Home/CVE-2017-8506/Sigma rules
Sigma

Sigma rules for CVE-2017-8506

15 rules · scoped to cve · back to CVE-2017-8506
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

15 of 15
direct high
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
status experimental author Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) id fabb0e80-030c-4e3e-a104-d09676991ac3 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: obsolete
status: experimental
description: |
    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.cpl'
            - '.hta'
            - '.iso'
            - '.rdp'
            - '.svg'
            - '.vba'
            - '.vbe'
            - '.vbs'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_'
              - '\AppData\Local\Microsoft\Olk\Attachments\'
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*
falsepositives:
    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
direct high
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author Nasreddine Bencherchali (Nextron Systems) id 117d3d3a-755c-4a61-b23e-9171146d094c license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
direct high
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
status test author Tobias Michalski (Nextron Systems) id c3edc6a5-d9d4-48d8-930e-aab518390917 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
    - attack.persistence
    - attack.t1137.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|contains:
            - '\AppData\Local\Microsoft\FORMS\IPM'
            - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
    condition: selection
falsepositives:
    - Legitimate use of outlook forms
level: high
direct high
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
status test author Florian Roth (Nextron Systems) id a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
    - Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\Temporary Internet Files\Content.Outlook\'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
status test author Markus Neis, Nasreddine Bencherchali (Nextron Systems) id e212d415-0e93-435f-9e1a-f29005bb4723 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
    - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
      type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
    - https://github.com/sensepost/ruler
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\outlook.exe'
        Image|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
status test author Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team id 208748f7-881d-47ac-a29c-07ea84bf691d license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
      type: derived
    - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
      type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\OUTLOOK.EXE'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\msbuild.exe'        # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\msdt.exe'           # CVE-2022-30190
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe'        # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\wmic.exe'           # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
            # Several FPs with rundll32.exe
            # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
            # - '\rundll32.exe'
            # filter_outlook_photoviewer:  # https://twitter.com/Luke_Hamp/status/1495919717760237568
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains: '\PhotoViewer.dll'
            # filter_outlook_printattachments:  # https://twitter.com/KickaKamil/status/1496238278659485696
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains|all:
            #     - 'shell32.dll,Control_RunDLL'
            #     - '\SYSTEM32\SPOOL\DRIVERS\'
    condition: selection # and not 1 of filter*
falsepositives:
    - Unknown
level: high
direct high
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Markus Neis, Nasreddine Bencherchali (Nextron Systems) id 55f0a3a1-846e-40eb-8273-677371b8d912 license Sigma · DRL-1.1
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
status test author Nasreddine Bencherchali (Nextron Systems) id 396ae3eb-4174-4b9b-880e-dc0364d78a19 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
        Details|contains: '0x00000001'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
status test author Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand id 487bb375-12ef-41f6-baae-c6a1572b4dd1 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook today page.
    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: '\Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_url:
        TargetObject|endswith:
            - '\URL'
            - '\UserDefinedUrl'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
direct high
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
status test author Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand id ddd171b5-2cc6-4975-9e78-f0eccd08cc76 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook home page.
    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
status test author @ScoubiMtl id e3b50fa5-3c3f-444e-937b-0a99d33731cd license Sigma · DRL-1.1
view Sigma YAML 
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
direct high
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Nasreddine Bencherchali (Nextron Systems) id 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 license Sigma · DRL-1.1
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
      type: similar
    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
direct medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author @ScoubiMtl id 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 license Sigma · DRL-1.1
view Sigma YAML 
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
direct medium
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
status test author Nasreddine Bencherchali (Nextron Systems) id 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed license Sigma · DRL-1.1
view Sigma YAML 
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
direct medium
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
status test author frack113 id c3cefdf4-6703-4e1c-bad8-bf422fc5015a license Sigma · DRL-1.1
view Sigma YAML 
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
      type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    filter_main_outlook:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: medium
Showing 1-15 of 15
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin