2.1","title":"Record Content","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-2"},{"control_id":"MA-2.2","title":"Automated Maintenance Activities","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-2"},{"control_id":"MA-3","title":"Maintenance Tools","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-3.1","title":"Inspect Tools","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-3.2","title":"Inspect Media","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-3.3","title":"Prevent Unauthorized Removal","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-3.4","title":"Restricted Tool Use","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-3.5","title":"Execution with Privilege","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-3.6","title":"Software Updates and Patches","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-3"},{"control_id":"MA-4","title":"Nonlocal Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-4.1","title":"Logging and Review","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.2","title":"Document Nonlocal Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.3","title":"Comparable Security and Sanitization","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.4","title":"Authentication and Separation of Maintenance Sessions","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.5","title":"Approvals and Notifications","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.6","title":"Cryptographic Protection","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-4.7","title":"Disconnect Verification","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-4"},{"control_id":"MA-5","title":"Maintenance Personnel","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-5.1","title":"Individuals Without Appropriate Access","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-5"},{"control_id":"MA-5.2","title":"Security Clearances for Classified Systems","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-5"},{"control_id":"MA-5.3","title":"Citizenship Requirements for Classified Systems","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-5"},{"control_id":"MA-5.4","title":"Foreign Nationals","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-5"},{"control_id":"MA-5.5","title":"Non-system Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-5"},{"control_id":"MA-6","title":"Timely Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MA-6.1","title":"Preventive Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-6"},{"control_id":"MA-6.2","title":"Predictive Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-6"},{"control_id":"MA-6.3","title":"Automated Support for Predictive Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MA-6"},{"control_id":"MA-7","title":"Field Maintenance","family":"MA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-07","title":"Media Use","family":"MP","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":2,"coverage_pct":33,"has_mapping":true,"is_enhancement":false},{"control_id":"MP-1","title":"Policy and Procedures","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-2","title":"Media Access","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-2.1","title":"Automated Restricted Access","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-2"},{"control_id":"MP-2.2","title":"Cryptographic Protection","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-2"},{"control_id":"MP-3","title":"Media Marking","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-4","title":"Media Storage","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-4.1","title":"Cryptographic Protection","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-4"},{"control_id":"MP-4.2","title":"Automated Restricted Access","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-4"},{"control_id":"MP-5","title":"Media Transport","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-5.1","title":"Protection Outside of Controlled Areas","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-5"},{"control_id":"MP-5.2","title":"Documentation of Activities","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-5"},{"control_id":"MP-5.3","title":"Custodians","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-5"},{"control_id":"MP-5.4","title":"Cryptographic Protection","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-5"},{"control_id":"MP-6","title":"Media Sanitization","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-6.1","title":"Review, Approve, Track, Document, and Verify","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.2","title":"Equipment Testing","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.3","title":"Nondestructive Techniques","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.4","title":"Controlled Unclassified Information","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.5","title":"Classified Information","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.6","title":"Media Destruction","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.7","title":"Dual Authorization","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-6.8","title":"Remote Purging or Wiping of Information","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-6"},{"control_id":"MP-7","title":"Media Use","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-7.1","title":"Prohibit Use Without Owner","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-7"},{"control_id":"MP-7.2","title":"Prohibit Use of Sanitization-resistant Media","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-7"},{"control_id":"MP-8","title":"Media Downgrading","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"MP-8.1","title":"Documentation of Process","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-8"},{"control_id":"MP-8.2","title":"Equipment Testing","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-8"},{"control_id":"MP-8.3","title":"Controlled Unclassified Information","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-8"},{"control_id":"MP-8.4","title":"Classified Information","family":"MP","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"MP-8"},{"control_id":"PE-1","title":"Policy and Procedures","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-10","title":"Emergency Shutoff","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-10.1","title":"Accidental and Unauthorized Activation","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-10"},{"control_id":"PE-11","title":"Emergency Power","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-11.1","title":"Alternate Power Supply — Minimal Operational Capability","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-11"},{"control_id":"PE-11.2","title":"Alternate Power Supply — Self-contained","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-11"},{"control_id":"PE-12","title":"Emergency Lighting","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-12.1","title":"Essential Mission and Business Functions","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-12"},{"control_id":"PE-13","title":"Fire Protection","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-13.1","title":"Detection Systems — Automatic Activation and Notification","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-13"},{"control_id":"PE-13.2","title":"Suppression Systems — Automatic Activation and Notification","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-13"},{"control_id":"PE-13.3","title":"Automatic Fire Suppression","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-13"},{"control_id":"PE-13.4","title":"Inspections","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-13"},{"control_id":"PE-14","title":"Environmental Controls","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-14.1","title":"Automatic Controls","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-14"},{"control_id":"PE-14.2","title":"Monitoring with Alarms and Notifications","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-14"},{"control_id":"PE-15","title":"Water Damage Protection","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-15.1","title":"Automation Support","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-15"},{"control_id":"PE-16","title":"Delivery and Removal","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-17","title":"Alternate Work Site","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-18","title":"Location of System Components","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-18.1","title":"Facility Site","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-18"},{"control_id":"PE-19","title":"Information Leakage","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-19.1","title":"National Emissions Policies and Procedures","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-19"},{"control_id":"PE-2","title":"Physical Access Authorizations","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-2.1","title":"Access by Position or Role","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-2"},{"control_id":"PE-2.2","title":"Two Forms of Identification","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-2"},{"control_id":"PE-2.3","title":"Restrict Unescorted Access","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-2"},{"control_id":"PE-20","title":"Asset Monitoring and Tracking","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-21","title":"Electromagnetic Pulse Protection","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-22","title":"Component Marking","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-23","title":"Facility Location","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-3","title":"Physical Access Control","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-3.1","title":"System Access","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.2","title":"Facility and Systems","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.3","title":"Continuous Guards","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.4","title":"Lockable Casings","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.5","title":"Tamper Protection","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.6","title":"Facility Penetration Testing","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.7","title":"Physical Barriers","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-3.8","title":"Access Control Vestibules","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-3"},{"control_id":"PE-4","title":"Access Control for Transmission","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-5","title":"Access Control for Output Devices","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-5.1","title":"Access to Output by Authorized Individuals","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-5"},{"control_id":"PE-5.2","title":"Link to Individual Identity","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-5"},{"control_id":"PE-5.3","title":"Marking Output Devices","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-5"},{"control_id":"PE-6","title":"Monitoring Physical Access","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-6.1","title":"Intrusion Alarms and Surveillance Equipment","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-6"},{"control_id":"PE-6.2","title":"Automated Intrusion Recognition and Responses","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-6"},{"control_id":"PE-6.3","title":"Video Surveillance","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-6"},{"control_id":"PE-6.4","title":"Monitoring Physical Access to Systems","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-6"},{"control_id":"PE-7","title":"Visitor Control","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-8","title":"Visitor Access Records","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-8.1","title":"Automated Records Maintenance and Review","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-8"},{"control_id":"PE-8.2","title":"Physical Access Records","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-8"},{"control_id":"PE-8.3","title":"Limit Personally Identifiable Information Elements","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-8"},{"control_id":"PE-9","title":"Power Equipment