Detection coverage · threatengine.sh

Home/Detection coverage

ATT&CK

Detection coverage heatmap

407 of 697 techniques have detection coverage · 58%

Where can you actually see attacks happen, and where are you blind? Every enterprise ATT&CK technique is grouped by tactic and marked green when we hold detection content (Sigma / CAR / network-IDS / YARA / Falco) mapped to it, and red when there is no coverage - the gaps to close. Counts are honest: a technique is covered only when a real rule maps to it.

covered no coverage (gap) Sigma 3,765 · IDS 25,341 · CAR 278 · YARA 5 · Falco 80 rule-to-technique links

58% overall coverage - 407/697 techniques

▤

Reconnaissance

11/46 covered · 23%

T1589.001 · Credentials T1589.003 · Employee Names T1590.003 · Network Trust Dependencies T1590.004 · Network Topology T1590.005 · IP Addresses T1590.006 · Network Security Appliances T1591 · Gather Victim Org Information T1591.001 · Determine Physical Locations T1591.002 · Business Relationships T1591.003 · Identify Business Tempo T1592 · Gather Victim Host Information T1592.001 · Hardware T1592.002 · Software T1592.003 · Firmware T1593.001 · Social Media T1593.002 · Search Engines T1594 · Search Victim-Owned Websites T1595.001 · Scanning IP Blocks T1595.003 · Wordlist Scanning T1596 · Search Open Technical Databases T1596.001 · DNS/Passive DNS T1596.002 · WHOIS T1596.003 · Digital Certificates T1596.004 · CDNs T1596.005 · Scan Databases T1597 · Search Closed Sources T1597.001 · Threat Intel Vendors T1597.002 · Purchase Technical Data T1598 · Phishing for Information T1598.001 · Spearphishing Service T1598.002 · Spearphishing Attachment T1598.003 · Spearphishing Link T1598.004 · Spearphishing Voice T1681 · Search Threat Vendor Data T1682 · Query Public AI Services T1589 · Gather Victim Identity Information ✓T1589.002 · Email Addresses ✓T1590 · Gather Victim Network Information ✓T1590.001 · Domain Properties ✓T1590.002 · DNS ✓T1591.004 · Identify Roles ✓T1592.004 · Client Configurations ✓T1593 · Search Open Websites/Domains ✓T1593.003 · Code Repositories ✓T1595 · Active Scanning ✓T1595.002 · Vulnerability Scanning ✓

▤

Resource Development

11/50 covered · 22%

T1583.001 · Domains T1583.002 · DNS Server T1583.003 · Virtual Private Server T1583.004 · Server T1583.005 · Botnet T1583.006 · Web Services T1583.007 · Serverless T1583.008 · Malvertising T1584.001 · Domains T1584.002 · DNS Server T1584.003 · Virtual Private Server T1584.004 · Server T1584.005 · Botnet T1584.006 · Web Services T1584.007 · Serverless T1584.008 · Network Devices T1585 · Establish Accounts T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1585.003 · Cloud Accounts T1586.001 · Social Media Accounts T1586.002 · Email Accounts T1587.002 · Code Signing Certificates T1587.003 · Digital Certificates T1587.004 · Exploits T1588.003 · Code Signing Certificates T1588.004 · Digital Certificates T1588.005 · Exploits T1588.006 · Vulnerabilities T1588.007 · Artificial Intelligence T1608.001 · Upload Malware T1608.002 · Upload Tool T1608.004 · Drive-by Target T1608.005 · Link Target T1608.006 · SEO Poisoning T1650 · Acquire Access T1683 · Generate Content T1683.001 · Written Content T1683.002 · Audio-Visual Content T1583 · Acquire Infrastructure ✓T1584 · Compromise Infrastructure ✓T1586 · Compromise Accounts ✓T1586.003 · Cloud Accounts ✓T1587 · Develop Capabilities ✓T1587.001 · Malware ✓T1588 · Obtain Capabilities ✓T1588.001 · Malware ✓T1588.002 · Tool ✓T1608 · Stage Capabilities ✓T1608.003 · Install Digital Certificate ✓

