{"framework":"soc2-tsc","framework_label":"SOC 2 TSC","controls":[{"control_id":"A1.1","title":"Maintains, monitors, and evaluates current processing capacity and use of system components","family":"Availability","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A1"},{"control_id":"A1.2","title":"Develops, documents, and maintains environmental protections, software, data backup processes","family":"Availability","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"A1"},{"control_id":"A1.3","title":"Recovers and restores the system after disruption to meet commitments","family":"Availability","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":8,"coverage_pct":66,"has_mapping":true,"is_enhancement":true,"base_control_id":"A1"},{"control_id":"CC1.1","title":"COSO Principle 1: Demonstrates commitment to integrity and ethical values","family":"CC1 · Control Environment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC1"},{"control_id":"CC1.2","title":"COSO Principle 2: Exercises oversight responsibility","family":"CC1 · Control Environment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC1"},{"control_id":"CC1.3","title":"COSO Principle 3: Establishes structure, authority, and responsibility","family":"CC1 · Control Environment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC1"},{"control_id":"CC1.4","title":"COSO Principle 4: Demonstrates commitment to competence","family":"CC1 · Control Environment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC1"},{"control_id":"CC1.5","title":"COSO Principle 5: Enforces accountability","family":"CC1 · Control Environment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC1"},{"control_id":"CC2.1","title":"COSO Principle 13: Uses relevant information","family":"CC2 · Communication \u0026 Information","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC2"},{"control_id":"CC2.2","title":"COSO Principle 14: Communicates internally","family":"CC2 · Communication \u0026 Information","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC2"},{"control_id":"CC2.3","title":"COSO Principle 15: Communicates externally","family":"CC2 · Communication \u0026 Information","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC2"},{"control_id":"CC3.1","title":"COSO Principle 6: Specifies suitable objectives","family":"CC3 · Risk Assessment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC3"},{"control_id":"CC3.2","title":"COSO Principle 7: Identifies and analyzes risk","family":"CC3 · Risk Assessment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC3"},{"control_id":"CC3.3","title":"COSO Principle 8: Assesses fraud risk","family":"CC3 · Risk Assessment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC3"},{"control_id":"CC3.4","title":"COSO Principle 9: Identifies and analyzes significant change","family":"CC3 · Risk Assessment","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC3"},{"control_id":"CC4.1","title":"COSO Principle 16: Conducts ongoing and/or separate evaluations","family":"CC4 · Monitoring","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC4"},{"control_id":"CC4.2","title":"COSO Principle 17: Evaluates and communicates deficiencies","family":"CC4 · Monitoring","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC4"},{"control_id":"CC5.1","title":"COSO Principle 10: Selects and develops control activities","family":"CC5 · Control Activities","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC5"},{"control_id":"CC5.2","title":"COSO Principle 11: Selects and develops general controls over technology","family":"CC5 · Control Activities","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC5"},{"control_id":"CC5.3","title":"COSO Principle 12: Deploys through policies and procedures","family":"CC5 · Control Activities","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC5"},{"control_id":"CC6.1","title":"Implements logical access security measures to authorized users","family":"CC6 · Logical \u0026 Physical Access","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":81,"detectable_count":55,"coverage_pct":67,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.2","title":"Prior to issuing credentials and granting access, registers and authorizes new users","family":"CC6 · Logical \u0026 Physical Access","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":85,"detectable_count":59,"coverage_pct":69,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.3","title":"Removes access to protected information when appropriate","family":"CC6 · Logical \u0026 Physical Access","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.4","title":"Restricts access to protected information using physical security controls","family":"CC6 · Logical \u0026 Physical Access","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1111","name":"Multi-Factor Authentication Interception","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1547.012","name":"Print Processors","detectable":false},{"id":"T1547.013","name":"XDG Autostart Entries","detectable":false},{"id":"T1556.001","name":"Domain Controller Authentication","detectable":false},{"id":"T1556.003","name":"Pluggable Authentication Modules","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1563","name":"Remote Service Session Hijacking","detectable":false},{"id":"T1563.001","name":"SSH Hijacking","detectable":false},{"id":"T1567.003","name":"Exfiltration to Text Storage Sites","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1612","name":"Build Image on Host","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.003","name":"Distributed Component Object Model","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1021.006","name":"Windows Remote Management","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1037","name":"Boot or Logon Initialization Scripts","detectable":true,"detections":"CAR, IDS"},{"id":"T1037.001","name":"Logon Script (Windows)","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1047","name":"Windows Management Instrumentation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1134.005","name":"SID-History Injection","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.001","name":"Local Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.002","name":"Domain