and Cabling","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PE-9.1","title":"Redundant Cabling","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-9"},{"control_id":"PE-9.2","title":"Automatic Voltage Controls","family":"PE","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PE-9"},{"control_id":"PL-1","title":"Policy and Procedures","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-10","title":"Baseline Selection","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-11","title":"Baseline Tailoring","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-2","title":"System Security and Privacy Plans","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-2.1","title":"Concept of Operations","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-2"},{"control_id":"PL-2.2","title":"Functional Architecture","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-2"},{"control_id":"PL-2.3","title":"Plan and Coordinate with Other Organizational Entities","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-2"},{"control_id":"PL-3","title":"System Security Plan Update","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-4","title":"Rules of Behavior","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-4.1","title":"Social Media and External Site/Application Usage Restrictions","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-4"},{"control_id":"PL-5","title":"Privacy Impact Assessment","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-6","title":"Security-related Activity Planning","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-7","title":"Concept of Operations","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-8","title":"Security and Privacy Architectures","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PL-8.1","title":"Defense in Depth","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-8"},{"control_id":"PL-8.2","title":"Supplier Diversity","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PL-8"},{"control_id":"PL-9","title":"Central Management","family":"PL","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-1","title":"Information Security Program Plan","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-10","title":"Authorization Process","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-11","title":"Mission and Business Process Definition","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-12","title":"Insider Threat Program","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-13","title":"Security and Privacy Workforce","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-14","title":"Testing, Training, and Monitoring","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-15","title":"Security and Privacy Groups and Associations","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-16","title":"Threat Awareness Program","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-16.1","title":"Automated Means for Sharing Threat Intelligence","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PM-16"},{"control_id":"PM-17","title":"Protecting Controlled Unclassified Information on External Systems","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-18","title":"Privacy Program Plan","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-19","title":"Privacy Program Leadership Role","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-2","title":"Information Security Program Leadership Role","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-20","title":"Dissemination of Privacy Program Information","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-20.1","title":"Privacy Policies on Websites, Applications, and Digital Services","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PM-20"},{"control_id":"PM-21","title":"Accounting of Disclosures","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-22","title":"Personally Identifiable Information Quality Management","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-23","title":"Data Governance Body","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-24","title":"Data Integrity Board","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-25","title":"Minimization of Personally Identifiable Information Used in Testing, Training, and Research","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-26","title":"Complaint Management","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-27","title":"Privacy Reporting","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-28","title":"Risk Framing","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-29","title":"Risk Management Program Leadership Roles","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-3","title":"Information Security and Privacy Resources","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-30","title":"Supply Chain Risk Management Strategy","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-30.1","title":"Suppliers of Critical or Mission-essential Items","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PM-30"},{"control_id":"PM-31","title":"Continuous Monitoring Strategy","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-32","title":"Purposing","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-4","title":"Plan of Action and Milestones Process","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-5","title":"System Inventory","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-5.1","title":"Inventory of Personally Identifiable Information","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PM-5"},{"control_id":"PM-6","title":"Measures of Performance","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-7","title":"Enterprise Architecture","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-7.1","title":"Offloading","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PM-7"},{"control_id":"PM-8","title":"Critical Infrastructure Plan","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PM-9","title":"Risk Management Strategy","family":"PM","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-1","title":"Policy and Procedures","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-2","title":"Position Risk Designation","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-3","title":"Personnel Screening","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-3.1","title":"Classified Information","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-3"},{"control_id":"PS-3.2","title":"Formal Indoctrination","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-3"},{"control_id":"PS-3.3","title":"Information Requiring Special Protective Measures","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-3"},{"control_id":"PS-3.4","title":"Citizenship Requirements","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-3"},{"control_id":"PS-4","title":"Personnel Termination","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-4.1","title":"Post-employment Requirements","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-4"},{"control_id":"PS-4.2","title":"Automated Actions","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-4"},{"control_id":"PS-5","title":"Personnel Transfer","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-6","title":"Access Agreements","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-6.1","title":"Information Requiring Special Protection","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-6"},{"control_id":"PS-6.2","title":"Classified Information Requiring Special Protection","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-6"},{"control_id":"PS-6.3","title":"Post-employment Requirements","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PS-6"},{"control_id":"PS-7","title":"External Personnel Security","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-8","title":"Personnel Sanctions","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PS-9","title":"Position Descriptions","family":"PS","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-1","title":"Policy and Procedures","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-2","title":"Authority to Process Personally Identifiable Information","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-2.1","title":"Data Tagging","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-2"},{"control_id":"PT-2.2","title":"Automation","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-2"},{"control_id":"PT-3","title":"Personally Identifiable Information Processing Purposes","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-3.1","title":"Data Tagging","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-3"},{"control_id":"PT-3.2","title":"Automation","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-3"},{"control_id":"PT-4","title":"Consent","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-4.1","title":"Tailored Consent","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-4"},{"control_id":"PT-4.2","title":"Just-in-time Consent","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-4"},{"control_id":"PT-4.3","title":"Revocation","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-4"},{"control_id":"PT-5","title":"Privacy Notice","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-5.1","title":"Just-in-time Notice","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-5"},{"control_id":"PT-5.2","title":"Privacy Act Statements","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-5"},{"control_id":"PT-6","title":"System of Records Notice","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-6.1","title":"Routine Uses","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-6"},{"control_id":"PT-6.2","title":"Exemption Rules","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-6"},{"control_id":"PT-7","title":"Specific Categories of Personally Identifiable Information","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"PT-7.1","title":"Social Security Numbers","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-7"},{"control_id":"PT-7.2","title":"First Amendment Information","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PT-7"},{"control_id":"PT-8","title":"Computer Matching Requirements","family":"PT","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-05","title":"Vulnerability Monitoring and Scanning","family":"RA","techniques":[{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127.001","name":"MSBuild","detectable":true,"detections":"Sigma, CAR"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560","name":"Archive Collected Data","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560.001","name":"Archive via Utility","detectable":true,"detections":"Sigma, CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"}],"technique_count":107,"detectable_count":80,"coverage_pct":74,"has_mapping":true,"is_enhancement":false},{"control_id":"RA-09","title":"Criticality Analysis","family":"RA","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":12,"detectable_count":4,"coverage_pct":33,"has_mapping":true,"is_enhancement":false},{"control_id":"RA-1","title":"Policy and Procedures","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-10","title":"Threat Hunting","family":"RA","techniques":[{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":8,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"RA-2","title":"Security Categorization","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-2.1","title":"Impact-level Prioritization","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-2"},{"control_id":"RA-3","title":"Risk Assessment","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-3.1","title":"Supply Chain Risk Assessment","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-3"},{"control_id":"RA-3.2","title":"Use of All-source Intelligence","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-3"},{"control_id":"RA-3.3","title":"Dynamic Threat Awareness","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-3"},{"control_id":"RA-3.4","title":"Predictive Cyber Analytics","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-3"},{"control_id":"RA-4","title":"Risk Assessment Update","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-5","title":"Vulnerability Monitoring and Scanning","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-5.1","title":"Update