▤

Initial Access

17/22 covered · 77%

▤

Execution

44/64 covered · 68%

T1053.006 · Systemd Timers T1053.007 · Container Orchestration Job T1059.008 · Network Device CLI T1059.010 · AutoHotKey & AutoIT T1059.011 · Lua T1059.013 · Container CLI/API T1127.002 · ClickOnce T1127.003 · JamPlus T1204.003 · Malicious Image T1204.005 · Malicious Library T1559.003 · XPC Services T1569.003 · Systemctl T1574.004 · Dylib Hijacking T1574.013 · KernelCallbackTable T1574.014 · AppDomainManager T1648 · Serverless Execution T1651 · Cloud Administration Command T1674 · Input Injection T1675 · ESXi Administration Command T1677 · Poisoned Pipeline Execution T1047 · Windows Management Instrumentation ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.003 · Cron ✓T1053.005 · Scheduled Task ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.002 · AppleScript ✓T1059.003 · Windows Command Shell ✓T1059.004 · Unix Shell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1059.007 · JavaScript ✓T1059.009 · Cloud API ✓T1059.012 · Hypervisor CLI ✓T1072 · Software Deployment Tools ✓T1106 · Native API ✓T1127 · Trusted Developer Utilities Proxy Execution ✓T1127.001 · MSBuild ✓T1129 · Shared Modules ✓T1197 · BITS Jobs ✓T1203 · Exploitation for Client Execution ✓T1204 · User Execution ✓T1204.001 · Malicious Link ✓T1204.002 · Malicious File ✓T1204.004 · Malicious Copy and Paste ✓T1559 · Inter-Process Communication ✓T1559.001 · Component Object Model ✓T1559.002 · Dynamic Data Exchange ✓T1569 · System Services ✓T1569.001 · Launchctl ✓T1569.002 · Service Execution ✓T1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓T1574.005 · Executable Installer File Permissions Weakness ✓T1574.006 · Dynamic Linker Hijacking ✓T1574.007 · Path Interception by PATH Environment Variable ✓T1574.008 · Path Interception by Search Order Hijacking ✓T1574.009 · Path Interception by Unquoted Path ✓T1574.010 · Services File Permissions Weakness ✓T1574.011 · Services Registry Permissions Weakness ✓T1574.012 · COR_PROFILER ✓T1609 · Container Administration Command ✓T1610 · Deploy Container ✓