Account","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1137","name":"Office Application Startup","detectable":true,"detections":"Sigma"},{"id":"T1137.002","name":"Office Test","detectable":true,"detections":"Sigma"},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1505.005","name":"Terminal Services DLL","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1547.003","name":"Time Providers","detectable":true,"detections":"Sigma"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.009","name":"Shortcut Modification","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.004","name":"Network Device Authentication","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1563.002","name":"RDP Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1567.001","name":"Exfiltration to Code Repository","detectable":true,"detections":"Sigma"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"},{"id":"T1613","name":"Container and Resource Discovery","detectable":true,"detections":"Sigma"},{"id":"T1619","name":"Cloud Storage Object Discovery","detectable":true,"detections":"Sigma"}],"technique_count":118,"detectable_count":82,"coverage_pct":69,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.5","title":"Authenticates entities and authorizes their access to protected information assets","family":"CC6 · Logical \u0026 Physical Access","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.6","title":"Implements controls to prevent or detect and act upon introduction of unauthorized or malicious software","family":"CC6 · Logical \u0026 Physical Access","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.7","title":"Restricts the transmission, movement, and removal of information","family":"CC6 · Logical \u0026 Physical Access","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC6.8","title":"Implements controls to prevent or detect and act upon unauthorized physical access","family":"CC6 · Logical \u0026 Physical Access","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC6"},{"control_id":"CC7.1","title":"Detects and monitors for new vulnerabilities","family":"CC7 · System Operations","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC7"},{"control_id":"CC7.2","title":"Monitors system components for anomalous behavior","family":"CC7 · System Operations","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC7"},{"control_id":"CC7.3","title":"Evaluates security events to determine whether they could or have resulted in failure","family":"CC7 · System Operations","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC7"},{"control_id":"CC7.4","title":"Responds to identified security incidents per incident response program","family":"CC7 · System Operations","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC7"},{"control_id":"CC7.5","title":"Identifies, develops, and implements activities to recover from identified security incidents","family":"CC7 · System Operations","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure Wipe","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":8,"coverage_pct":66,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC7"},{"control_id":"CC8.1","title":"Authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes","family":"CC8 · Change Management","techniques":[{"id":"T1195.003","name":"Compromise Hardware Supply Chain","detectable":false},{"id":"T1542","name":"Pre-OS Boot","detectable":false},{"id":"T1542.004","name":"ROMMONkit","detectable":false},{"id":"T1542.005","name":"TFTP Boot","detectable":false},{"id":"T1553.006","name":"Code Signing Policy Modification","detectable":false},{"id":"T1559.003","name":"XPC Services","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.002","name":"DLL Side-Loading","detectable":false},{"id":"T1601","name":"Modify System Image","detectable":false},{"id":"T1601.001","name":"Patch System Image","detectable":false},{"id":"T1601.002","name":"Downgrade System Image","detectable":false},{"id":"T1647","name":"Plist File Modification","detectable":false},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1213.003","name":"Code Repositories","detectable":true,"detections":"Sigma"},{"id":"T1495","name":"Firmware Corruption","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1505.001","name":"SQL Stored Procedures","detectable":true,"detections":"Sigma"},{"id":"T1505.002","name":"Transport Agent","detectable":true,"detections":"Sigma"},{"id":"T1505.004","name":"IIS Components","detectable":true,"detections":"Sigma"},{"id":"T1542.001","name":"System Firmware","detectable":true,"detections":"Sigma"},{"id":"T1542.003","name":"Bootkit","detectable":true,"detections":"Sigma"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"}],"technique_count":27,"detectable_count":15,"coverage_pct":55,"has_mapping":true,"is_enhancement":true,"base_control_id":"CC8"},{"control_id":"CC9.1","title":"Identifies, selects, and develops risk mitigation activities","family":"CC9 · Risk Mitigation","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC9"},{"control_id":"CC9.2","title":"Assesses and manages risks associated with vendors and business partners","family":"CC9 · Risk Mitigation","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"CC9"},{"control_id":"C1.1","title":"Identifies and maintains confidential information to meet objectives related to confidentiality","family":"Confidentiality","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":42,"detectable_count":26,"coverage_pct":61,"has_mapping":true,"is_enhancement":true,"base_control_id":"C1"},{"control_id":"C1.2","title":"Disposes of confidential information to meet objectives related to confidentiality","family":"Confidentiality","techniques":[{"id":"T1003.007","name":"Proc Filesystem","detectable":false},{"id":"T1003.008","name":"/etc/passwd and /etc/shadow","detectable":false},{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1213.005","name":"Messaging Applications","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.001","name":"LSASS Memory","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.002","name":"Security Account Manager","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.004","name":"LSA