Tool Capability","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.10","title":"Correlate Scanning Information","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.11","title":"Public Disclosure Program","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.2","title":"Update Vulnerabilities to Be Scanned","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.3","title":"Breadth and Depth of Coverage","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.4","title":"Discoverable Information","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.5","title":"Privileged Access","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.6","title":"Automated Trend Analyses","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.7","title":"Automated Detection and Notification of Unauthorized Components","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.8","title":"Review Historic Audit Logs","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-5.9","title":"Penetration Testing and Analyses","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"RA-5"},{"control_id":"RA-6","title":"Technical Surveillance Countermeasures Survey","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-7","title":"Risk Response","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-8","title":"Privacy Impact Assessments","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"RA-9","title":"Criticality Analysis","family":"RA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-03","title":"System Development Life Cycle","family":"SA","techniques":[{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":5,"coverage_pct":83,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-04","title":"Acquisition Process","family":"SA","techniques":[{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":5,"coverage_pct":83,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-08","title":"Security and Privacy Engineering Principles","family":"SA","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":20,"detectable_count":13,"coverage_pct":65,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-09","title":"External System Services","family":"SA","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":6,"detectable_count":5,"coverage_pct":83,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-1","title":"Policy and Procedures","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-10","title":"Developer Configuration Management","family":"SA","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":27,"detectable_count":15,"coverage_pct":55,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-10.1","title":"Software and Firmware Integrity Verification","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.2","title":"Alternative Configuration Management Processes","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.3","title":"Hardware Integrity Verification","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.4","title":"Trusted Generation","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.5","title":"Mapping Integrity for Version Control","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.6","title":"Trusted Distribution","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-10.7","title":"Security and Privacy Representatives","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-10"},{"control_id":"SA-11","title":"Developer Testing and Evaluation","family":"SA","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":34,"detectable_count":21,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-11.1","title":"Static Code Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.2","title":"Threat Modeling and Vulnerability Analyses","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.3","title":"Independent Verification of Assessment Plans and Evidence","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.4","title":"Manual Code Reviews","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.5","title":"Penetration Testing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.6","title":"Attack Surface Reviews","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.7","title":"Verify Scope of Testing and Evaluation","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.8","title":"Dynamic Code Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-11.9","title":"Interactive Application Security Testing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-11"},{"control_id":"SA-12","title":"Supply Chain Protection","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-12.1","title":"Acquisition Strategies / Tools / Methods","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.10","title":"Validate as Genuine and Not Altered","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.11","title":"Penetration Testing / Analysis of Elements, Processes, and Actors","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.12","title":"Inter-organizational Agreements","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.13","title":"Critical Information System Components","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.14","title":"Identity and Traceability","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.15","title":"Processes to Address Weaknesses or Deficiencies","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.2","title":"Supplier Reviews","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.3","title":"Trusted Shipping and Warehousing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.4","title":"Diversity of Suppliers","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.5","title":"Limitation of Harm","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.6","title":"Minimizing Procurement Time","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.7","title":"Assessments Prior to Selection / Acceptance / Update","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.8","title":"Use of All-source Intelligence","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-12.9","title":"Operations Security","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-12"},{"control_id":"SA-13","title":"Trustworthiness","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-14","title":"Criticality Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-14.1","title":"Critical Components with No Viable Alternative Sourcing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-14"},{"control_id":"SA-15","title":"Development Process, Standards, and Tools","family":"SA","techniques":[{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"}],"technique_count":14,"detectable_count":12,"coverage_pct":85,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-15.1","title":"Quality Metrics","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.10","title":"Incident Response Plan","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.11","title":"Archive System or Component","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.12","title":"Minimize Personally Identifiable Information","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.13","title":"Logging Syntax","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.2","title":"Security and Privacy Tracking Tools","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.3","title":"Criticality Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.4","title":"Threat Modeling and Vulnerability Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.5","title":"Attack Surface Reduction","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.6","title":"Continuous Improvement","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.7","title":"Automated Vulnerability Analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.8","title":"Reuse of Threat and Vulnerability Information","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-15.9","title":"Use of Live Data","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-15"},{"control_id":"SA-16","title":"Developer-provided Training","family":"SA","techniques":[{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"}],"technique_count":3,"detectable_count":2,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-17","title":"Developer Security and Privacy Architecture and Design","family":"SA","techniques":[{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":6,"coverage_pct":85,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-17.1","title":"Formal Policy Model","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.2","title":"Security-relevant Components","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.3","title":"Formal Correspondence","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.4","title":"Informal Correspondence","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.5","title":"Conceptually Simple Design","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.6","title":"Structure for Testing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.7","title":"Structure for Least Privilege","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.8","title":"Orchestration","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-17.9","title":"Design Diversity","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-17"},{"control_id":"SA-18","title":"Tamper Resistance and Detection","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-18.1","title":"Multiple Phases of System Development Life Cycle","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-18"},{"control_id":"SA-18.2","title":"Inspection of Systems or Components","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-18"},{"control_id":"SA-19","title":"Component Authenticity","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-19.1","title":"Anti-counterfeit Training","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-19"},{"control_id":"SA-19.2","title":"Configuration Control for Component Service and Repair","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-19"},{"control_id":"SA-19.3","title":"Component Disposal","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-19"},{"control_id":"SA-19.4","title":"Anti-counterfeit Scanning","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-19"},{"control_id":"SA-2","title":"Allocation of Resources","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-20","title":"Customized Development of Critical Components","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-21","title":"Developer Screening","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-21.1","title":"Validation of Screening","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-21"},{"control_id":"SA-22","title":"Unsupported System Components","family":"SA","techniques":[{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"}],"technique_count":6,"detectable_count":6,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SA-22.1","title":"Alternative Sources for Continued Support","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-22"},{"control_id":"SA-23","title":"Specialization","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-24","title":"Design For Cyber Resiliency","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-3","title":"System Development Life Cycle","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-3.1","title":"Manage Preproduction Environment","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-3"},{"control_id":"SA-3.2","title":"Use of Live or Operational Data","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-3"},{"control_id":"SA-3.3","title":"Technology Refresh","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-3"},{"control_id":"SA-4","title":"Acquisition Process","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-4.1","title":"Functional Properties of Controls","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.10","title":"Use of Approved PIV Products","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.11","title":"System of Records","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.12","title":"Data Ownership","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.2","title":"Design and Implementation Information for Controls","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.3","title":"Development Methods, Techniques, and Practices","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.4","title":"Assignment of Components to Systems","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.5","title":"System, Component, and Service Configurations","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.6","title":"Use of Information Assurance Products","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.7","title":"NIAP-approved Protection Profiles","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.8","title":"Continuous Monitoring Plan for Controls","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-4.9","title":"Functions, Ports, Protocols, and Services in Use","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-4"},{"control_id":"SA-5","title":"System Documentation","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-5.1","title":"Functional Properties of Security Controls","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-5"},{"control_id":"SA-5.2","title":"Security-relevant External System Interfaces","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-5"},{"control_id":"SA-5.3","title":"High-level Design","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-5"},{"control_id":"SA-5.4","title":"Low-level Design","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-5"},{"control_id":"SA-5.5","title":"Source Code","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-5"},{"control_id":"SA-6","title":"Software Usage Restrictions","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-7","title":"User-installed Software","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-8","title":"Security and Privacy Engineering Principles","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-8.1","title":"Clear Abstractions","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.10","title":"Hierarchical Trust","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.11","title":"Inverse Modification Threshold","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.12","title":"Hierarchical Protection","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.13","title":"Minimized Security Elements","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.14","title":"Least Privilege","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.15","title":"Predicate Permission","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.16","title":"Self-reliant Trustworthiness","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.17","title":"Secure Distributed Composition","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.18","title":"Trusted Communications Channels","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.19","title":"Continuous Protection","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.2","title":"Least Common Mechanism","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.20","title":"Secure Metadata Management","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.21","title":"Self-analysis","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.22","title":"Accountability and Traceability","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.23","title":"Secure Defaults","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.24","title":"Secure Failure and Recovery","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.25","title":"Economic Security","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.26","title":"Performance Security","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.27","title":"Human Factored Security","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.28","title":"Acceptable Security","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.29","title":"Repeatable and Documented Procedures","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.3","title":"Modularity and Layering","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.30","title":"Procedural Rigor","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.31","title":"Secure System Modification","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.32","title":"Sufficient Documentation","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.33","title":"Minimization","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.4","title":"Partially Ordered Dependencies","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.5","title":"Efficiently Mediated Access","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.6","title":"Minimized Sharing","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.7","title":"Reduced Complexity","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.8","title":"Secure Evolvability","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-8.9","title":"Trusted Components","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-8"},{"control_id":"SA-9","title":"External System Services","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SA-9.1","title":"Risk Assessments and Organizational Approvals","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.2","title":"Identification of Functions, Ports, Protocols, and Services","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.3","title":"Establish and Maintain Trust Relationship with Providers","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.4","title":"Consistent Interests of Consumers and Providers","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.5","title":"Processing, Storage, and Service Location","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.6","title":"Organization-controlled Cryptographic Keys","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.7","title":"Organization-controlled Integrity Checking","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SA-9.8","title":"Processing and Storage Location — U.S. Jurisdiction","family":"SA","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SA-9"},{"control_id":"SC-02","title":"Separation of System and User Functionality","family":"SC","techniques":[{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":8,"detectable_count":8,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-03","title":"Security Function Isolation","family":"SC","techniques":[{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":18,"detectable_count":15,"coverage_pct":83,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-04","title":"Information in Shared System Resources","family":"SC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1595.003","name":"Wordlist Scanning","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":29,"detectable_count":15,"coverage_pct":51,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-05","title":"Denial-of-service Protection","family":"SC","techniques":[{"id":"T1496.003","name":"SMS Pumping","detectable":false}],"technique_count":1,"detectable_count":0,"coverage_pct":0,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-06","title":"Resource Availability","family":"SC","techniques":[{"id":"T1564.009","name":"Resource Forking","detectable":false}],"technique_count":1,"detectable_count":0,"coverage_pct":0,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-07","title":"Boundary Protection","family":"SC","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560","name":"Archive Collected Data","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560.001","name":"Archive via Utility","detectable":true,"detections":"Sigma, CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":156,"detectable_count":109,"coverage_pct":69,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-08","title":"Transmission Confidentiality and Integrity","family":"SC","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1090.004","name":"Domain Fronting","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":20,"detectable_count":11,"coverage_pct":55,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-1","title":"Policy and Procedures","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-10","title":"Network Disconnect","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":3,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-11","title":"Trusted Path","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-11.1","title":"Irrefutable Communications Path","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-11"},{"control_id":"SC-12","title":"Cryptographic Key Establishment and Management","family":"SC","techniques":[{"id":"T1521.003","name":"","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":11,"detectable_count":7,"coverage_pct":63,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-12.1","title":"Availability","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-12.2","title":"Symmetric Keys","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-12.3","title":"Asymmetric Keys","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-12.4","title":"PKI Certificates","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-12.5","title":"PKI Certificates / Hardware Tokens","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-12.6","title":"Physical Control of Keys","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-12"},{"control_id":"SC-13","title":"Cryptographic Protection","family":"SC","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":3,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-13.1","title":"FIPS-validated Cryptography","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-13"},{"control_id":"SC-13.2","title":"NSA-approved Cryptography","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-13"},{"control_id":"SC-13.3","title":"Individuals Without Formal Access Approvals","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-13"},{"control_id":"SC-13.4","title":"Digital Signatures","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-13"},{"control_id":"SC-14","title":"Public Access Protections","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-15","title":"Collaborative Computing Devices and Applications","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-15.1","title":"Physical or Logical Disconnect","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-15"},{"control_id":"SC-15.2","title":"Blocking Inbound and Outbound Communications Traffic","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-15"},{"control_id":"SC-15.3","title":"Disabling and Removal in Secure Work Areas","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-15"},{"control_id":"SC-15.4","title":"Explicitly Indicate Current Participants","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-15"},{"control_id":"SC-16","title":"Transmission of Security and Privacy Attributes","family":"SC","techniques":[{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"}],"technique_count":5,"detectable_count":3,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-16.1","title":"Integrity Verification","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-16"},{"control_id":"SC-16.2","title":"Anti-spoofing Mechanisms","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-16"},{"control_id":"SC-16.3","title":"Cryptographic Binding","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-16"},{"control_id":"SC-17","title":"Public Key Infrastructure Certificates","family":"SC","techniques":[{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":2,"detectable_count":2,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-18","title":"Mobile Code","family":"SC","techniques":[{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"}],"technique_count":38,"detectable_count":27,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-18.1","title":"Identify Unacceptable Code and Take Corrective Actions","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-18"},{"control_id":"SC-18.2","title":"Acquisition, Development, and Use","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-18"},{"control_id":"SC-18.3","title":"Prevent Downloading and Execution","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-18"},{"control_id":"SC-18.4","title":"Prevent Automatic Execution","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-18"},{"control_id":"SC-18.5","title":"Allow Execution Only in Confined Environments","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-18"},{"control_id":"SC-19","title":"Voice Over Internet Protocol","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-2","title":"Separation of System and