▤

Persistence

77/113 covered · 68%

T1037.002 · Login Hook T1037.003 · Network Logon Script T1037.004 · RC Scripts T1053.006 · Systemd Timers T1053.007 · Container Orchestration Job T1098.002 · Additional Email Delegate Permissions T1098.006 · Additional Container Cluster Roles T1098.007 · Additional Local or Domain Groups T1137.001 · Office Template Macros T1137.004 · Outlook Home Page T1137.005 · Outlook Rules T1176 · Software Extensions T1176.002 · IDE Extensions T1205.002 · Socket Filters T1505.006 · vSphere Installation Bundles T1542 · Pre-OS Boot T1542.002 · Component Firmware T1542.004 · ROMMONkit T1542.005 · TFTP Boot T1543.005 · Container Service T1546.005 · Trap T1546.006 · LC_LOAD_DYLIB Addition T1546.016 · Installer Packages T1546.017 · Udev Rules T1546.018 · Python Startup Hooks T1547.007 · Re-opened Applications T1547.012 · Print Processors T1547.013 · XDG Autostart Entries T1556.001 · Domain Controller Authentication T1556.003 · Pluggable Authentication Modules T1556.005 · Reversible Encryption T1556.007 · Hybrid Identity T1556.008 · Network Provider DLL T1556.009 · Conditional Access Policies T1668 · Exclusive Control T1671 · Cloud Application Integration T1037 · Boot or Logon Initialization Scripts ✓T1037.001 · Logon Script (Windows) ✓T1037.005 · Startup Items ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.003 · Cron ✓T1053.005 · Scheduled Task ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.005 · Device Registration ✓T1112 · Modify Registry ✓T1133 · External Remote Services ✓T1136 · Create Account ✓T1136.001 · Local Account ✓T1136.002 · Domain Account ✓T1136.003 · Cloud Account ✓T1137 · Office Application Startup ✓T1137.002 · Office Test ✓T1137.003 · Outlook Forms ✓T1137.006 · Add-ins ✓T1176.001 · Browser Extensions ✓T1197 · BITS Jobs ✓T1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1505 · Server Software Component ✓T1505.001 · SQL Stored Procedures ✓T1505.002 · Transport Agent ✓T1505.003 · Web Shell ✓T1505.004 · IIS Components ✓T1505.005 · Terminal Services DLL ✓T1525 · Implant Internal Image ✓T1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1543 · Create or Modify System Process ✓T1543.001 · Launch Agent ✓T1543.002 · Systemd Service ✓T1543.003 · Windows Service ✓T1543.004 · Launch Daemon ✓T1546 · Event Triggered Execution ✓T1546.001 · Change Default File Association ✓T1546.002 · Screensaver ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1546.004 · Unix Shell Configuration Modification ✓T1546.007 · Netsh Helper DLL ✓T1546.008 · Accessibility Features ✓T1546.009 · AppCert DLLs ✓T1546.010 · AppInit DLLs ✓T1546.011 · Application Shimming ✓T1546.012 · Image File Execution Options Injection ✓T1546.013 · PowerShell Profile ✓T1546.014 · Emond ✓T1546.015 · Component Object Model Hijacking ✓T1547 · Boot or Logon Autostart Execution ✓T1547.001 · Registry Run Keys / Startup Folder ✓T1547.002 · Authentication Package ✓T1547.003 · Time Providers ✓T1547.004 · Winlogon Helper DLL ✓T1547.005 · Security Support Provider ✓T1547.006 · Kernel Modules and Extensions ✓T1547.008 · LSASS Driver ✓T1547.009 · Shortcut Modification ✓T1547.010 · Port Monitors ✓T1547.014 · Active Setup ✓T1547.015 · Login Items ✓T1554 · Compromise Host Software Binary ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.004 · Network Device Authentication ✓T1556.006 · Multi-Factor Authentication ✓T1653 · Power Settings ✓

▤

Privilege Escalation

70/96 covered · 72%

T1037.002 · Login Hook T1037.003 · Network Logon Script T1037.004 · RC Scripts T1053.006 · Systemd Timers T1053.007 · Container Orchestration Job T1055.002 · Portable Executable Injection T1055.004 · Asynchronous Procedure Call T1055.005 · Thread Local Storage T1055.013 · Process Doppelgänging T1055.014 · VDSO Hijacking T1055.015 · ListPlanting T1098.002 · Additional Email Delegate Permissions T1098.006 · Additional Container Cluster Roles T1098.007 · Additional Local or Domain Groups T1543.005 · Container Service T1546.005 · Trap T1546.006 · LC_LOAD_DYLIB Addition T1546.016 · Installer Packages T1546.017 · Udev Rules T1546.018 · Python Startup Hooks T1547.007 · Re-opened Applications T1547.012 · Print Processors T1547.013 · XDG Autostart Entries T1548.004 · Elevated Execution with Prompt T1548.005 · Temporary Elevated Cloud Access T1548.006 · TCC Manipulation T1037 · Boot or Logon Initialization Scripts ✓T1037.001 · Logon Script (Windows) ✓T1037.005 · Startup Items ✓T1053 · Scheduled Task/Job ✓T1053.002 · At ✓T1053.003 · Cron ✓T1053.005 · Scheduled Task ✓T1055 · Process Injection ✓T1055.001 · Dynamic-link Library Injection ✓T1055.003 · Thread Execution Hijacking ✓T1055.008 · Ptrace System Calls ✓T1055.009 · Proc Memory ✓T1055.011 · Extra Window Memory Injection ✓T1055.012 · Process Hollowing ✓T1068 · Exploitation for Privilege Escalation ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.005 · Device Registration ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1134.004 · Parent PID Spoofing ✓T1134.005 · SID-History Injection ✓T1484 · Domain or Tenant Policy Modification ✓T1484.001 · Group Policy Modification ✓T1484.002 · Trust Modification ✓T1543 · Create or Modify System Process ✓T1543.001 · Launch Agent ✓T1543.002 · Systemd Service ✓T1543.003 · Windows Service ✓T1543.004 · Launch Daemon ✓T1546 · Event Triggered Execution ✓T1546.001 · Change Default File Association ✓T1546.002 · Screensaver ✓T1546.003 · Windows Management Instrumentation Event Subscription ✓T1546.004 · Unix Shell Configuration Modification ✓T1546.007 · Netsh Helper DLL ✓T1546.008 · Accessibility Features ✓T1546.009 · AppCert DLLs ✓T1546.010 · AppInit DLLs ✓T1546.011 · Application Shimming ✓T1546.012 · Image File Execution Options Injection ✓T1546.013 · PowerShell Profile ✓T1546.014 · Emond ✓T1546.015 · Component Object Model Hijacking ✓T1547 · Boot or Logon Autostart Execution ✓T1547.001 · Registry Run Keys / Startup Folder ✓T1547.002 · Authentication Package ✓T1547.003 · Time Providers ✓T1547.004 · Winlogon Helper DLL ✓T1547.005 · Security Support Provider ✓T1547.006 · Kernel Modules and Extensions ✓T1547.008 · LSASS Driver ✓T1547.009 · Shortcut Modification ✓T1547.010 · Port Monitors ✓T1547.014 · Active Setup ✓T1547.015 · Login Items ✓T1548 · Abuse Elevation Control Mechanism ✓T1548.001 · Setuid and Setgid ✓T1548.002 · Bypass User Account Control ✓T1548.003 · Sudo and Sudo Caching ✓T1611 · Escape to Host ✓

▤

Credential Access

45/67 covered · 67%

T1003.007 · Proc Filesystem T1003.008 · /etc/passwd and /etc/shadow T1056.003 · Web Portal Capture T1056.004 · Credential API Hooking T1110.003 · Password Spraying T1110.004 · Credential Stuffing T1111 · Multi-Factor Authentication Interception T1552.008 · Chat Messages T1555.002 · Securityd Memory T1555.006 · Cloud Secrets Management Stores T1556.001 · Domain Controller Authentication T1556.003 · Pluggable Authentication Modules T1556.005 · Reversible Encryption T1556.007 · Hybrid Identity T1556.008 · Network Provider DLL T1556.009 · Conditional Access Policies T1557.004 · Evil Twin T1558.001 · Golden Ticket T1558.002 · Silver Ticket T1558.004 · AS-REP Roasting T1558.005 · Ccache Files T1606.001 · Web Cookies T1003 · OS Credential Dumping ✓T1003.001 · LSASS Memory ✓T1003.002 · Security Account Manager ✓T1003.003 · NTDS ✓T1003.004 · LSA Secrets ✓T1003.005 · Cached Domain Credentials ✓T1003.006 · DCSync ✓T1040 · Network Sniffing ✓T1056 · Input Capture ✓T1056.001 · Keylogging ✓T1056.002 · GUI Input Capture ✓T1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1187 · Forced Authentication ✓T1212 · Exploitation for Credential Access ✓T1528 · Steal Application Access Token ✓T1539 · Steal Web Session Cookie ✓T1552 · Unsecured Credentials ✓T1552.001 · Credentials In Files ✓T1552.002 · Credentials in Registry ✓T1552.003 · Shell History ✓T1552.004 · Private Keys ✓T1552.005 · Cloud Instance Metadata API ✓T1552.006 · Group Policy Preferences ✓T1552.007 · Container API ✓T1555 · Credentials from Password Stores ✓T1555.001 · Keychain ✓T1555.003 · Credentials from Web Browsers ✓T1555.004 · Windows Credential Manager ✓T1555.005 · Password Managers ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.004 · Network Device Authentication ✓T1556.006 · Multi-Factor Authentication ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1558 · Steal or Forge Kerberos Tickets ✓T1558.003 · Kerberoasting ✓T1606 · Forge Web Credentials ✓T1606.002 · SAML Tokens ✓T1621 · Multi-Factor Authentication Request Generation ✓T1649 · Steal or Forge Authentication Certificates ✓