Secrets","detectable":true,"detections":"Sigma"},{"id":"T1003.005","name":"Cached Domain Credentials","detectable":true,"detections":"Sigma"},{"id":"T1003.006","name":"DCSync","detectable":true,"detections":"Sigma"},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.001","name":"Default Accounts","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.002","name":"Credentials in Registry","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.003","name":"Shell History","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"}],"technique_count":64,"detectable_count":39,"coverage_pct":60,"has_mapping":true,"is_enhancement":true,"base_control_id":"C1"},{"control_id":"P1.1","title":"Provides notice to data subjects about its privacy practices","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P1"},{"control_id":"P2.1","title":"Communicates choices available to data subjects and obtains implicit or explicit consent","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P2"},{"control_id":"P3.1","title":"Collects personal information consistent with the entity's objectives","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P3"},{"control_id":"P3.2","title":"Collects personal information using methods consistent with commitments to data subjects","family":"Privacy","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"P3"},{"control_id":"P4.1","title":"Limits the use of personal information to the purposes identified in the notice","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P4"},{"control_id":"P4.2","title":"Retains personal information consistent with entity's privacy commitments","family":"Privacy","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"P4"},{"control_id":"P4.3","title":"Disposes of personal information consistent with entity's privacy commitments","family":"Privacy","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.004","name":"Elevated Execution with Prompt","detectable":false},{"id":"T1557.004","name":"Evil Twin","detectable":false},{"id":"T1558.002","name":"Silver Ticket","detectable":false},{"id":"T1558.004","name":"AS-REP Roasting","detectable":false},{"id":"T1558.005","name":"Ccache Files","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1003","name":"OS Credential Dumping","detectable":true,"detections":"Sigma, CAR"},{"id":"T1003.003","name":"NTDS","detectable":true,"detections":"Sigma, CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","detectable":true,"detections":"Sigma"},{"id":"T1558.003","name":"Kerberoasting","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":34,"detectable_count":20,"coverage_pct":58,"has_mapping":true,"is_enhancement":true,"base_control_id":"P4"},{"control_id":"P5.1","title":"Grants data subjects the ability to access their personal information","family":"Privacy","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"P5"},{"control_id":"P5.2","title":"Corrects or amends personal information upon request","family":"Privacy","techniques":[{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":101,"detectable_count":78,"coverage_pct":77,"has_mapping":true,"is_enhancement":true,"base_control_id":"P5"},{"control_id":"P6.1","title":"Discloses personal information to third parties with the implicit or explicit consent of data subjects","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P6"},{"control_id":"P6.2","title":"Creates and retains a complete, accurate, and timely record of authorized disclosures","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P6"},{"control_id":"P6.3","title":"Creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures","family":"Privacy","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"P6"},{"control_id":"P7.1","title":"Collects and maintains accurate, up-to-date, complete, and relevant personal information","family":"Privacy","techniques":[{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":101,"detectable_count":78,"coverage_pct":77,"has_mapping":true,"is_enhancement":true,"base_control_id":"P7"},{"control_id":"P8.1","title":"Provides data subjects with an accounting of personal information held and corrects errors","family":"Privacy","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":true,"base_control_id":"P8"},{"control_id":"PI1.1","title":"Obtains or generates, uses, and communicates relevant, quality information","family":"Processing Integrity","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PI1"},{"control_id":"PI1.2","title":"Implements policies and procedures over system inputs, including controls over completeness and accuracy","family":"Processing Integrity","techniques":[{"id":"T1036.008","name":"Masquerade File Type","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1059.008","name":"Network Device CLI","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1127.002","name":"ClickOnce","detectable":false},{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1218.004","name":"InstallUtil","detectable":false},{"id":"T1218.012","name":"Verclsid","detectable":false},{"id":"T1218.015","name":"Electron Applications","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1546.006","name":"LC_LOAD_DYLIB Addition","detectable":false},{"id":"T1548.006","name":"TCC Manipulation","detectable":false},{"id":"T1564.009","name":"Resource Forking","detectable":false},{"id":"T1574.013","name":"KernelCallbackTable","detectable":false},{"id":"T1574.014","name":"AppDomainManager","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1021.002","name":"SMB/Windows Admin Shares","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.005","name":"VNC","detectable":true,"detections":"Sigma"},{"id":"T1027.010","name":"Command Obfuscation","detectable":true,"detections":"Sigma"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1036.005","name":"Match Legitimate Resource Name or Location","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.002","name":"AppleScript","detectable":true,"detections":"Sigma"},{"id":"T1059.003","name":"Windows Command Shell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.004","name":"Unix Shell","detectable":true,"detections":"Sigma, Falco"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1059.007","name":"JavaScript","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1127","name":"Trusted