User Functionality","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-2.1","title":"Interfaces for Non-privileged Users","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-2"},{"control_id":"SC-2.2","title":"Disassociability","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-2"},{"control_id":"SC-20","title":"Secure Name/Address Resolution Service (Authoritative Source)","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"}],"technique_count":14,"detectable_count":9,"coverage_pct":64,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-20.1","title":"Child Subspaces","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-20"},{"control_id":"SC-20.2","title":"Data Origin and Integrity","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-20"},{"control_id":"SC-21","title":"Secure Name/Address Resolution Service (Recursive or Caching Resolver)","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-21.1","title":"Data Origin and Integrity","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-21"},{"control_id":"SC-22","title":"Architecture and Provisioning for Name/Address Resolution Service","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-23","title":"Session Authenticity","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":20,"detectable_count":11,"coverage_pct":55,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-23.1","title":"Invalidate Session Identifiers at Logout","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-23"},{"control_id":"SC-23.2","title":"User-initiated Logouts and Message Displays","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-23"},{"control_id":"SC-23.3","title":"Unique System-generated Session Identifiers","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-23"},{"control_id":"SC-23.4","title":"Unique Session Identifiers with Randomization","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-23"},{"control_id":"SC-23.5","title":"Allowed Certificate Authorities","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-23"},{"control_id":"SC-24","title":"Fail in Known State","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-25","title":"Thin Nodes","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-26","title":"Decoys","family":"SC","techniques":[{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":3,"detectable_count":3,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-26.1","title":"Detection of Malicious Code","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-26"},{"control_id":"SC-27","title":"Platform-independent Applications","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-28","title":"Protection of Information at Rest","family":"SC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":42,"detectable_count":26,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-28.1","title":"Cryptographic Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-28"},{"control_id":"SC-28.2","title":"Offline Storage","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-28"},{"control_id":"SC-28.3","title":"Cryptographic Keys","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-28"},{"control_id":"SC-29","title":"Heterogeneity","family":"SC","techniques":[{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":5,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-29.1","title":"Virtualization Techniques","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-29"},{"control_id":"SC-3","title":"Security Function Isolation","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-3.1","title":"Hardware Separation","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-3"},{"control_id":"SC-3.2","title":"Access and Flow Control Functions","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-3"},{"control_id":"SC-3.3","title":"Minimize Nonsecurity Functionality","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-3"},{"control_id":"SC-3.4","title":"Module Coupling and Cohesiveness","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-3"},{"control_id":"SC-3.5","title":"Layered Structures","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-3"},{"control_id":"SC-30","title":"Concealment and Misdirection","family":"SC","techniques":[{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":7,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-30.1","title":"Virtualization Techniques","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-30"},{"control_id":"SC-30.2","title":"Randomness","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-30"},{"control_id":"SC-30.3","title":"Change Processing and Storage Locations","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-30"},{"control_id":"SC-30.4","title":"Misleading Information","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-30"},{"control_id":"SC-30.5","title":"Concealment of System Components","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-30"},{"control_id":"SC-31","title":"Covert Channel Analysis","family":"SC","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":11,"detectable_count":7,"coverage_pct":63,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-31.1","title":"Test Covert Channels for Exploitability","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-31"},{"control_id":"SC-31.2","title":"Maximum Bandwidth","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-31"},{"control_id":"SC-31.3","title":"Measure Bandwidth in Operational Environments","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-31"},{"control_id":"SC-32","title":"System Partitioning","family":"SC","techniques":[{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"}],"technique_count":1,"detectable_count":1,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-32.1","title":"Separate Physical Domains for Privileged Functions","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-32"},{"control_id":"SC-33","title":"Transmission Preparation Integrity","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-34","title":"Non-modifiable Executable Programs","family":"SC","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":15,"detectable_count":5,"coverage_pct":33,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-34.1","title":"No Writable Storage","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-34"},{"control_id":"SC-34.2","title":"Integrity Protection on Read-only Media","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-34"},{"control_id":"SC-34.3","title":"Hardware-based Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-34"},{"control_id":"SC-35","title":"External Malicious Code Identification","family":"SC","techniques":[{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":3,"detectable_count":3,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-36","title":"Distributed Processing and Storage","family":"SC","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":5,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-36.1","title":"Polling Techniques","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-36"},{"control_id":"SC-36.2","title":"Synchronization","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-36"},{"control_id":"SC-37","title":"Out-of-band Channels","family":"SC","techniques":[{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":8,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-37.1","title":"Ensure Delivery and Transmission","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-37"},{"control_id":"SC-38","title":"Operations Security","family":"SC","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"}],"technique_count":2,"detectable_count":1,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-39","title":"Process Isolation","family":"SC","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":22,"detectable_count":19,"coverage_pct":86,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-39.1","title":"Hardware Separation","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-39"},{"control_id":"SC-39.2","title":"Separate Execution Domain Per Thread","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-39"},{"control_id":"SC-4","title":"Information in Shared System Resources","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-4.1","title":"Security Levels","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-4"},{"control_id":"SC-4.2","title":"Multilevel or Periods Processing","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-4"},{"control_id":"SC-40","title":"Wireless Link Protection","family":"SC","techniques":[{"id":"T1557.004","name":"Evil Twin","detectable":false}],"technique_count":1,"detectable_count":0,"coverage_pct":0,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-40.1","title":"Electromagnetic Interference","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-40"},{"control_id":"SC-40.2","title":"Reduce Detection Potential","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-40"},{"control_id":"SC-40.3","title":"Imitative or Manipulative Communications Deception","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-40"},{"control_id":"SC-40.4","title":"Signal Parameter Identification","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-40"},{"control_id":"SC-41","title":"Port and I/O Device Access","family":"SC","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":2,"coverage_pct":40,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-42","title":"Sensor Capability and Data","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-42.1","title":"Reporting to Authorized Individuals or Roles","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-42"},{"control_id":"SC-42.2","title":"Authorized Use","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-42"},{"control_id":"SC-42.3","title":"Prohibit Use of Devices","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-42"},{"control_id":"SC-42.4","title":"Notice of Collection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-42"},{"control_id":"SC-42.5","title":"Collection Minimization","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-42"},{"control_id":"SC-43","title":"Usage Restrictions","family":"SC","techniques":[{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":4,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-44","title":"Detonation Chambers","family":"SC","techniques":[{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":22,"detectable_count":12,"coverage_pct":54,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-45","title":"System Time Synchronization","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-45.1","title":"Synchronization with Authoritative Time Source","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-45"},{"control_id":"SC-45.2","title":"Secondary Authoritative Time Source","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-45"},{"control_id":"SC-46","title":"Cross Domain Policy Enforcement","family":"SC","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1482","name":"Domain Trust Discovery","detectable":true,"detections":"Sigma"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":27,"detectable_count":23,"coverage_pct":85,"has_mapping":true,"is_enhancement":false},{"control_id":"SC-47","title":"Alternate Communications Paths","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-48","title":"Sensor Relocation","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-48.1","title":"Dynamic Relocation of Sensors or Monitoring Capabilities","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-48"},{"control_id":"SC-49","title":"Hardware-enforced Separation and Policy Enforcement","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-5","title":"Denial-of-service Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-5.1","title":"Restrict Ability to Attack Other Systems","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-5"},{"control_id":"SC-5.2","title":"Capacity, Bandwidth, and Redundancy","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-5"},{"control_id":"SC-5.3","title":"Detection and Monitoring","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-5"},{"control_id":"SC-50","title":"Software-enforced Separation and Policy Enforcement","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-51","title":"Hardware-based Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-6","title":"Resource Availability","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-7","title":"Boundary Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-7.1","title":"Physically Separated Subnetworks","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.10","title":"Prevent Exfiltration","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.11","title":"Restrict Incoming Communications Traffic","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.12","title":"Host-based Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.13","title":"Isolation of Security Tools, Mechanisms, and Support Components","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.14","title":"Protect Against Unauthorized Physical Connections","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.15","title":"Networked Privileged Accesses","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.16","title":"Prevent Discovery of System Components","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.17","title":"Automated Enforcement of Protocol Formats","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.18","title":"Fail Secure","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.19","title":"Block Communication from Non-organizationally Configured Hosts","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.2","title":"Public Access","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.20","title":"Dynamic Isolation and Segregation","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.21","title":"Isolation of System Components","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.22","title":"Separate Subnets for Connecting to Different Security Domains","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.23","title":"Disable Sender Feedback on Protocol Validation Failure","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.24","title":"Personally Identifiable Information","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.25","title":"Unclassified National Security System Connections","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.26","title":"Classified National Security System Connections","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.27","title":"Unclassified Non-national Security System Connections","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.28","title":"Connections to Public Networks","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.29","title":"Separate Subnets to Isolate Functions","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.3","title":"Access Points","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.4","title":"External Telecommunications Services","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.5","title":"Deny by Default — Allow by Exception","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.6","title":"Response to Recognized Failures","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.7","title":"Split Tunneling for Remote Devices","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.8","title":"Route Traffic to Authenticated Proxy Servers","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-7.9","title":"Restrict Threatening Outgoing Communications Traffic","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-7"},{"control_id":"SC-8","title":"Transmission Confidentiality and Integrity","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SC-8.1","title":"Cryptographic Protection","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-8"},{"control_id":"SC-8.2","title":"Pre- and Post-transmission Handling","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-8"},{"control_id":"SC-8.3","title":"Cryptographic Protection for Message Externals","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-8"},{"control_id":"SC-8.4","title":"Conceal or Randomize Communications","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-8"},{"control_id":"SC-8.5","title":"Protected Distribution System","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SC-8"},{"control_id":"SC-9","title":"Transmission Confidentiality","family":"SC","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-02","title":"Flaw Remediation","family":"SI","techniques":[{"id":"T1027.007","name":"Dynamic API Resolution","detectable":false},{"id":"T1027.008","name":"Stripped Payloads","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.011","name":"Application Shimming","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.002","name":"Pass the Hash","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":84,"detectable_count":58,"coverage_pct":69,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-03","title":"Malicious Code Protection","family":"SI","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1027.007","name":"Dynamic API Resolution","detectable":false},{"id":"T1027.008","name":"Stripped Payloads","detectable":false},{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1027.013","name":"Encrypted/Encoded File","detectable":false},{"id":"T1027.014","name":"Polymorphic Code","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1055.015","name":"ListPlanting","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1070.010","name":"Relocate Malware","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.011","name":"Spoof Security Alerting","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1564.012","name":"File/Path Exclusions","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1056.002","name":"GUI Input Capture","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.001","name":"Component Object Model","detectable":true,"detections":"Sigma"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560","name":"Archive Collected Data","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560.001","name":"Archive via Utility","detectable":true,"detections":"Sigma, CAR"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":226,"detectable_count":152,"coverage_pct":67,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-04","title":"System Monitoring","family":"SI","techniques":[{"id":"T1001.001","name":"Junk Data","detectable":false},{"id":"T1001.002","name":"Steganography","detectable":false},{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1011","name":"Exfiltration Over Other Network Medium","detectable":false},{"id":"T1011.001","name":"Exfiltration Over Bluetooth","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1027.007","name":"Dynamic API Resolution","detectable":false},{"id":"T1027.008","name":"Stripped Payloads","detectable":false},{"id":"T1027.011","name":"Fileless Storage","detectable":false},{"id":"T1027.012","name":"LNK Icon Smuggling","detectable":false},{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1055.002","name":"Portable Executable Injection","detectable":false},{"id":"T1055.004","name":"Asynchronous Procedure Call","detectable":false},{"id":"T1055.005","name":"Thread Local Storage","detectable":false},{"id":"T1055.013","name":"Process Doppelgänging","detectable":false},{"id":"T1055.014","name":"VDSO Hijacking","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1070.010","name":"Relocate Malware","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.007","name":"Additional Local or Domain Groups","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1205.002","name":"Socket Filters","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1546.016","name":"Installer Packages","detectable":false},{"id":"T1547.007","name":"Re-opened Applications","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1552.008","name":"Chat Messages","detectable":false},{"id":"T1555.002","name":"Securityd Memory","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.003","name":"Impair Command History Logging","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1562.011","name":"Spoof Security Alerting","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1564.007","name":"VBA Stomping","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1564.010","name":"Process Argument Spoofing","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1573.001","name":"Symmetric Cryptography","detectable":false},{"id":"T1573.002","name":"Asymmetric Cryptography","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1001","name":"Data Obfuscation","detectable":true,"detections":"IDS"},{"id":"T1001.003","name":"Protocol or Service Impersonation","detectable":true,"detections":"Sigma"},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1030","name":"Data Transfer Size Limits","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.003","name":"Rename Legitimate Utilities","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1036.007","name":"Double File Extension","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1053","name":"Scheduled Task/Job","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.002","name":"At","detectable":true,"detections":"Sigma, CAR"},{"id":"T1053.003","name":"Cron","detectable":true,"detections":"Sigma, Falco"},{"id":"T1053.005","name":"Scheduled Task","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055","name":"Process Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.001","name":"Dynamic-link Library Injection","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.003","name":"Thread Execution Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1055.008","name":"Ptrace System Calls","detectable":true,"detections":"Falco"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1055.011","name":"Extra Window Memory Injection","detectable":true,"detections":"Sigma"},{"id":"T1055.012","name":"Process Hollowing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1056.002","name":"GUI Input Capture","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1087.002","name":"Domain Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1102","name":"Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1102.001","name":"Dead Drop Resolver","detectable":true,"detections":"Sigma"},{"id":"T1102.002","name":"Bidirectional Communication","detectable":true,"detections":"Sigma"},{"id":"T1102.003","name":"One-Way Communication","detectable":true,"detections":"Sigma"},{"id":"T1105","name":"Ingress Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1106","name":"Native API","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1127.001","name":"MSBuild","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1135","name":"Network Share Discovery","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1201","name":"Password Policy Discovery","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1546.014","name":"Emond","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.001","name":"Setuid and Setgid","detectable":true,"detections":"Sigma, Falco"},{"id":"T1548.002","name":"Bypass User Account Control","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548.003","name":"Sudo and Sudo Caching","detectable":true,"detections":"Sigma, Falco"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.003","name":"Pass the Ticket","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.006","name":"Group Policy Preferences","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.004","name":"Install Root Certificate","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.001","name":"Keychain","detectable":true,"detections":"Sigma"},{"id":"T1555.004","name":"Windows Credential Manager","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.002","name":"Password Filter DLL","detectable":true,"detections":"Sigma"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1559.002","name":"Dynamic Data Exchange","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560","name":"Archive Collected Data","detectable":true,"detections":"Sigma, CAR"},{"id":"T1560.001","name":"Archive via Utility","detectable":true,"detections":"Sigma, CAR"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568","name":"Dynamic Resolution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1568.002","name":"Domain Generation Algorithms","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1573","name":"Encrypted Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.005","name":"Executable Installer File Permissions Weakness","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.010","name":"Services File Permissions Weakness","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"},{"id":"T1653","name":"Power Settings","detectable":true,"detections":"Sigma"}],"technique_count":375,"detectable_count":253,"coverage_pct":67,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-05","title":"Security Alerts, Advisories, and Directives","family":"SI","techniques":[{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-07","title":"Software, Firmware, and Information Integrity","family":"SI","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1027.007","name":"Dynamic API Resolution","detectable":false},{"id":"T1027.008","name":"Stripped Payloads","detectable":false},{"id":"T1036.001","name":"Invalid Code Signature","detectable":false},{"id":"T1037.002","name":"Login Hook","detectable":false},{"id":"T1037.003","name":"Network Logon Script","detectable":false},{"id":"T1037.004","name":"RC Scripts","detectable":false},{"id":"T1053.006","name":"Systemd Timers","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.010","name":"AutoHotKey \u0026 AutoIT","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1070.010","name":"Relocate Malware","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1216.002","name":"SyncAppvPublishingServer","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1556.008","name":"Network Provider DLL","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.009","name":"Safe Mode Boot","detectable":false},{"id":"T1562.010","name":"Downgrade Attack","detectable":false},{"id":"T1562.011","name":"Spoof Security Alerting","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1564.008","name":"Email Hiding Rules","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1564.010","name":"Process Argument Spoofing","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1574.004","name":"Dylib Hijacking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1027.002","name":"Software Packing","detectable":true,"detections":"Sigma"},{"id":"T1027.009","name":"Embedded Payloads","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.005","name":"Startup Items","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1056.002","name":"GUI Input Capture","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1070.003","name":"Clear Command History","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1112","name":"Modify Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1185","name":"Browser Session Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1189","name":"Drive-by Compromise","detectable":true,"detections":"Sigma, IDS"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1203","name":"Exploitation for Client Execution","detectable":true,"detections":"Sigma, IDS"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1222","name":"File and Directory Permissions Modification","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.001","name":"Windows Permissions","detectable":true,"detections":"Sigma, CAR"},{"id":"T1222.002","name":"Linux and Mac Permissions","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.004","name":"Unix Shell Configuration Modification","detectable":true,"detections":"Sigma, Falco"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.013","name":"PowerShell Profile","detectable":true,"detections":"Sigma"},{"id":"T1547.002","name":"Authentication Package","detectable":true,"detections":"Sigma"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.005","name":"Security Support Provider","detectable":true,"detections":"Sigma"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1547.008","name":"LSASS Driver","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"},{"id":"T1562.006","name":"Indicator Blocking","detectable":true,"detections":"CAR"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.004","name":"NTFS File Attributes","detectable":true,"detections":"Sigma, CAR"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1569","name":"System Services","detectable":true,"detections":"Sigma, CAR"},{"id":"T1569.002","name":"Service Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":209,"detectable_count":136,"coverage_pct":65,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-08","title":"Spam Protection","family":"SI","techniques":[{"id":"T1137.001","name":"Office Template Macros","detectable":false},{"id":"T1137.004","name":"Outlook Home Page","detectable":false},{"id":"T1137.005","name":"Outlook Rules","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1566.003","name":"Spearphishing via Service","detectable":false},{"id":"T1598","name":"Phishing for Information","detectable":false},{"id":"T1598.001","name":"Spearphishing Service","detectable":false},{"id":"T1598.002","name":"Spearphishing Attachment","detectable":false},{"id":"T1598.003","name":"Spearphishing Link","detectable":false},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1137.003","name":"Outlook Forms","detectable":true,"detections":"Sigma"},{"id":"T1137.006","name":"Add-ins","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.001","name":"Malicious Link","detectable":true,"detections":"Sigma"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1566","name":"Phishing","detectable":true,"detections":"Sigma, IDS"},{"id":"T1566.001","name":"Spearphishing Attachment","detectable":true,"detections":"Sigma"},{"id":"T1566.002","name":"Spearphishing Link","detectable":true,"detections":"Sigma"}],"technique_count":20,"detectable_count":11,"coverage_pct":55,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-1","title":"Policy and Procedures","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-10","title":"Information Input Validation","family":"SI","techniques":[{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":101,"detectable_count":78,"coverage_pct":77,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-10.1","title":"Manual Override Capability","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-10.2","title":"Review and Resolve Errors","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-10.3","title":"Predictable Behavior","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-10.4","title":"Timing Interactions","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-10.5","title":"Restrict Inputs to Trusted Sources and Approved Formats","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-10.6","title":"Injection Prevention","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-10"},{"control_id":"SI-11","title":"Error Handling","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-12","title":"Information Management and Retention","family":"SI","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-12.1","title":"Limit Personally Identifiable Information Elements","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-12"},{"control_id":"SI-12.2","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-12"},{"control_id":"SI-12.3","title":"Information Disposal","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-12"},{"control_id":"SI-13","title":"Predictable Failure Prevention","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-13.1","title":"Transferring Component Responsibilities","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-13"},{"control_id":"SI-13.2","title":"Time Limit on Process Execution Without Supervision","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-13"},{"control_id":"SI-13.3","title":"Manual Transfer Between Components","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-13"},{"control_id":"SI-13.4","title":"Standby Component Installation and Notification","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-13"},{"control_id":"SI-13.5","title":"Failover Capability","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-13"},{"control_id":"SI-14","title":"Non-persistence","family":"SI","techniques":[{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":7,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-14.1","title":"Refresh from Trusted Sources","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-14"},{"control_id":"SI-14.2","title":"Non-persistent Information","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-14"},{"control_id":"SI-14.3","title":"Non-persistent Connectivity","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-14"},{"control_id":"SI-15","title":"Information Output Filtering","family":"SI","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":42,"detectable_count":29,"coverage_pct":69,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-16","title":"Memory Protection","family":"SI","techniques":[{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1059.011","name":"Lua","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1055.009","name":"Proc Memory","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1543.002","name":"Systemd Service","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1611","name":"Escape to Host","detectable":true,"detections":"Sigma, Falco"}],"technique_count":36,"detectable_count":29,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-17","title":"Fail-safe Procedures","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-18","title":"Personally Identifiable Information Quality Operations","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-18.1","title":"Automation Support","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-18"},{"control_id":"SI-18.2","title":"Data Tags","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-18"},{"control_id":"SI-18.3","title":"Collection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-18"},{"control_id":"SI-18.4","title":"Individual Requests","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-18"},{"control_id":"SI-18.5","title":"Notice of Correction or Deletion","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-18"},{"control_id":"SI-19","title":"De-identification","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-19.1","title":"Collection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.2","title":"Archiving","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.3","title":"Release","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.4","title":"Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.5","title":"Statistical Disclosure Control","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.6","title":"Differential Privacy","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.7","title":"Validated Algorithms and Software","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-19.8","title":"Motivated Intruder","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-19"},{"control_id":"SI-2","title":"Flaw Remediation","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-2.1","title":"Central Management","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.2","title":"Automated Flaw Remediation Status","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.3","title":"Time to Remediate Flaws and Benchmarks for Corrective Actions","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.4","title":"Automated Patch Management Tools","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.5","title":"Automatic Software and Firmware Updates","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.6","title":"Removal of Previous Versions of Software and Firmware","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-2.7","title":"Root Cause Analysis","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-2"},{"control_id":"SI-20","title":"Tainting","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-21","title":"Information Refresh","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-22","title":"Information Diversity","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-23","title":"Information Fragmentation","family":"SI","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":6,"coverage_pct":85,"has_mapping":true,"is_enhancement":false},{"control_id":"SI-3","title":"Malicious Code Protection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-3.1","title":"Central Management","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.10","title":"Malicious Code Analysis","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.2","title":"Automatic Updates","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.3","title":"Non-privileged Users","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.4","title":"Updates Only by Privileged Users","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.5","title":"Portable Storage Devices","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.6","title":"Testing and Verification","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.7","title":"Nonsignature-based Detection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.8","title":"Detect Unauthorized Commands","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-3.9","title":"Authenticate Remote Commands","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-3"},{"control_id":"SI-4","title":"System Monitoring","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-4.1","title":"System-wide Intrusion Detection System","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.10","title":"Visibility of Encrypted Communications","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.11","title":"Analyze Communications Traffic Anomalies","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.12","title":"Automated Organization-generated Alerts","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.13","title":"Analyze Traffic and Event Patterns","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.14","title":"Wireless Intrusion Detection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.15","title":"Wireless to Wireline Communications","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.16","title":"Correlate Monitoring Information","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.17","title":"Integrated Situational Awareness","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.18","title":"Analyze Traffic and Covert Exfiltration","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.19","title":"Risk for Individuals","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.2","title":"Automated Tools and Mechanisms for Real-time Analysis","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.20","title":"Privileged Users","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.21","title":"Probationary Periods","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.22","title":"Unauthorized Network Services","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.23","title":"Host-based Devices","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.24","title":"Indicators of Compromise","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.25","title":"Optimize Network Traffic Analysis","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.3","title":"Automated Tool and Mechanism Integration","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.4","title":"Inbound and Outbound Communications Traffic","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.5","title":"System-generated Alerts","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.6","title":"Restrict Non-privileged Users","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.7","title":"Automated Response to Suspicious Events","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.8","title":"Protection of Monitoring Information","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-4.9","title":"Testing of Monitoring Tools and Mechanisms","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-4"},{"control_id":"SI-5","title":"Security Alerts, Advisories, and Directives","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-5.1","title":"Automated Alerts and Advisories","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-5"},{"control_id":"SI-6","title":"Security and Privacy Function Verification","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-6.1","title":"Notification of Failed Security Tests","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-6"},{"control_id":"SI-6.2","title":"Automation Support for Distributed Testing","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-6"},{"control_id":"SI-6.3","title":"Report Verification Results","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-6"},{"control_id":"SI-7","title":"Software, Firmware, and Information Integrity","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-7.1","title":"Integrity Checks","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.10","title":"Protection of Boot Firmware","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.11","title":"Confined Environments with Limited Privileges","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.12","title":"Integrity Verification","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.13","title":"Code Execution in Protected Environments","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.14","title":"Binary or Machine Executable Code","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.15","title":"Code Authentication","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.16","title":"Time Limit on Process Execution Without Supervision","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.17","title":"Runtime Application Self-protection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.2","title":"Automated Notifications of Integrity Violations","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.3","title":"Centrally Managed Integrity Tools","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.4","title":"Tamper-evident Packaging","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.5","title":"Automated Response to Integrity Violations","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.6","title":"Cryptographic Protection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.7","title":"Integration of Detection and Response","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.8","title":"Auditing Capability for Significant Events","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-7.9","title":"Verify Boot Process","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-7"},{"control_id":"SI-8","title":"Spam Protection","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SI-8.1","title":"Central Management","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-8"},{"control_id":"SI-8.2","title":"Automatic Updates","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-8"},{"control_id":"SI-8.3","title":"Continuous Learning Capability","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SI-8"},{"control_id":"SI-9","title":"Information Input Restrictions","family":"SI","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-04","title":"Provenance","family":"SR","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":22,"detectable_count":13,"coverage_pct":59,"has_mapping":true,"is_enhancement":false},{"control_id":"SR-05","title":"Acquisition Strategies, Tools, and Methods","family":"SR","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"}],"technique_count":15,"detectable_count":9,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"SR-1","title":"Policy and Procedures","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-10","title":"Inspection of Systems or Components","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-11","title":"Component Authenticity","family":"SR","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1554","name":"Compromise Host Software Binary","detectable":true,"detections":"Sigma"}],"technique_count":15,"detectable_count":9,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"SR-11.1","title":"Anti-counterfeit Training","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-11"},{"control_id":"SR-11.2","title":"Configuration Control for Component Service and Repair","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-11"},{"control_id":"SR-11.3","title":"Anti-counterfeit Scanning","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-11"},{"control_id":"SR-12","title":"Component Disposal","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-2","title":"Supply Chain Risk Management Plan","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-2.1","title":"Establish SCRM Team","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-2"},{"control_id":"SR-3","title":"Supply Chain Controls and Processes","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-3.1","title":"Diverse Supply Base","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-3"},{"control_id":"SR-3.2","title":"Limitation of Harm","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-3"},{"control_id":"SR-3.3","title":"Sub-tier Flow Down","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-3"},{"control_id":"SR-4","title":"Provenance","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-4.1","title":"Identity","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-4"},{"control_id":"SR-4.2","title":"Track and Trace","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-4"},{"control_id":"SR-4.3","title":"Validate as Genuine and Not Altered","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-4"},{"control_id":"SR-4.4","title":"Supply Chain Integrity — Pedigree","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-4"},{"control_id":"SR-5","title":"Acquisition Strategies, Tools, and Methods","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-5.1","title":"Adequate Supply","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-5"},{"control_id":"SR-5.2","title":"Assessments Prior to Selection, Acceptance, Modification, or Update","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-5"},{"control_id":"SR-6","title":"Supplier Assessments and Reviews","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-6.1","title":"Testing and Analysis","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-6"},{"control_id":"SR-7","title":"Supply Chain Operations Security","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-8","title":"Notification Agreements","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-9","title":"Tamper Resistance and Detection","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":false},{"control_id":"SR-9.1","title":"Multiple Stages of System Development Life Cycle","family":"SR","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"SR-9"}],"families":[{"family":"AC","controls":154,"controls_with_mapping":18,"distinct_techniques":382,"detectable_techniques":252,"coverage_pct":65},{"family":"AT","controls":17,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"AU","controls":69,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CA","controls":35,"controls_with_mapping":3,"distinct_techniques":211,"detectable_techniques":143,"coverage_pct":67},{"family":"CM","controls":72,"controls_with_mapping":9,"distinct_techniques":398,"detectable_techniques":277,"coverage_pct":69},{"family":"CP","controls":60,"controls_with_mapping":5,"distinct_techniques":22,"detectable_techniques":14,"coverage_pct":63},{"family":"IA","controls":82,"controls_with_mapping":11,"distinct_techniques":205,"detectable_techniques":144,"coverage_pct":70},{"family":"IR","controls":42,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"MA","controls":30,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"MP","controls":31,"controls_with_mapping":1,"distinct_techniques":6,"detectable_techniques":2,"coverage_pct":33},{"family":"PE","controls":59,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"PL","controls":17,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"PM","controls":37,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"PS","controls":18,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"PT","controls":21,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"RA","controls":28,"controls_with_mapping":3,"distinct_techniques":117,"detectable_techniques":84,"coverage_pct":71},{"family":"SA","controls":151,"controls_with_mapping":10,"distinct_techniques":52,"detectable_techniques":34,"coverage_pct":65},{"family":"SC","controls":169,"controls_with_mapping":34,"distinct_techniques":244,"detectable_techniques":160,"coverage_pct":65},{"family":"SI","controls":125,"controls_with_mapping":12,"distinct_techniques":416,"detectable_techniques":277,"coverage_pct":66},{"family":"SR","controls":29,"controls_with_mapping":3,"distinct_techniques":22,"detectable_techniques":13,"coverage_pct":59}],"total_controls":1246,"controls_with_mapping":109,"distinct_techniques":470,"detectable_techniques":307,"overall_coverage_pct":65,"unmapped_enhancements":872,"no_mappings_at_all":false}