▤

Discovery

37/49 covered · 75%

T1016.001 · Internet Connection Discovery T1016.002 · Wi-Fi Discovery T1087.003 · Email Account T1497 · Virtualization/Sandbox Evasion T1497.002 · User Activity Based Checks T1497.003 · Time Based Checks T1518.002 · Backup Software Discovery T1538 · Cloud Service Dashboard T1652 · Device Driver Discovery T1654 · Log Enumeration T1673 · Virtual Machine Discovery T1680 · Local Storage Discovery T1007 · System Service Discovery ✓T1010 · Application Window Discovery ✓T1012 · Query Registry ✓T1016 · System Network Configuration Discovery ✓T1018 · Remote System Discovery ✓T1033 · System Owner/User Discovery ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1049 · System Network Connections Discovery ✓T1057 · Process Discovery ✓T1069 · Permission Groups Discovery ✓T1069.001 · Local Groups ✓T1069.002 · Domain Groups ✓T1069.003 · Cloud Groups ✓T1082 · System Information Discovery ✓T1083 · File and Directory Discovery ✓T1087 · Account Discovery ✓T1087.001 · Local Account ✓T1087.002 · Domain Account ✓T1087.004 · Cloud Account ✓T1120 · Peripheral Device Discovery ✓T1124 · System Time Discovery ✓T1135 · Network Share Discovery ✓T1201 · Password Policy Discovery ✓T1217 · Browser Information Discovery ✓T1482 · Domain Trust Discovery ✓T1497.001 · System Checks ✓T1518 · Software Discovery ✓T1518.001 · Security Software Discovery ✓T1526 · Cloud Service Discovery ✓T1580 · Cloud Infrastructure Discovery ✓T1613 · Container and Resource Discovery ✓T1614 · System Location Discovery ✓T1614.001 · System Language Discovery ✓T1615 · Group Policy Discovery ✓T1619 · Cloud Storage Object Discovery ✓T1622 · Debugger Evasion ✓

▤

Lateral Movement

17/23 covered · 73%

▤

Collection

24/41 covered · 58%

T1025 · Data from Removable Media T1056.003 · Web Portal Capture T1056.004 · Credential API Hooking T1074.002 · Remote Data Staging T1114.002 · Remote Email Collection T1213.001 · Confluence T1213.002 · Sharepoint T1213.004 · Customer Relationship Management Software T1213.005 · Messaging Applications T1213.006 · Databases T1530 · Data from Cloud Storage T1557.004 · Evil Twin T1560.002 · Archive via Library T1560.003 · Archive via Custom Method T1602 · Data from Configuration Repository T1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump T1005 · Data from Local System ✓T1039 · Data from Network Shared Drive ✓T1056 · Input Capture ✓T1056.001 · Keylogging ✓T1056.002 · GUI Input Capture ✓T1074 · Data Staged ✓T1074.001 · Local Data Staging ✓T1113 · Screen Capture ✓T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.003 · Email Forwarding Rule ✓T1115 · Clipboard Data ✓T1119 · Automated Collection ✓T1123 · Audio Capture ✓T1125 · Video Capture ✓T1185 · Browser Session Hijacking ✓T1213 · Data from Information Repositories ✓T1213.003 · Code Repositories ✓T1557 · Adversary-in-the-Middle ✓T1557.001 · Name Resolution Poisoning and SMB Relay ✓T1557.002 · ARP Cache Poisoning ✓T1557.003 · DHCP Spoofing ✓T1560 · Archive Collected Data ✓T1560.001 · Archive via Utility ✓

▤

Command And Control

28/45 covered · 62%

T1001.001 · Junk Data T1001.002 · Steganography T1071.002 · File Transfer Protocols T1071.003 · Mail Protocols T1071.005 · Publish/Subscribe Protocols T1090.004 · Domain Fronting T1092 · Communication Through Removable Media T1104 · Multi-Stage Channels T1132.002 · Non-Standard Encoding T1205.002 · Socket Filters T1219.001 · IDE Tunneling T1219.003 · Remote Access Hardware T1568.001 · Fast Flux DNS T1568.003 · DNS Calculation T1573.001 · Symmetric Cryptography T1573.002 · Asymmetric Cryptography T1659 · Content Injection T1001 · Data Obfuscation ✓T1001.003 · Protocol or Service Impersonation ✓T1008 · Fallback Channels ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.004 · DNS ✓T1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1102 · Web Service ✓T1102.001 · Dead Drop Resolver ✓T1102.002 · Bidirectional Communication ✓T1102.003 · One-Way Communication ✓T1105 · Ingress Tool Transfer ✓T1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1219 · Remote Access Tools ✓T1219.002 · Remote Desktop Software ✓T1568 · Dynamic Resolution ✓T1568.002 · Domain Generation Algorithms ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1573 · Encrypted Channel ✓T1665 · Hide Infrastructure ✓

▤

Exfiltration

11/19 covered · 57%

T1011 · Exfiltration Over Other Network Medium T1011.001 · Exfiltration Over Bluetooth T1020.001 · Traffic Duplication T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1052 · Exfiltration Over Physical Medium T1052.001 · Exfiltration over USB T1567.003 · Exfiltration to Text Storage Sites T1567.004 · Exfiltration Over Webhook T1020 · Automated Exfiltration ✓T1029 · Scheduled Transfer ✓T1030 · Data Transfer Size Limits ✓T1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1537 · Transfer Data to Cloud Account ✓T1567 · Exfiltration Over Web Service ✓T1567.001 · Exfiltration to Code Repository ✓T1567.002 · Exfiltration to Cloud Storage ✓

▤

Impact

18/33 covered · 54%

T1485.001 · Lifecycle-Triggered Deletion T1491 · Defacement T1491.002 · External Defacement T1496.001 · Compute Hijacking T1496.002 · Bandwidth Hijacking T1496.003 · SMS Pumping T1496.004 · Cloud Service Hijacking T1498.001 · Direct Network Flood T1498.002 · Reflection Amplification T1499.002 · Service Exhaustion Flood T1499.003 · Application Exhaustion Flood T1561 · Disk Wipe T1565.003 · Runtime Data Manipulation T1657 · Financial Theft T1667 · Email Bombing T1485 · Data Destruction ✓T1486 · Data Encrypted for Impact ✓T1489 · Service Stop ✓T1490 · Inhibit System Recovery ✓T1491.001 · Internal Defacement ✓T1495 · Firmware Corruption ✓T1496 · Resource Hijacking ✓T1498 · Network Denial of Service ✓T1499 · Endpoint Denial of Service ✓T1499.001 · OS Exhaustion Flood ✓T1499.004 · Application or System Exploitation ✓T1529 · System Shutdown/Reboot ✓T1531 · Account Access Removal ✓T1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓

▤

Defense Impairment

32/56 covered · 57%

T1553.006 · Code Signing Policy Modification T1556.001 · Domain Controller Authentication T1556.003 · Pluggable Authentication Modules T1556.005 · Reversible Encryption T1556.007 · Hybrid Identity T1556.008 · Network Provider DLL T1556.009 · Conditional Access Policies T1578.001 · Create Snapshot T1578.002 · Create Cloud Instance T1578.004 · Revert Cloud Instance T1578.005 · Modify Cloud Compute Configurations T1599 · Network Boundary Bridging T1600 · Weaken Encryption T1600.001 · Reduce Key Space T1600.002 · Disable Crypto Hardware T1601 · Modify System Image T1601.001 · Patch System Image T1601.002 · Downgrade System Image T1647 · Plist File Modification T1666 · Modify Cloud Resource Hierarchy T1685.003 · Modify or Spoof Tool UI T1686.002 · Network Device Firewall T1687 · Exploitation for Defense Impairment T1688 · Safe Mode Boot T1112 · Modify Registry ✓T1207 · Rogue Domain Controller ✓T1222 · File and Directory Permissions Modification ✓T1222.001 · Windows Permissions ✓T1222.002 · Linux and Mac Permissions ✓T1484 · Domain or Tenant Policy Modification ✓T1484.001 · Group Policy Modification ✓T1484.002 · Trust Modification ✓T1553 · Subvert Trust Controls ✓T1553.001 · Gatekeeper Bypass ✓T1553.002 · Code Signing ✓T1553.003 · SIP and Trust Provider Hijacking ✓T1553.004 · Install Root Certificate ✓T1553.005 · Mark-of-the-Web Bypass ✓T1556 · Modify Authentication Process ✓T1556.002 · Password Filter DLL ✓T1556.004 · Network Device Authentication ✓T1556.006 · Multi-Factor Authentication ✓T1578 · Modify Cloud Compute Infrastructure ✓T1578.003 · Delete Cloud Instance ✓T1599.001 · Network Address Translation Traversal ✓T1685 · Disable or Modify Tools ✓T1685.001 · Disable or Modify Windows Event Log ✓T1685.002 · Disable or Modify Cloud Log ✓T1685.004 · Disable or Modify Linux Audit System Log ✓T1685.005 · Clear Windows Event Logs ✓T1685.006 · Clear Linux or Mac System Logs ✓T1686 · Disable or Modify System Firewall ✓T1686.001 · Cloud Firewall ✓T1686.003 · Windows Host Firewall ✓T1689 · Downgrade Attack ✓T1690 · Prevent Command History Logging ✓