Developer Utilities Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1129","name":"Shared Modules","detectable":true,"detections":"Sigma"},{"id":"T1187","name":"Forced Authentication","detectable":true,"detections":"Sigma, CAR"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1197","name":"BITS Jobs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1204.002","name":"Malicious File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1216","name":"System Script Proxy Execution","detectable":true,"detections":"Sigma"},{"id":"T1216.001","name":"PubPrn","detectable":true,"detections":"Sigma"},{"id":"T1218","name":"System Binary Proxy Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.001","name":"Compiled HTML File","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.002","name":"Control Panel","detectable":true,"detections":"Sigma"},{"id":"T1218.003","name":"CMSTP","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.005","name":"Mshta","detectable":true,"detections":"Sigma"},{"id":"T1218.008","name":"Odbcconf","detectable":true,"detections":"Sigma"},{"id":"T1218.009","name":"Regsvcs/Regasm","detectable":true,"detections":"Sigma"},{"id":"T1218.010","name":"Regsvr32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.011","name":"Rundll32","detectable":true,"detections":"Sigma, CAR"},{"id":"T1218.013","name":"Mavinject","detectable":true,"detections":"Sigma"},{"id":"T1218.014","name":"MMC","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1220","name":"XSL Script Processing","detectable":true,"detections":"Sigma"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1499.001","name":"OS Exhaustion Flood","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546.002","name":"Screensaver","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.008","name":"Accessibility Features","detectable":true,"detections":"Sigma, CAR"},{"id":"T1546.009","name":"AppCert DLLs","detectable":true,"detections":"Sigma"},{"id":"T1546.010","name":"AppInit DLLs","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.004","name":"Winlogon Helper DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1547.006","name":"Kernel Modules and Extensions","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1553","name":"Subvert Trust Controls","detectable":true,"detections":"Sigma, CAR"},{"id":"T1553.001","name":"Gatekeeper Bypass","detectable":true,"detections":"Sigma"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1553.005","name":"Mark-of-the-Web Bypass","detectable":true,"detections":"Sigma"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.001","name":"Name Resolution Poisoning and SMB Relay","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1557.003","name":"DHCP Spoofing","detectable":true,"detections":"Sigma"},{"id":"T1564.003","name":"Hidden Window","detectable":true,"detections":"Sigma"},{"id":"T1564.006","name":"Run Virtual Instance","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","detectable":true,"detections":"Sigma"},{"id":"T1574.007","name":"Path Interception by PATH Environment Variable","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.008","name":"Path Interception by Search Order Hijacking","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.009","name":"Path Interception by Unquoted Path","detectable":true,"detections":"CAR"},{"id":"T1574.012","name":"COR_PROFILER","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation Traversal","detectable":true,"detections":"Sigma"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"},{"id":"T1622","name":"Debugger Evasion","detectable":true,"detections":"Sigma, Falco"}],"technique_count":101,"detectable_count":78,"coverage_pct":77,"has_mapping":true,"is_enhancement":true,"base_control_id":"PI1"},{"control_id":"PI1.3","title":"Implements policies and procedures over system processing","family":"Processing Integrity","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PI1"},{"control_id":"PI1.4","title":"Implements policies and procedures to make available or deliver output completely, accurately, and timely","family":"Processing Integrity","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PI1"},{"control_id":"PI1.5","title":"Implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely","family":"Processing Integrity","techniques":null,"technique_count":0,"detectable_count":0,"coverage_pct":0,"has_mapping":false,"is_enhancement":true,"base_control_id":"PI1"}],"families":[{"family":"Availability","controls":3,"controls_with_mapping":1,"distinct_techniques":12,"detectable_techniques":8,"coverage_pct":66},{"family":"CC1 · Control Environment","controls":5,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CC2 · Communication \u0026 Information","controls":3,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CC3 · Risk Assessment","controls":4,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CC4 · Monitoring","controls":2,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CC5 · Control Activities","controls":3,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"CC6 · Logical \u0026 Physical Access","controls":8,"controls_with_mapping":4,"distinct_techniques":120,"detectable_techniques":84,"coverage_pct":70},{"family":"CC7 · System Operations","controls":5,"controls_with_mapping":1,"distinct_techniques":12,"detectable_techniques":8,"coverage_pct":66},{"family":"CC8 · Change Management","controls":1,"controls_with_mapping":1,"distinct_techniques":27,"detectable_techniques":15,"coverage_pct":55},{"family":"CC9 · Risk Mitigation","controls":2,"controls_with_mapping":0,"distinct_techniques":0,"detectable_techniques":0,"coverage_pct":0},{"family":"Confidentiality","controls":2,"controls_with_mapping":2,"distinct_techniques":64,"detectable_techniques":39,"coverage_pct":60},{"family":"Privacy","controls":14,"controls_with_mapping":7,"distinct_techniques":132,"detectable_techniques":99,"coverage_pct":75},{"family":"Processing Integrity","controls":5,"controls_with_mapping":1,"distinct_techniques":101,"detectable_techniques":78,"coverage_pct":77}],"total_controls":57,"controls_with_mapping":17,"distinct_techniques":242,"detectable_techniques":168,"overall_coverage_pct":69,"unmapped_enhancements":40,"no_mappings_at_all":false}