▤

Stealth

85/148 covered · 57%

T1027.006 · HTML Smuggling T1027.007 · Dynamic API Resolution T1027.008 · Stripped Payloads T1027.011 · Fileless Storage T1027.012 · LNK Icon Smuggling T1027.013 · Encrypted/Encoded File T1027.014 · Polymorphic Code T1027.015 · Compression T1027.016 · Junk Code Insertion T1027.017 · SVG Smuggling T1027.018 · Invisible Unicode T1036.001 · Invalid Code Signature T1036.008 · Masquerade File Type T1036.009 · Break Process Trees T1036.010 · Masquerade Account Name T1036.011 · Overwrite Process Arguments T1036.012 · Browser Fingerprint T1055.002 · Portable Executable Injection T1055.004 · Asynchronous Procedure Call T1055.005 · Thread Local Storage T1055.013 · Process Doppelgänging T1055.014 · VDSO Hijacking T1055.015 · ListPlanting T1070.007 · Clear Network Connection History and Configurations T1070.008 · Clear Mailbox Data T1070.009 · Clear Persistence T1070.010 · Relocate Malware T1127.002 · ClickOnce T1127.003 · JamPlus T1205.002 · Socket Filters T1216.002 · SyncAppvPublishingServer T1218.004 · InstallUtil T1218.012 · Verclsid T1218.015 · Electron Applications T1480 · Execution Guardrails T1480.001 · Environmental Keying T1480.002 · Mutual Exclusion T1497 · Virtualization/Sandbox Evasion T1497.002 · User Activity Based Checks T1497.003 · Time Based Checks T1535 · Unused/Unsupported Cloud Regions T1542 · Pre-OS Boot T1542.002 · Component Firmware T1542.004 · ROMMONkit T1542.005 · TFTP Boot T1564.005 · Hidden File System T1564.007 · VBA Stomping T1564.008 · Email Hiding Rules T1564.009 · Resource Forking T1564.010 · Process Argument Spoofing T1564.011 · Ignore Process Interrupts T1564.012 · File/Path Exclusions T1564.013 · Bind Mounts T1564.014 · Extended Attributes T1574.004 · Dylib Hijacking T1574.013 · KernelCallbackTable T1574.014 · AppDomainManager T1612 · Build Image on Host T1678 · Delay Execution T1679 · Selective Exclusion T1684 · Social Engineering T1684.001 · Impersonation T1684.002 · Email Spoofing T1006 · Direct Volume Access ✓T1014 · Rootkit ✓T1027 · Obfuscated Files or Information ✓T1027.001 · Binary Padding ✓T1027.002 · Software Packing ✓T1027.003 · Steganography ✓T1027.004 · Compile After Delivery ✓T1027.005 · Indicator Removal from Tools ✓T1027.009 · Embedded Payloads ✓T1027.010 · Command Obfuscation ✓T1036 · Masquerading ✓T1036.002 · Right-to-Left Override ✓T1036.003 · Rename Legitimate Utilities ✓T1036.004 · Masquerade Task or Service ✓T1036.005 · Match Legitimate Resource Name or Location ✓T1036.006 · Space after Filename ✓T1036.007 · Double File Extension ✓T1055 · Process Injection ✓T1055.001 · Dynamic-link Library Injection ✓T1055.003 · Thread Execution Hijacking ✓T1055.008 · Ptrace System Calls ✓T1055.009 · Proc Memory ✓T1055.011 · Extra Window Memory Injection ✓T1055.012 · Process Hollowing ✓T1070 · Indicator Removal ✓T1070.003 · Clear Command History ✓T1070.004 · File Deletion ✓T1070.005 · Network Share Connection Removal ✓T1070.006 · Timestomp ✓T1078 · Valid Accounts ✓T1078.001 · Default Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1127 · Trusted Developer Utilities Proxy Execution ✓T1127.001 · MSBuild ✓T1134 · Access Token Manipulation ✓T1134.001 · Token Impersonation/Theft ✓T1134.002 · Create Process with Token ✓T1134.003 · Make and Impersonate Token ✓T1134.004 · Parent PID Spoofing ✓T1134.005 · SID-History Injection ✓T1140 · Deobfuscate/Decode Files or Information ✓T1197 · BITS Jobs ✓T1202 · Indirect Command Execution ✓T1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1211 · Exploitation for Stealth ✓T1216 · System Script Proxy Execution ✓T1216.001 · PubPrn ✓T1218 · System Binary Proxy Execution ✓T1218.001 · Compiled HTML File ✓T1218.002 · Control Panel ✓T1218.003 · CMSTP ✓T1218.005 · Mshta ✓T1218.007 · Msiexec ✓T1218.008 · Odbcconf ✓T1218.009 · Regsvcs/Regasm ✓T1218.010 · Regsvr32 ✓T1218.011 · Rundll32 ✓T1218.013 · Mavinject ✓T1218.014 · MMC ✓T1220 · XSL Script Processing ✓T1221 · Template Injection ✓T1497.001 · System Checks ✓T1542.001 · System Firmware ✓T1542.003 · Bootkit ✓T1564 · Hide Artifacts ✓T1564.001 · Hidden Files and Directories ✓T1564.002 · Hidden Users ✓T1564.003 · Hidden Window ✓T1564.004 · NTFS File Attributes ✓T1564.006 · Run Virtual Instance ✓T1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓T1574.005 · Executable Installer File Permissions Weakness ✓T1574.006 · Dynamic Linker Hijacking ✓T1574.007 · Path Interception by PATH Environment Variable ✓T1574.008 · Path Interception by Search Order Hijacking ✓T1574.009 · Path Interception by Unquoted Path ✓T1574.010 · Services File Permissions Weakness ✓T1574.011 · Services Registry Permissions Weakness ✓T1574.012 · COR_PROFILER ✓T1620 · Reflective Code Loading ✓T1622 · Debugger Evasion ✓

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin