threatengine.sh Sigma export
backend: carbon_black (one .txt file per rule, each containing the rendered query)
rules: 3646

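files (filename  [MITRE ATT&CK technique IDs]  rule title; a filename prefix, when present, matches the first ID listed, and rules with no technique tag show [] and carry no prefix):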
  T1222.001_ad-object-writedac-access.txt  [T1222.001]  AD Object WriteDAC Access
  T1574.001_apt27-emissary-panda-activity.txt  [T1574.001]  APT27 - Emissary Panda Activity
  T1218.011_apt29-2018-phishing-campaign-commandline-indicators.txt  [T1218.011]  APT29 2018 Phishing Campaign CommandLine Indicators
  T1218.011_apt29-2018-phishing-campaign-file-indicators.txt  [T1218.011]  APT29 2018 Phishing Campaign File Indicators
  T1003.001_apt31-judgement-panda-activity.txt  [T1003.001,T1560.001]  APT31 Judgement Panda Activity
  T1003.006_active-directory-replication-from-non-machine-account.txt  [T1003.006]  Active Directory Replication from Non Machine Account
  T1203_antivirus-exploitation-framework-detection.txt  [T1203,T1219.002]  Antivirus Exploitation Framework Detection
  T1003_antivirus-password-dumper-detection.txt  [T1003,T1003.001,T1003.002,T1558]  Antivirus Password Dumper Detection
  T1055_antivirus-printernightmare-cve-2021-34527-exploit-detection.txt  [T1055]  Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  T1486_antivirus-ransomware-detection.txt  [T1486]  Antivirus Ransomware Detection
  T1190_arcadyan-router-exploitations.txt  [T1190]  Arcadyan Router Exploitations
  T1068_audit-cve-event.txt  [T1068,T1203,T1210,T1211,T1212,T1499.004]  Audit CVE Event
  T1059.001_bad-opsec-powershell-code-artifacts.txt  [T1059.001]  Bad Opsec Powershell Code Artifacts
  T1586_bitbucket-unauthorized-access-to-a-resource.txt  [T1586]  Bitbucket Unauthorized Access To A Resource
  T1213.003_bitbucket-unauthorized-full-data-export-triggered.txt  [T1213.003,T1586]  Bitbucket Unauthorized Full Data Export Triggered
  coldsteel-rat-cleanup-command-execution.txt  []  COLDSTEEL RAT Cleanup Command Execution
  coldsteel-rat-service-persistence-execution.txt  []  COLDSTEEL RAT Service Persistence Execution
  T1190_cve-2010-5278-exploitation-attempt.txt  [T1190]  CVE-2010-5278 Exploitation Attempt
  T1190_cve-2020-0688-exchange-exploitation-via-web-log.txt  [T1190]  CVE-2020-0688 Exchange Exploitation via Web Log
  T1190_cve-2020-10148-solarwinds-orion-api-auth-bypass.txt  [T1190]  CVE-2020-10148 SolarWinds Orion API Auth Bypass
  T1190_cve-2020-5902-f5-big-ip-exploitation-attempt.txt  [T1190]  CVE-2020-5902 F5 BIG-IP Exploitation Attempt
  T1569_cve-2021-1675-print-spooler-exploitation.txt  [T1569]  CVE-2021-1675 Print Spooler Exploitation
  T1587_cve-2021-1675-print-spooler-exploitation-filename-pattern.txt  [T1587]  CVE-2021-1675 Print Spooler Exploitation Filename Pattern
  T1569_cve-2021-1675-print-spooler-exploitation-ipc-access.txt  [T1569]  CVE-2021-1675 Print Spooler Exploitation IPC Access
  T1203_cve-2021-31979-cve-2021-33771-exploits.txt  [T1203,T1566]  CVE-2021-31979 CVE-2021-33771 Exploits
  T1203_cve-2021-31979-cve-2021-33771-exploits-by-sourgum.txt  [T1203,T1566]  CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
  T1190_cve-2021-33766-exchange-proxytoken-exploitation.txt  [T1190]  CVE-2021-33766 Exchange ProxyToken Exploitation
  T1190_cve-2021-40539-zoho-manageengine-adselfservice-plus-exploit.txt  [T1190,T1505.003]  CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
  cve-2023-23397-exploitation-attempt.txt  []  CVE-2023-23397 Exploitation Attempt
  cve-2024-1708-screenconnect-path-traversal-exploitation-secu.txt  []  CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  cve-2024-1709-screenconnect-authentication-bypass-exploitati.txt  []  CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  T1505.003_certificate-request-export-to-exchange-webserver.txt  [T1505.003]  Certificate Request Export to Exchange Webserver
  T1190_citrix-ads-exploitation-cve-2020-8193-cve-2020-8195.txt  [T1190]  Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
  T1190_citrix-netscaler-attack-cve-2019-19781.txt  [T1190]  Citrix Netscaler Attack CVE-2019-19781
  T1071.004_cobalt-strike-dns-beaconing.txt  [T1071.004]  Cobalt Strike DNS Beaconing
  T1055_cobaltstrike-named-pipe.txt  [T1055]  CobaltStrike Named Pipe
  T1055_cobaltstrike-named-pipe-pattern-regex.txt  [T1055]  CobaltStrike Named Pipe Pattern Regex
  T1021.002_cobaltstrike-service-installations-system.txt  [T1021.002,T1543.003,T1569.002]  CobaltStrike Service Installations - System
  T1190_confluence-exploitation-cve-2019-3398.txt  [T1190]  Confluence Exploitation CVE-2019-3398
  T1543.003_cosmicduke-service-installation.txt  [T1543.003,T1569.002]  CosmicDuke Service Installation
  T1190_dns-rce-cve-2020-1350.txt  [T1190,T1569.002]  DNS RCE CVE-2020-1350
  T1204_darkside-ransomware-pattern.txt  [T1204]  DarkSide Ransomware Pattern
  diagtrackeop-default-login-username.txt  []  DiagTrackEoP Default Login Username
  T1053.005_diamond-sleet-apt-scheduled-task-creation.txt  [T1053.005]  Diamond Sleet APT Scheduled Task Creation
  T1203_droppers-exploiting-cve-2017-11882.txt  [T1203,T1204.002,T1566.001]  Droppers Exploiting CVE-2017-11882
  dumpstack-log-defender-evasion.txt  []  DumpStack.log Defender Evasion
  T1059.003_elise-backdoor-activity.txt  [T1059.003]  Elise Backdoor Activity
  T1218.011_equation-group-dll-u-export-function-load.txt  [T1218.011]  Equation Group DLL_U Export Function Load
  T1218.011_evilnum-apt-golden-chickens-deployment-via-ocx-files.txt  [T1218.011]  EvilNum APT Golden Chickens Deployment Via OCX Files
  T1190_exchange-exploitation-cve-2021-28480.txt  [T1190]  Exchange Exploitation CVE-2021-28480
  T1036.005_exploit-for-cve-2015-1641.txt  [T1036.005]  Exploit for CVE-2015-1641
  T1203_exploit-for-cve-2017-8759.txt  [T1203,T1204.002,T1566.001]  Exploit for CVE-2017-8759
  T1068_exploiting-cve-2019-1388.txt  [T1068]  Exploiting CVE-2019-1388
  T1112_flowcloud-registry-markers.txt  [T1112]  FlowCloud Registry Markers
  T1587_foggyweb-backdoor-dll-loading.txt  [T1587]  FoggyWeb Backdoor DLL Loading
  T1190_fortinet-cve-2018-13379-exploitation.txt  [T1190]  Fortinet CVE-2018-13379 Exploitation
  goofy-guineapig-backdoor-service-creation.txt  []  Goofy Guineapig Backdoor Service Creation
  T1190_grafana-path-traversal-exploitation-cve-2021-43798.txt  [T1190]  Grafana Path Traversal Exploitation CVE-2021-43798
  T1036.005_greenbug-espionage-group-indicators.txt  [T1036.005,T1059.001,T1105]  Greenbug Espionage Group Indicators
  griffon-malware-attack-pattern.txt  []  Griffon Malware Attack Pattern
  T1053_hafnium-exchange-exploitation-activity.txt  [T1053,T1546]  HAFNIUM Exchange Exploitation Activity
  T1071.001_hacktool-babyshark-agent-default-url-pattern.txt  [T1071.001]  HackTool - BabyShark Agent Default URL Pattern
  T1003.001_hacktool-credential-dumping-tools-named-pipe-created.txt  [T1003.001,T1003.002,T1003.004,T1003.005]  HackTool - Credential Dumping Tools Named Pipe Created
  T1055_hacktool-dinjector-powershell-cradle-execution.txt  [T1055]  HackTool - DInjector PowerShell Cradle Execution
  hacktool-diagtrackeop-default-named-pipe.txt  []  HackTool - DiagTrackEoP Default Named Pipe
  T1003.001_hacktool-dumpert-process-dumper-default-file.txt  [T1003.001]  HackTool - Dumpert Process Dumper Default File
  T1003.001_hacktool-dumpert-process-dumper-execution.txt  [T1003.001]  HackTool - Dumpert Process Dumper Execution
  T1548.002_hacktool-empire-powershell-uac-bypass.txt  [T1548.002]  HackTool - Empire PowerShell UAC Bypass
  T1218.011_hacktool-f-secure-c3-load-by-rundll32.txt  [T1218.011]  HackTool - F-Secure C3 Load by Rundll32
  T1003.001_hacktool-inveigh-execution.txt  [T1003.001]  HackTool - Inveigh Execution
  T1219.002_hacktool-inveigh-execution-artefacts.txt  [T1219.002]  HackTool - Inveigh Execution Artefacts
  T1134.001_hacktool-koh-default-named-pipe.txt  [T1134.001,T1528]  HackTool - Koh Default Named Pipe
  T1558_hacktool-mimikatz-kirbi-file-creation.txt  [T1558]  HackTool - Mimikatz Kirbi File Creation
  T1587_hacktool-purplesharp-execution.txt  [T1587]  HackTool - PurpleSharp Execution
  T1003.002_hacktool-quarkspwdump-dump-file.txt  [T1003.002]  HackTool - QuarksPwDump Dump File
  T1003_hacktool-rubeus-execution.txt  [T1003,T1550.003,T1558.003]  HackTool - Rubeus Execution
  T1003.001_hacktool-safetykatz-execution.txt  [T1003.001]  HackTool - SafetyKatz Execution
  T1555_hacktool-securityxploded-execution.txt  [T1555]  HackTool - SecurityXploded Execution
  T1569.002_hacktool-sharpup-privesc-tool-execution.txt  [T1569.002,T1574.005,T1615]  HackTool - SharpUp PrivEsc Tool Execution
  T1059_hacktool-sliver-c2-implant-activity-pattern.txt  [T1059]  HackTool - Sliver C2 Implant Activity Pattern
  T1068_hacktool-sysmoneop-execution.txt  [T1068]  HackTool - SysmonEOP Execution
  T1003.001_hacktool-windows-credential-editor-wce-execution.txt  [T1003.001]  HackTool - Windows Credential Editor (WCE) Execution
  T1003_hacktool-execution-imphash.txt  [T1003,T1588.002]  Hacktool Execution - Imphash
  T1068_installerfiletakeover-lpe-cve-2021-41379-file-create-event.txt  [T1068]  InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
  T1059_lazarus-group-activity.txt  [T1059]  Lazarus Group Activity
  T1547.001_leviathan-registry-key-activity.txt  [T1547.001]  Leviathan Registry Key Activity
  T1059.004_linux-reverse-shell-indicator.txt  [T1059.004]  Linux Reverse Shell Indicator
  T1486_lockergoga-ransomware-activity.txt  [T1486]  LockerGoga Ransomware Activity
  T1505.003_mailbox-export-to-exchange-webserver.txt  [T1505.003]  Mailbox Export to Exchange Webserver
  malicious-dll-load-by-compromised-3cxdesktopapp.txt  []  Malicious DLL Load By Compromised 3CXDesktopApp
  T1055_malicious-named-pipe-created.txt  [T1055]  Malicious Named Pipe Created
  mint-sandstorm-asperafaspex-suspicious-process-execution.txt  []  Mint Sandstorm - AsperaFaspex Suspicious Process Execution
  mint-sandstorm-manageengine-suspicious-process-execution.txt  []  Mint Sandstorm - ManageEngine Suspicious Process Execution
  T1543.003_moriya-rootkit-system.txt  [T1543.003]  Moriya Rootkit - System
  T1543.003_moriya-rootkit-file-created.txt  [T1543.003]  Moriya Rootkit File Created
  T1003.001_notpetya-ransomware-activity.txt  [T1003.001,T1218.011,T1685.005]  NotPetya Ransomware Activity
  T1190_owassrf-exploitation-attempt-using-public-poc-proxy.txt  [T1190]  OWASSRF Exploitation Attempt Using Public POC - Proxy
  T1190_owassrf-exploitation-attempt-using-public-poc-webserver.txt  [T1190]  OWASSRF Exploitation Attempt Using Public POC - Webserver
  T1112_oceanlotus-registry-activity.txt  [T1112]  OceanLotus Registry Activity
  T1053.005_oilrig-apt-activity.txt  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Activity
  T1053.005_oilrig-apt-registry-persistence.txt  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Registry Persistence
  T1053.005_oilrig-apt-schedule-task-persistence-security.txt  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Schedule Task Persistence - Security
  T1053.005_oilrig-apt-schedule-task-persistence-system.txt  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Schedule Task Persistence - System
  T1190_oracle-weblogic-exploit.txt  [T1190,T1505.003]  Oracle WebLogic Exploit
  T1190_oracle-weblogic-exploit-cve-2021-2109.txt  [T1190]  Oracle WebLogic Exploit CVE-2021-2109
  T1105_pandemic-registry-key.txt  [T1105]  Pandemic Registry Key
  T1546.008_persistence-via-sticky-key-backdoor.txt  [T1546.008]  Persistence Via Sticky Key Backdoor
  T1068_possible-coin-miner-cpu-priority-param.txt  [T1068]  Possible Coin Miner CPU Priority Param
  T1068_potential-cve-2021-41379-exploitation-attempt.txt  [T1068]  Potential CVE-2021-41379 Exploitation Attempt
  potential-cve-2023-36884-exploitation-pattern.txt  []  Potential CVE-2023-36884 Exploitation Pattern
  T1486_potential-conti-ransomware-activity.txt  [T1486]  Potential Conti Ransomware Activity
  T1003_potential-credential-dumping-via-lsass-process-clone.txt  [T1003,T1003.001]  Potential Credential Dumping Via LSASS Process Clone
  T1003.001_potential-credential-dumping-via-lsass-silentprocessexit-tec.txt  [T1003.001]  Potential Credential Dumping Via LSASS SilentProcessExit Technique
  T1021.002_potential-dcom-internetexplorer-application-dll-hijack.txt  [T1021.002,T1021.003]  Potential DCOM InternetExplorer.Application DLL Hijack
  T1021.002_potential-dcom-internetexplorer-application-dll-hijack-image.txt  [T1021.002,T1021.003]  Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
  T1033_potential-dridex-activity.txt  [T1033,T1055,T1135]  Potential Dridex Activity
  T1490_potential-dtrack-rat-activity.txt  [T1490]  Potential Dtrack RAT Activity
  T1218.011_potential-emotet-rundll32-execution.txt  [T1218.011]  Potential Emotet Rundll32 Execution
  T1047_potential-maze-ransomware-activity.txt  [T1047,T1204.002,T1490]  Potential Maze Ransomware Activity
  T1059.005_potential-qbot-activity.txt  [T1059.005]  Potential QBot Activity
  T1003.003_potential-russian-apt-credential-theft-activity.txt  [T1003.003,T1552.001]  Potential Russian APT Credential Theft Activity
  T1557.001_potential-smb-relay-attack-tool-execution.txt  [T1557.001]  Potential SMB Relay Attack Tool Execution
  T1190_potential-sharepoint-toolshell-cve-2025-53770-exploitation-f.txt  [T1190]  Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
  T1068_potential-systemnightmare-exploitation-attempt.txt  [T1068]  Potential SystemNightmare Exploitation Attempt
  T1204_printernightmare-mimikatz-driver-name.txt  [T1204]  PrinterNightmare Mimikatz Driver Name
  T1587.001_proxylogon-msexchange-oabvirtualdirectory.txt  [T1587.001]  ProxyLogon MSExchange OabVirtualDirectory
  T1190_proxylogon-reset-virtual-directories-based-on-iis-log.txt  [T1190]  ProxyLogon Reset Virtual Directories Based On IIS Log
  T1190_pulse-secure-attack-cve-2019-11510.txt  [T1190]  Pulse Secure Attack CVE-2019-11510
  T1071.001_pwndrp-access.txt  [T1071.001,T1102.001,T1102.003]  PwnDrp Access
  qakbot-rundll32-exports-execution.txt  []  Qakbot Rundll32 Exports Execution
  qakbot-rundll32-fake-dll-extension-execution.txt  []  Qakbot Rundll32 Fake DLL Extension Execution
  T1059_revil-kaseya-incident-malware-patterns.txt  [T1059]  REvil Kaseya Incident Malware Patterns
  T1055_redsun-named-pipe-created.txt  [T1055,T1685]  RedSun - Named Pipe Created
  T1036.005_redsun-tieringengineservice-exe-detected-as-eicar-test-file.txt  [T1036.005,T1055,T1685]  RedSun - TieringEngineService.exe Detected as EICAR Test File
  T1036.005_redsun-tieringengineservice-exe-staged-in-rs-prefixed-temp-d.txt  [T1036.005]  RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
  T1112_registry-entries-for-azorult-malware.txt  [T1112]  Registry Entries For Azorult Malware
  T1033_renamed-whoami-execution.txt  [T1033]  Renamed Whoami Execution
  T1059.001_rorschach-ransomware-execution-activity.txt  [T1059.001,T1059.003]  Rorschach Ransomware Execution Activity
  snake-malware-kernel-driver-file-indicator.txt  []  SNAKE Malware Kernel Driver File Indicator
  snake-malware-service-persistence.txt  []  SNAKE Malware Service Persistence
  T1136.001_serv-u-exploitation-cve-2021-35211-by-dev-0322.txt  [T1136.001]  Serv-U Exploitation CVE-2021-35211 by DEV-0322
  T1059.001_silence-eda-detection.txt  [T1059.001,T1071.004,T1529,T1572]  Silence.EDA Detection
  small-sieve-malware-potential-c2-communication.txt  []  Small Sieve Malware Potential C2 Communication
  T1505.003_solarwinds-supernova-webshell-access.txt  [T1505.003]  Solarwinds SUPERNOVA Webshell Access
  T1546.008_sticky-key-like-backdoor-execution.txt  [T1546.008]  Sticky Key Like Backdoor Execution
  T1546.008_sticky-key-like-backdoor-usage-registry.txt  [T1546.008]  Sticky Key Like Backdoor Usage - Registry
  successful-exchange-proxyshell-attack.txt  []  Successful Exchange ProxyShell Attack
  T1068_sudo-privilege-escalation-cve-2019-14287-builtin.txt  [T1068,T1548.003]  Sudo Privilege Escalation CVE-2019-14287 - Builtin
  suspicious-child-process-of-veeam-dabatase.txt  []  Suspicious Child Process Of Veeam Dabatase
  T1071.004_suspicious-cobalt-strike-dns-beaconing-dns-client.txt  [T1071.004]  Suspicious Cobalt Strike DNS Beaconing - DNS Client
  T1071.004_suspicious-cobalt-strike-dns-beaconing-sysmon.txt  [T1071.004]  Suspicious Cobalt Strike DNS Beaconing - Sysmon
  suspicious-powershell-mailbox-export-to-share.txt  []  Suspicious PowerShell Mailbox Export to Share
  suspicious-powershell-mailbox-export-to-share-ps.txt  []  Suspicious PowerShell Mailbox Export to Share - PS
  T1548.002_trustedpath-uac-bypass-pattern.txt  [T1548.002]  TrustedPath UAC Bypass Pattern
  T1027_turla-group-commands-may-2020.txt  [T1027,T1053.005,T1059.001]  Turla Group Commands May 2020
  T1021.002_turla-group-lateral-movement.txt  [T1021.002,T1059,T1083,T1135]  Turla Group Lateral Movement
  T1106_turla-group-named-pipes.txt  [T1106]  Turla Group Named Pipes
  T1543.003_turla-png-dropper-service.txt  [T1543.003]  Turla PNG Dropper Service
  T1047_unc2452-powershell-pattern.txt  [T1047,T1059.001]  UNC2452 PowerShell Pattern
  unc4841-potential-seaspy-execution.txt  []  UNC4841 - Potential SEASPY Execution
  T1071.001_ursnif-malware-c2-url-pattern.txt  [T1071.001,T1204.002,T1566.001]  Ursnif Malware C2 URL Pattern
  T1003_wce-wceaux-dll-access.txt  [T1003]  WCE wceaux.dll Access
  T1546.003_wmi-backdoor-exchange-transport-agent.txt  [T1546.003]  WMI Backdoor Exchange Transport Agent
  T1083_wannacry-ransomware-activity.txt  [T1083,T1210,T1222.001,T1486,T1490]  WannaCry Ransomware Activity
  T1505.003_webshell-remote-command-execution.txt  [T1505.003]  Webshell Remote Command Execution
  T1078_win-susp-computer-name-containing-samtheadmin.txt  [T1078]  Win Susp Computer Name Containing Samtheadmin
  T1003.001_windows-credential-editor-registry.txt  [T1003.001]  Windows Credential Editor Registry
  T1574.001_winnti-malware-hk-university-campaign.txt  [T1574.001]  Winnti Malware HK University Campaign
  T1574.001_winnti-pipemon-characteristics.txt  [T1574.001]  Winnti Pipemon Characteristics
  T1047_wmiexec-default-output-file.txt  [T1047]  Wmiexec Default Output File
  T1021.002_wmiprvse-wbemcomn-dll-hijack-file.txt  [T1021.002,T1047]  Wmiprvse Wbemcomn DLL Hijack - File
  T1210_zerologon-exploitation-using-well-known-tools.txt  [T1210]  Zerologon Exploitation Using Well-known Tools
  T1059.003_zxshell-malware.txt  [T1059.003,T1218.011]  ZxShell Malware
  rdp-file-created-by-uncommon-application.txt  []  .RDP File Created By Uncommon Application
  aadinternals-powershell-cmdlets-execution-proccesscreation.txt  []  AADInternals PowerShell Cmdlets Execution - ProccessCreation
  aadinternals-powershell-cmdlets-execution-psscript.txt  []  AADInternals PowerShell Cmdlets Execution - PsScript
  T1087.002_ad-privileged-users-or-groups-reconnaissance.txt  [T1087.002]  AD Privileged Users or Groups Reconnaissance
  adcs-certificate-template-configuration-vulnerability-with-r.txt  []  ADCS Certificate Template Configuration Vulnerability with Risky EKU
  T1190_adselfservice-exploitation.txt  [T1190]  ADSelfService Exploitation
  T1685_amsi-bypass-pattern-assembly-gettype.txt  [T1685]  AMSI Bypass Pattern Assembly GetType
  T1685_amsi-disabled-via-registry-modification.txt  [T1685]  AMSI Disabled via Registry Modification
  T1055_apt-privatelog-image-load-pattern.txt  [T1055]  APT PRIVATELOG Image Load Pattern
  T1071.001_apt-user-agent.txt  [T1071.001]  APT User Agent
  T1071.001_apt40-dropbox-tool-user-agent.txt  [T1071.001,T1567.002]  APT40 Dropbox Tool User Agent
  T1055.009_aslr-disabled-via-sysctl-or-direct-syscall-linux.txt  [T1055.009,T1685]  ASLR Disabled Via Sysctl or Direct Syscall - Linux
  T1685.002_aws-config-disabling-channel-recorder.txt  [T1685.002]  AWS Config Disabling Channel/Recorder
  T1059.001_aws-ec2-startup-shell-script-change.txt  [T1059.001,T1059.003,T1059.004]  AWS EC2 Startup Shell Script Change
  T1685_aws-guardduty-important-change.txt  [T1685]  AWS GuardDuty Important Change
  T1059.009_aws-iam-s3browser-loginprofile-creation.txt  [T1059.009,T1078.004]  AWS IAM S3Browser LoginProfile Creation
  T1059.009_aws-iam-s3browser-templated-s3-bucket-policy-creation.txt  [T1059.009,T1078.004]  AWS IAM S3Browser Templated S3 Bucket Policy Creation
  T1059.009_aws-iam-s3browser-user-or-accesskey-creation.txt  [T1059.009,T1078.004]  AWS IAM S3Browser User or AccessKey Creation
  T1556_aws-identity-center-identity-provider-change.txt  [T1556]  AWS Identity Center Identity Provider Change
  T1486_aws-kms-imported-key-material-usage.txt  [T1486,T1608.003]  AWS KMS Imported Key Material Usage
  T1685_aws-securityhub-findings-evasion.txt  [T1685]  AWS SecurityHub Findings Evasion
  T1059_abusable-dll-potential-sideloading-from-suspicious-location.txt  [T1059]  Abusable DLL Potential Sideloading From Suspicious Location
  T1574.011_abuse-of-service-permissions-to-hide-services-via-set-servic.txt  [T1574.011]  Abuse of Service Permissions to Hide Services Via Set-Service
  T1574.011_abuse-of-service-permissions-to-hide-services-via-set-servic_2.txt  [T1574.011]  Abuse of Service Permissions to Hide Services Via Set-Service - PS
  T1548_abused-debug-privilege-by-arbitrary-parent-processes.txt  [T1548]  Abused Debug Privilege by Arbitrary Parent Processes
  T1078_account-created-and-deleted-within-a-close-time-frame.txt  [T1078]  Account Created And Deleted Within A Close Time Frame
  T1078_activity-from-anonymous-ip-address.txt  [T1078]  Activity From Anonymous IP Address
  add-debugger-entry-to-hangs-key-for-persistence.txt  []  Add Debugger Entry To Hangs Key For Persistence
  T1059_add-insecure-download-source-to-winget.txt  [T1059]  Add Insecure Download Source To Winget
  T1685_add-safeboot-keys-via-reg-utility.txt  [T1685]  Add SafeBoot Keys Via Reg Utility
  T1098.001_added-credentials-to-existing-application.txt  [T1098.001]  Added Credentials to Existing Application
  T1059.005_adwind-rat-jrat.txt  [T1059.005,T1059.007]  Adwind RAT / JRAT
  T1059.005_adwind-rat-jrat-file-artifact.txt  [T1059.005,T1059.007]  Adwind RAT / JRAT File Artifact
  T1490_all-backups-deleted-via-wbadmin-exe.txt  [T1490]  All Backups Deleted Via Wbadmin.EXE
  T1686.003_all-rules-have-been-deleted-from-the-windows-firewall-config.txt  [T1686.003]  All Rules Have Been Deleted From The Windows Firewall Configuration
  T1543.003_allow-service-access-using-security-descriptor-tampering-via.txt  [T1543.003]  Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
  T1528_anomalous-token.txt  [T1528]  Anomalous Token
  T1098_anomalous-user-activity.txt  [T1098]  Anomalous User Activity
  T1528_anonymous-ip-address.txt  [T1528]  Anonymous IP Address
  T1685_antivirus-filter-driver-disallowed-on-dev-drive-registry.txt  [T1685]  Antivirus Filter Driver Disallowed On Dev Drive - Registry
  T1204_antivirus-hacktool-detection.txt  [T1204]  Antivirus Hacktool Detection
  T1588_antivirus-relevant-file-paths-alerts.txt  [T1588]  Antivirus Relevant File Paths Alerts
  T1505.003_antivirus-web-shell-detection.txt  [T1505.003]  Antivirus Web Shell Detection
  T1499.004_apache-segmentation-fault.txt  [T1499.004]  Apache Segmentation Fault
  T1190_apache-spark-shell-command-injection-processcreation.txt  [T1190]  Apache Spark Shell Command Injection - ProcessCreation
  T1190_apache-spark-shell-command-injection-weblogs.txt  [T1190]  Apache Spark Shell Command Injection - Weblogs
  T1528_app-granted-microsoft-permissions.txt  [T1528]  App Granted Microsoft Permissions
  T1098.003_app-granted-privileged-delegated-or-app-permissions.txt  [T1098.003]  App Granted Privileged Delegated Or App Permissions
  appx-located-in-known-staging-directory-added-to-deployment.txt  []  AppX Located in Known Staging Directory Added to Deployment Pipeline
  T1078.004_application-appid-uri-configuration-changes.txt  [T1078.004,T1552]  Application AppID Uri Configuration Changes
  T1078.004_application-uri-configuration-changes.txt  [T1078.004,T1528]  Application URI Configuration Changes
  T1218_arbitrary-file-download-via-imewdbld-exe.txt  [T1218]  Arbitrary File Download Via IMEWDBLD.EXE
  T1574.001_aruba-network-service-potential-dll-sideloading.txt  [T1574.001]  Aruba Network Service Potential DLL Sideloading
  T1219.002_atera-agent-installation.txt  [T1219.002]  Atera Agent Installation
  T1190_atlassian-bitbucket-command-injection-via-archive-api.txt  [T1190]  Atlassian Bitbucket Command Injection Via Archive API
  T1059_atlassian-confluence-cve-2022-26134.txt  [T1059,T1190]  Atlassian Confluence CVE-2022-26134
  T1059.002_atomic-macos-stealer-filegrabber-activity.txt  [T1059.002]  Atomic MacOS Stealer - FileGrabber Activity
  T1543.004_atomic-macos-stealer-persistence-indicators.txt  [T1543.004,T1564.001]  Atomic MacOS Stealer - Persistence Indicators
  T1187_attempts-of-kerberos-coercion-via-dns-spn-spoofing.txt  [T1187,T1557.001]  Attempts of Kerberos Coercion Via DNS SPN Spoofing
  T1078_atypical-travel.txt  [T1078]  Atypical Travel
  T1685.001_audit-policy-tampering-via-auditpol.txt  [T1685.001]  Audit Policy Tampering Via Auditpol
  T1685.001_audit-policy-tampering-via-nt-resource-kit-auditpol.txt  [T1685.001]  Audit Policy Tampering Via NT Resource Kit Auditpol
  T1685.004_audit-rules-deleted-via-auditctl.txt  [T1685.004]  Audit Rules Deleted Via Auditctl
  T1685_auditing-configuration-changes-on-linux-host.txt  [T1685]  Auditing Configuration Changes on Linux Host
  T1105_axios-npm-compromise-file-creation-indicators-linux.txt  [T1105,T1195.002]  Axios NPM Compromise File Creation Indicators - Linux
  T1105_axios-npm-compromise-file-creation-indicators-macos.txt  [T1105,T1195.002]  Axios NPM Compromise File Creation Indicators - MacOS
  T1195.002_axios-npm-compromise-file-creation-indicators-windows.txt  [T1195.002]  Axios NPM Compromise File Creation Indicators - Windows
  T1059.004_axios-npm-compromise-indicators-linux.txt  [T1059.004,T1059.006,T1105,T1195.002]  Axios NPM Compromise Indicators - Linux
  T1059.003_axios-npm-compromise-indicators-windows.txt  [T1059.003,T1059.005,T1105,T1195.002]  Axios NPM Compromise Indicators - Windows
  T1059.002_axios-npm-compromise-indicators-macos.txt  [T1059.002,T1059.004,T1105,T1195.002]  Axios NPM Compromise Indicators - macOS
  T1071.001_axios-npm-compromise-malicious-c2-domain-dns-query.txt  [T1071.001,T1568]  Axios NPM Compromise Malicious C2 Domain DNS Query
  T1589_azure-ad-account-credential-leaked.txt  [T1589]  Azure AD Account Credential Leaked
  T1078_azure-ad-threat-intelligence.txt  [T1078]  Azure AD Threat Intelligence
  T1078_azure-login-bypassing-conditional-access-policies.txt  [T1078]  Azure Login Bypassing Conditional Access Policies
  T1078.004_azure-subscription-permission-elevation-via-activitylogs.txt  [T1078.004]  Azure Subscription Permission Elevation Via ActivityLogs
  T1078_azure-subscription-permission-elevation-via-auditlogs.txt  [T1078]  Azure Subscription Permission Elevation Via AuditLogs
  T1197_bits-transfer-job-download-from-direct-ip.txt  [T1197]  BITS Transfer Job Download From Direct IP
  T1197_bits-transfer-job-download-from-file-sharing-domains.txt  [T1197]  BITS Transfer Job Download From File Sharing Domains
  T1197_bits-transfer-job-download-to-potential-suspicious-folder.txt  [T1197]  BITS Transfer Job Download To Potential Suspicious Folder
  T1059_bpfdoor-abnormal-process-id-or-lock-file-accessed.txt  [T1059,T1106]  BPFDoor Abnormal Process ID or Lock File Accessed
  T1021.003_baaupdate-exe-suspicious-dll-load.txt  [T1021.003,T1218]  BaaUpdate.exe Suspicious DLL Load
  T1218.011_bad-opsec-defaults-sacrificial-processes-with-improper-argum.txt  [T1218.011]  Bad Opsec Defaults Sacrificial Processes With Improper Arguments
  T1027_base64-encoded-powershell-command-detected.txt  [T1027,T1059.001,T1140]  Base64 Encoded PowerShell Command Detected
  base64-mz-header-in-commandline.txt  []  Base64 MZ Header In CommandLine
  T1027.001_binary-padding-linux.txt  [T1027.001]  Binary Padding - Linux
  T1027.001_binary-padding-macos.txt  [T1027.001]  Binary Padding - MacOS
  T1213.003_bitbucket-full-data-export-triggered.txt  [T1213.003]  Bitbucket Full Data Export Triggered
  T1685_bitbucket-secret-scanning-exempt-repository-added.txt  [T1685]  Bitbucket Secret Scanning Exempt Repository Added
  T1071.001_bitsadmin-to-uncommon-ip-server-address.txt  [T1071.001,T1197]  Bitsadmin to Uncommon IP Server Address
  T1071.001_bitsadmin-to-uncommon-tld.txt  [T1071.001,T1197]  Bitsadmin to Uncommon TLD
  T1112_blackbyte-ransomware-registry.txt  [T1112]  Blackbyte Ransomware Registry
  T1059.001_bloodhound-collection-files.txt  [T1059.001,T1069.001,T1069.002,T1087.001,T1087.002,T1482]  BloodHound Collection Files
  T1047_blue-mockingbird.txt  [T1047,T1112]  Blue Mockingbird
  T1047_blue-mockingbird-registry.txt  [T1047,T1112]  Blue Mockingbird - Registry
  T1486_bluesky-ransomware-artefacts.txt  [T1486]  BlueSky Ransomware Artefacts
  T1490_boot-configuration-tampering-via-bcdedit-exe.txt  [T1490]  Boot Configuration Tampering Via Bcdedit.EXE
  T1068_buffer-overflow-attempts.txt  [T1068]  Buffer Overflow Attempts
  T1098_bulk-deletion-changes-to-privileged-account-permissions.txt  [T1098]  Bulk Deletion Changes To Privileged Account Permissions
  T1548.002_bypass-uac-using-delegateexecute.txt  [T1548.002]  Bypass UAC Using DelegateExecute
  T1547.010_bypass-uac-using-event-viewer.txt  [T1547.010]  Bypass UAC Using Event Viewer
  T1548.002_bypass-uac-using-silentcleanup-task.txt  [T1548.002]  Bypass UAC Using SilentCleanup Task
  T1218.003_bypass-uac-via-cmstp.txt  [T1218.003,T1548.002]  Bypass UAC via CMSTP
  T1548.002_bypass-uac-via-fodhelper-exe.txt  [T1548.002]  Bypass UAC via Fodhelper.exe
  T1548.002_bypass-uac-via-wsreset-exe.txt  [T1548.002]  Bypass UAC via WSReset.exe
  T1218.003_cmstp-execution-process-access.txt  [T1218.003,T1559.001]  CMSTP Execution Process Access
  T1218.003_cmstp-execution-process-creation.txt  [T1218.003]  CMSTP Execution Process Creation
  T1218.003_cmstp-execution-registry-event.txt  [T1218.003]  CMSTP Execution Registry Event
  T1218.003_cmstp-uac-bypass-via-com-object-access.txt  [T1218.003,T1548.002]  CMSTP UAC Bypass via COM Object Access
  coldsteel-persistence-service-creation.txt  []  COLDSTEEL Persistence Service Creation
  coldsteel-rat-anonymous-user-process-execution.txt  []  COLDSTEEL RAT Anonymous User Process Execution
  T1546_com-hijack-via-sdclt.txt  [T1546,T1548]  COM Hijack via Sdclt
  T1546.015_com-object-hijacking-via-modification-of-default-system-clsi.txt  [T1546.015]  COM Object Hijacking Via Modification Of Default System CLSID Default Value
  T1190_cve-2020-0688-exploitation-attempt.txt  [T1190]  CVE-2020-0688 Exploitation Attempt
  T1190_cve-2020-0688-exploitation-via-eventlog.txt  [T1190]  CVE-2020-0688 Exploitation via Eventlog
  T1112_cve-2020-1048-exploitation-attempt-suspicious-new-printer-po.txt  [T1112]  CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
  T1190_cve-2021-21972-vsphere-exploitation.txt  [T1190]  CVE-2021-21972 VSphere Exploitation
  T1190_cve-2021-21978-exploitation-attempt.txt  [T1190]  CVE-2021-21978 Exploitation Attempt
  T1203_cve-2021-26858-exchange-exploitation.txt  [T1203]  CVE-2021-26858 Exchange Exploitation
  T1190_cve-2021-41773-exploitation-attempt.txt  [T1190]  CVE-2021-41773 Exploitation Attempt
  cve-2021-44077-poc-default-dropped-file.txt  []  CVE-2021-44077 POC Default Dropped File
  T1059.001_cve-2022-24527-microsoft-connected-cache-lpe.txt  [T1059.001]  CVE-2022-24527 Microsoft Connected Cache LPE
  T1190_cve-2022-31656-vmware-workspace-one-access-auth-bypass.txt  [T1190]  CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
  T1059_cve-2023-22518-exploitation-attempt-suspicious-confluence-ch.txt  [T1059,T1190]  CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
  cve-2023-38331-exploitation-attempt-suspicious-double-extens.txt  []  CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  T1203_cve-2023-38331-exploitation-attempt-suspicious-winrar-child.txt  [T1203]  CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
  T1190_cve-2023-46747-exploitation-activity-proxy.txt  [T1190]  CVE-2023-46747 Exploitation Activity - Proxy
  T1190_cve-2023-46747-exploitation-activity-webserver.txt  [T1190]  CVE-2023-46747 Exploitation Activity - Webserver
  T1190_cve-2023-4966-exploitation-attempt-citrix-adc-sensitive-info.txt  [T1190]  CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  T1190_cve-2023-4966-exploitation-attempt-citrix-adc-sensitive-info_2.txt  [T1190]  CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  cve-2024-1212-exploitation-progress-kemp-loadmaster-unauthen.txt  []  CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
  T1499_cve-2024-49113-exploitation-attempt-ldap-nightmare.txt  [T1499]  CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
  T1190_cve-2024-50623-exploitation-attempt-cleo.txt  [T1190]  CVE-2024-50623 Exploitation Attempt - Cleo
  cab-file-extraction-via-wusa-exe-from-potentially-suspicious.txt  []  Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
  T1059_capsh-shell-invocation-linux.txt  [T1059]  Capsh Shell Invocation - Linux
  T1071.001_chafer-malware-url-pattern.txt  [T1071.001]  Chafer Malware URL Pattern
  T1546.001_change-default-file-association-to-executable-via-assoc.txt  [T1546.001]  Change Default File Association To Executable Via Assoc
  T1112_change-user-account-associated-with-the-fax-service.txt  [T1112]  Change User Account Associated with the FAX Service
  T1685.001_change-winevt-channel-access-permission-via-registry.txt  [T1685.001]  Change Winevt Channel Access Permission Via Registry
  T1112_change-the-fax-dll.txt  [T1112]  Change the Fax Dll
  T1078.004_changes-to-pim-settings.txt  [T1078.004]  Changes To PIM Settings
  T1484_changes-to-device-registration-policy.txt  [T1484]  Changes to Device Registration Policy
  T1018_chopper-webshell-process-pattern.txt  [T1018,T1033,T1087,T1505.003]  Chopper Webshell Process Pattern
  T1053.005_chromeloader-malware-execution.txt  [T1053.005,T1059.001,T1176]  ChromeLoader Malware Execution
  chromium-browser-headless-execution-to-mockbin-like-site.txt  []  Chromium Browser Headless Execution To Mockbin Like Site
  T1190_cisco-asa-exploitation-activity-proxy.txt  [T1190]  Cisco ASA Exploitation Activity - Proxy
  T1190_cisco-asa-ftd-exploit-cve-2020-3452.txt  [T1190]  Cisco ASA FTD Exploit CVE-2020-3452
  T1070.003_cisco-clear-logs.txt  [T1070.003]  Cisco Clear Logs
  T1552.004_cisco-crypto-commands.txt  [T1552.004,T1553.004]  Cisco Crypto Commands
  T1685_cisco-disabling-logging.txt  [T1685]  Cisco Disabling Logging
  T1098_cisco-local-accounts.txt  [T1098,T1136.001]  Cisco Local Accounts
  T1070_clearing-windows-console-history.txt  [T1070,T1070.003]  Clearing Windows Console History
  T1059.001_cmd-exe-missing-space-characters-execution-anomaly.txt  [T1059.001]  Cmd.EXE Missing Space Characters Execution Anomaly
  T1218.011_cobaltstrike-load-by-rundll32.txt  [T1218.011]  CobaltStrike Load by Rundll32
  T1055_cobaltstrike-named-pipe-patterns.txt  [T1055]  CobaltStrike Named Pipe Patterns
  T1021.002_cobaltstrike-service-installations-security.txt  [T1021.002,T1543.003,T1569.002]  CobaltStrike Service Installations - Security
  T1137.006_code-executed-via-office-add-in-xll-file.txt  [T1137.006]  Code Executed Via Office Add-in XLL File
  T1574.006_code-injection-by-ld-so-preload.txt  [T1574.006]  Code Injection by ld.so Preload
  T1543_codeintegrity-blocked-driver-load-with-revoked-certificate.txt  [T1543]  CodeIntegrity - Blocked Driver Load With Revoked Certificate
  codeintegrity-blocked-image-load-with-revoked-certificate.txt  []  CodeIntegrity - Blocked Image Load With Revoked Certificate
  T1543_codeintegrity-blocked-image-driver-load-for-policy-violation.txt  [T1543]  CodeIntegrity - Blocked Image/Driver Load For Policy Violation
  codeintegrity-disallowed-file-for-protected-processes-has-be.txt  []  CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
  codeintegrity-revoked-image-loaded.txt  []  CodeIntegrity - Revoked Image Loaded
  codeintegrity-revoked-kernel-driver-loaded.txt  []  CodeIntegrity - Revoked Kernel Driver Loaded
  codeintegrity-unmet-whql-requirements-for-loaded-kernel-modu.txt  []  CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
  codeintegrity-unsigned-image-loaded.txt  []  CodeIntegrity - Unsigned Image Loaded
  codeintegrity-unsigned-kernel-module-loaded.txt  []  CodeIntegrity - Unsigned Kernel Module Loaded
  T1071.001_comrat-network-communication.txt  [T1071.001]  ComRAT Network Communication
  T1565.001_commands-to-clear-or-remove-the-syslog-builtin.txt  [T1565.001]  Commands to Clear or Remove the Syslog - Builtin
  T1090_communication-to-localtonet-tunneling-service-initiated.txt  [T1090,T1102,T1572]  Communication To LocaltoNet Tunneling Service Initiated
  T1090_communication-to-localtonet-tunneling-service-initiated-linu.txt  [T1090,T1102,T1572]  Communication To LocaltoNet Tunneling Service Initiated - Linux
  T1090_communication-to-ngrok-tunneling-service-linux.txt  [T1090,T1102,T1567,T1568.002,T1572]  Communication To Ngrok Tunneling Service - Linux
  T1090_communication-to-ngrok-tunneling-service-initiated.txt  [T1090,T1102,T1567,T1568.002,T1572]  Communication To Ngrok Tunneling Service Initiated
  T1190_commvault-qlogin-argument-injection-authentication-bypass-cv.txt  [T1190]  Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
  T1505.003_commvault-qoperation-path-traversal-webshell-drop-cve-2025-5.txt  [T1505.003]  Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
  T1059.003_conhost-exe-commandline-path-traversal.txt  [T1059.003]  Conhost.exe CommandLine Path Traversal
  T1560_conti-ntds-exfiltration-command.txt  [T1560]  Conti NTDS Exfiltration Command
  T1587.001_conti-volume-shadow-listing.txt  [T1587.001]  Conti Volume Shadow Listing
  T1218.002_control-panel-items.txt  [T1218.002,T1546]  Control Panel Items
  copy-dmp-dump-files-from-remote-share-via-cmd-exe.txt  []  Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
  T1490_copy-from-volumeshadowcopy-via-cmd-exe.txt  [T1490]  Copy From VolumeShadowCopy Via Cmd.EXE
  T1552.001_copy-passwd-or-shadow-from-tmp-path.txt  [T1552.001]  Copy Passwd Or Shadow From TMP Path
  T1003.002_copying-sensitive-files-with-credential-data.txt  [T1003.002,T1003.003]  Copying Sensitive Files with Credential Data
  T1003.003_create-volume-shadow-copy-with-powershell.txt  [T1003.003]  Create Volume Shadow Copy with Powershell
  T1003.001_createdump-process-dump.txt  [T1003.001,T1036]  CreateDump Process Dump
  T1547.009_creation-exe-for-service-with-unquoted-path.txt  [T1547.009]  Creation Exe for Service with Unquoted Path
  T1136.001_creation-of-a-local-hidden-user-account-by-registry.txt  [T1136.001]  Creation of a Local Hidden User Account by Registry
  T1003.001_cred-dump-tools-dropped-files.txt  [T1003.001,T1003.002,T1003.003,T1003.004,T1003.005]  Cred Dump Tools Dropped Files
  T1003.001_credential-dumping-activity-by-python-based-tool.txt  [T1003.001]  Credential Dumping Activity By Python Based Tool
  T1548_credential-dumping-attempt-via-svchost.txt  [T1548]  Credential Dumping Attempt Via Svchost
  T1003.001_credential-dumping-attempt-via-werfault.txt  [T1003.001]  Credential Dumping Attempt Via WerFault
  T1003.001_credential-dumping-tools-service-execution-security.txt  [T1003.001,T1003.002,T1003.004,T1003.005,T1003.006,T1569.002]  Credential Dumping Tools Service Execution - Security
  T1003.001_credential-dumping-tools-service-execution-system.txt  [T1003.001,T1003.002,T1003.004,T1003.005,T1003.006,T1569.002]  Credential Dumping Tools Service Execution - System
  T1552.001_credentials-in-files.txt  [T1552.001]  Credentials In Files
  T1552.001_credentials-in-files-linux.txt  [T1552.001]  Credentials In Files - Linux
  T1003.002_critical-hive-in-suspicious-location-access-bits-cleared.txt  [T1003.002]  Critical Hive In Suspicious Location Access Bits Cleared
  T1189_cross-site-scripting-strings.txt  [T1189]  Cross Site Scripting Strings
  T1071.001_crypto-miner-user-agent.txt  [T1071.001]  Crypto Miner User Agent
  T1027.004_csc-exe-execution-form-potentially-suspicious-parent.txt  [T1027.004,T1059.005,T1059.007,T1218.005]  Csc.EXE Execution From Potentially Suspicious Parent
  T1059.005_cscript-wscript-uncommon-script-extension-execution.txt  [T1059.005,T1059.007]  Cscript/Wscript Uncommon Script Extension Execution
  T1105_curl-download-and-execute-combination.txt  [T1105,T1218]  Curl Download And Execute Combination
  T1202_custom-file-open-handler-executes-powershell.txt  [T1202]  Custom File Open Handler Executes PowerShell
  T1021.002_dcom-internetexplorer-application-iertutil-dll-hijack-securi.txt  [T1021.002,T1021.003]  DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
  T1505.003_dewmode-webshell-access.txt  [T1505.003]  DEWMODE Webshell Access
  T1112_dhcp-callout-dll-installation.txt  [T1112,T1574.001]  DHCP Callout DLL Installation
  T1574.001_dhcp-server-error-failed-loading-the-callout-dll.txt  [T1574.001]  DHCP Server Error Failed Loading the CallOut DLL
  T1574.001_dhcp-server-loaded-the-callout-dll.txt  [T1574.001]  DHCP Server Loaded the CallOut DLL
  T1547.008_dll-load-via-lsass.txt  [T1547.008]  DLL Load via LSASS
  T1218.003_dll-loaded-from-suspicious-location-via-cmspt-exe.txt  [T1218.003]  DLL Loaded From Suspicious Location Via Cmstp.EXE
  T1574.001_dll-search-order-hijackig-via-additional-space-in-path.txt  [T1574.001]  DLL Search Order Hijacking Via Additional Space in Path
  T1574.001_dll-sideloading-of-shellchromeapi-dll.txt  [T1574.001]  DLL Sideloading Of ShellChromeAPI.DLL
  T1574.001_dll-sideloading-by-vmware-xfer-utility.txt  [T1574.001]  DLL Sideloading by VMware Xfer Utility
  T1048.001_dns-exfiltration-and-tunneling-tools-execution.txt  [T1048.001,T1071.004,T1132.001]  DNS Exfiltration and Tunneling Tools Execution
  T1554_dns-hybridconnectionmanager-service-bus.txt  [T1554]  DNS HybridConnectionManager Service Bus
  T1071.004_dns-query-to-katz-stealer-domains.txt  [T1071.004]  DNS Query To Katz Stealer Domains
  T1071.004_dns-query-to-katz-stealer-domains-network.txt  [T1071.004]  DNS Query To Katz Stealer Domains - Network
  T1090.003_dns-query-tor-onion-address-sysmon.txt  [T1090.003]  DNS Query Tor .Onion Address - Sysmon
  T1059.003_dns-query-by-finger-utility.txt  [T1059.003,T1071.004]  DNS Query by Finger Utility
  T1567.002_dns-query-for-anonfiles-com-domain-dns-client.txt  [T1567.002]  DNS Query for Anonfiles.com Domain - DNS Client
  T1567.002_dns-query-for-anonfiles-com-domain-sysmon.txt  [T1567.002]  DNS Query for Anonfiles.com Domain - Sysmon
  T1190_dns-query-to-external-service-interaction-domains.txt  [T1190,T1595.002]  DNS Query to External Service Interaction Domains
  T1574.001_dns-server-error-failed-loading-the-serverlevelplugindll.txt  [T1574.001]  DNS Server Error Failed Loading the ServerLevelPluginDLL
  T1071.004_dns-txt-answer-with-possible-execution-strings.txt  [T1071.004]  DNS TXT Answer with Possible Execution Strings
  T1552.004_dpapi-backup-keys-and-certificate-export-activity-ioc.txt  [T1552.004,T1555]  DPAPI Backup Keys And Certificate Export Activity IOC
  T1003.004_dpapi-domain-backup-key-extraction.txt  [T1003.004]  DPAPI Domain Backup Key Extraction
  dprk-threat-actor-c2-communication-dns-indicators.txt  []  DPRK Threat Actor - C2 Communication DNS Indicators
  T1059.001_dsinternals-suspicious-powershell-cmdlets.txt  [T1059.001]  DSInternals Suspicious PowerShell Cmdlets
  T1059.001_dsinternals-suspicious-powershell-cmdlets-scriptblock.txt  [T1059.001]  DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
  T1059_darkgate-autoit3-exe-execution-parameters.txt  [T1059]  DarkGate - Autoit3.EXE Execution Parameters
  T1136.001_darkgate-user-created-via-net-exe.txt  [T1136.001]  DarkGate - User Created Via Net.EXE
  default-cobalt-strike-certificate.txt  []  Default Cobalt Strike Certificate
  T1547.010_default-rdp-port-changed-to-non-standard-port.txt  [T1547.010]  Default RDP Port Changed to Non Standard Port
  T1528_delegated-permissions-granted-for-all-users.txt  [T1528]  Delegated Permissions Granted For All Users
  T1489_delete-all-scheduled-tasks.txt  [T1489]  Delete All Scheduled Tasks
  T1489_delete-important-scheduled-task.txt  [T1489]  Delete Important Scheduled Task
  T1490_delete-volume-shadow-copies-via-wmi-with-powershell.txt  [T1490]  Delete Volume Shadow Copies Via WMI With PowerShell
  T1490_deletion-of-volume-shadow-copies-via-wmi-with-powershell.txt  [T1490]  Deletion of Volume Shadow Copies via WMI with PowerShell
  T1490_deletion-of-volume-shadow-copies-via-wmi-with-powershell-ps.txt  [T1490]  Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
  T1543.003_deny-service-access-using-security-descriptor-tampering-via.txt  [T1543.003]  Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
  T1543.003_devcon-execution-disabling-vmware-vmci-device.txt  [T1543.003,T1685]  Devcon Execution Disabling VMware VMCI Device
  devil-bait-potential-c2-communication-traffic.txt  []  Devil Bait Potential C2 Communication Traffic
  T1218_devtoolslauncher-exe-executes-specified-binary.txt  [T1218]  Devtoolslauncher.exe Executes Specified Binary
  T1203_dfsvc-exe-initiated-network-connection-over-uncommon-port.txt  [T1203]  Dfsvc.EXE Initiated Network Connection Over Uncommon Port
  T1202_diagnostic-library-sdiageng-dll-loaded-by-msdt-exe.txt  [T1202]  Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  T1574.001_diamond-sleet-apt-dll-sideloading-indicators.txt  [T1574.001]  Diamond Sleet APT DLL Sideloading Indicators
  diamond-sleet-apt-dns-communication-indicators.txt  []  Diamond Sleet APT DNS Communication Indicators
  diamond-sleet-apt-file-creation-indicators.txt  []  Diamond Sleet APT File Creation Indicators
  diamond-sleet-apt-process-activity-indicators.txt  []  Diamond Sleet APT Process Activity Indicators
  T1685_diamond-sleet-apt-scheduled-task-creation-registry.txt  [T1685]  Diamond Sleet APT Scheduled Task Creation - Registry
  T1556_directory-service-restore-mode-dsrm-registry-value-tampering.txt  [T1556]  Directory Service Restore Mode(DSRM) Registry Value Tampering
  T1489_disable-important-scheduled-task.txt  [T1489]  Disable Important Scheduled Task
  disable-macro-runtime-scan-scope.txt  []  Disable Macro Runtime Scan Scope
  T1685_disable-pua-protection-on-windows-defender.txt  [T1685]  Disable PUA Protection on Windows Defender
  T1070.003_disable-powershell-command-history.txt  [T1070.003]  Disable Powershell Command History
  T1112_disable-security-events-logging-adding-reg-key-minint.txt  [T1112,T1685.001]  Disable Security Events Logging Adding Reg Key MiniNt
  T1686_disable-system-firewall.txt  [T1686]  Disable System Firewall
  T1685_disable-windows-defender-av-security-monitoring.txt  [T1685]  Disable Windows Defender AV Security Monitoring
  T1685_disable-windows-defender-functionalities-via-registry-keys.txt  [T1685]  Disable Windows Defender Functionalities Via Registry Keys
  T1685.001_disable-windows-iis-http-logging.txt  [T1685.001]  Disable Windows IIS HTTP Logging
  T1070_disable-of-etw-trace-powershell.txt  [T1070,T1685]  Disable of ETW Trace - Powershell
  T1685_disable-windowsoptionalfeature-command-powershell.txt  [T1685]  Disable-WindowsOptionalFeature Command PowerShell
  T1685_disabled-ie-security-features.txt  [T1685]  Disabled IE Security Features
  T1685_disabled-volume-snapshots.txt  [T1685]  Disabled Volume Snapshots
  T1685_disabled-windows-defender-eventlog.txt  [T1685]  Disabled Windows Defender Eventlog
  T1556.006_disabling-multi-factor-authentication.txt  [T1556.006]  Disabling Multi Factor Authentication
  T1685_disabling-windows-defender-wmi-autologger-session-via-reg-ex.txt  [T1685]  Disabling Windows Defender WMI Autologger Session via Reg.exe
  T1087.004_discovery-using-azurehound.txt  [T1087.004,T1526]  Discovery Using AzureHound
  T1055_dotnet-clr-dll-loaded-by-scripting-applications.txt  [T1055]  DotNet CLR DLL Loaded By Scripting Applications
  driver-added-to-disallowed-images-in-hvci-registry.txt  []  Driver Added To Disallowed Images In HVCI - Registry
  T1543.003_driver-load-from-a-temporary-directory.txt  [T1543.003]  Driver Load From A Temporary Directory
  T1003.002_dumping-of-sensitive-hives-via-reg-exe.txt  [T1003.002,T1003.004,T1003.005]  Dumping of Sensitive Hives Via Reg.EXE
  T1059.012_esxi-admin-permission-assigned-to-account-via-esxcli.txt  [T1059.012,T1098]  ESXi Admin Permission Assigned To Account Via ESXCLI
  T1112_etw-logging-disabled-in-net-processes-registry.txt  [T1112,T1685]  ETW Logging Disabled In .NET Processes - Registry
  T1112_etw-logging-disabled-in-net-processes-sysmon-registry.txt  [T1112,T1685]  ETW Logging Disabled In .NET Processes - Sysmon Registry
  T1685_etw-logging-tamper-in-net-processes-via-commandline.txt  [T1685]  ETW Logging Tamper In .NET Processes Via CommandLine
  T1070_etw-trace-evasion-activity.txt  [T1070,T1685]  ETW Trace Evasion Activity
  email-exifiltration-via-powershell.txt  []  Email Exfiltration Via Powershell
  T1059.006_emotet-loader-execution-via-lnk-file.txt  [T1059.006]  Emotet Loader Execution Via .LNK File
  T1112_enable-lm-hash-storage.txt  [T1112]  Enable LM Hash Storage
  T1112_enable-lm-hash-storage-proccreation.txt  [T1112]  Enable LM Hash Storage - ProcCreation
  T1098_enabled-user-right-in-ad-to-control-user-objects.txt  [T1098]  Enabled User Right in AD to Control User Objects
  T1041_equation-group-c2-communication.txt  [T1041]  Equation Group C2 Communication
  T1059.004_equation-group-indicators.txt  [T1059.004]  Equation Group Indicators
  T1003.002_esentutl-volume-shadow-copy-service-keys.txt  [T1003.002]  Esentutl Volume Shadow Copy Service Keys
  T1190_exchange-exploitation-used-by-hafnium.txt  [T1190]  Exchange Exploitation Used by HAFNIUM
  T1070_exchange-powershell-cmdlet-history-deleted.txt  [T1070]  Exchange PowerShell Cmdlet History Deleted
  T1059.001_exchange-powershell-snap-ins-usage.txt  [T1059.001,T1114]  Exchange PowerShell Snap-Ins Usage
  T1190_exchange-proxyshell-pattern.txt  [T1190]  Exchange ProxyShell Pattern
  T1505.003_exchange-set-oabvirtualdirectory-externalurl-property.txt  [T1505.003]  Exchange Set OabVirtualDirectory ExternalUrl Property
  T1218_execute-pcwrun-exe-to-leverage-follina.txt  [T1218]  Execute Pcwrun.EXE To Leverage Follina
  T1218_execution-dll-of-choice-using-wab-exe.txt  [T1218]  Execution DLL of Choice Using WAB.EXE
  T1059.001_execution-of-powershell-script-in-public-folder.txt  [T1059.001]  Execution of Powershell Script in Public Folder
  T1218_execution-via-workfolders-exe.txt  [T1218]  Execution via WorkFolders.exe
  T1218_execution-via-stordiag-exe.txt  [T1218]  Execution via stordiag.exe
  T1071.001_exploit-framework-user-agent.txt  [T1071.001]  Exploit Framework User Agent
  T1190_exploitation-activity-of-cve-2025-59287-wsus-deserialization.txt  [T1190,T1203]  Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
  T1190_exploitation-activity-of-cve-2025-59287-wsus-suspicious-chil.txt  [T1190,T1203]  Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
  T1210_exploitation-attempt-of-cve-2020-1472-execution-of-zerologon.txt  [T1210]  Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  T1210_exploitation-attempt-of-cve-2023-46214-using-public-poc-code.txt  [T1210]  Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
  exploitation-indicator-of-cve-2022-42475.txt  []  Exploitation Indicator Of CVE-2022-42475
  exploitation-indicators-of-cve-2023-20198.txt  []  Exploitation Indicators Of CVE-2023-20198
  T1190_exploitation-of-cve-2021-26814-in-wazuh.txt  [T1190]  Exploitation of CVE-2021-26814 in Wazuh
  T1059.001_exploited-cve-2020-10189-zoho-manageengine.txt  [T1059.001,T1059.003,T1190]  Exploited CVE-2020-10189 Zoho ManageEngine
  T1059.003_exploiting-setupcomplete-cmd-cve-2019-1378.txt  [T1059.003,T1068,T1574]  Exploiting SetupComplete.cmd CVE-2019-1378
  T1548.002_explorer-nouaccheck-flag.txt  [T1548.002]  Explorer NOUACCHECK Flag
  T1012_exports-critical-registry-keys-to-a-file.txt  [T1012]  Exports Critical Registry Keys To a File
  T1564.004_exports-registry-key-to-an-alternate-data-stream.txt  [T1564.004]  Exports Registry Key To an Alternate Data Stream
  T1078_external-remote-smb-logon-from-public-ip.txt  [T1078,T1110,T1133]  External Remote SMB Logon from Public IP
  T1505.002_failed-msexchange-transport-agent-installation.txt  [T1505.002]  Failed MSExchange Transport Agent Installation
  T1059.001_fakeupdates-socgholish-activity.txt  [T1059.001]  FakeUpdates/SocGholish Activity
  T1574.001_fax-service-dll-search-order-hijack.txt  [T1574.001]  Fax Service DLL Search Order Hijack
  T1547.001_file-creation-in-suspicious-directory-by-msdt-exe.txt  [T1547.001]  File Creation In Suspicious Directory By Msdt.EXE
  file-creation-related-to-rat-clients.txt  []  File Creation Related To RAT Clients
  T1027_file-decoded-from-base64-hex-via-certutil-exe.txt  [T1027]  File Decoded From Base64/Hex Via Certutil.EXE
  T1105_file-download-and-execution-via-ieexec-exe.txt  [T1105]  File Download And Execution Via IEExec.EXE
  T1105_file-download-from-ip-based-url-via-certoc-exe.txt  [T1105]  File Download From IP Based URL Via CertOC.EXE
  T1105_file-download-using-notepad-gup-utility.txt  [T1105]  File Download Using Notepad++ GUP Utility
  T1036.003_file-download-via-bitsadmin-to-a-suspicious-target-folder.txt  [T1036.003,T1105,T1197]  File Download Via Bitsadmin To A Suspicious Target Folder
  T1105_file-download-via-windows-defender-mpcmprun-exe.txt  [T1105,T1218]  File Download Via Windows Defender MpCmpRun.EXE
  T1105_file-download-with-headless-browser.txt  [T1105,T1564.003]  File Download with Headless Browser
  file-encryption-decryption-via-gpg4win-from-suspicious-locat.txt  []  File Encryption/Decryption Via Gpg4win From Suspicious Locations
  T1135_file-explorer-folder-opened-using-explorer-folder-shortcut-v.txt  [T1135]  File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  T1027_file-in-suspicious-location-encoded-to-base64-via-certutil-e.txt  [T1027]  File In Suspicious Location Encoded To Base64 Via Certutil.EXE
  T1036.003_file-with-suspicious-extension-downloaded-via-bitsadmin.txt  [T1036.003,T1105,T1197]  File With Suspicious Extension Downloaded Via Bitsadmin
  T1204.002_file-with-uncommon-extension-created-by-an-office-applicatio.txt  [T1204.002]  File With Uncommon Extension Created By An Office Application
  T1204.004_filefix-command-evidence-in-typedpaths.txt  [T1204.004]  FileFix - Command Evidence in TypedPaths
  T1552.006_findstr-gpp-passwords.txt  [T1552.006]  Findstr GPP Passwords
  T1105_finger-exe-execution.txt  [T1105]  Finger.EXE Execution
  T1218.011_fireball-archer-install.txt  [T1218.011]  Fireball Archer Install
  T1021.002_first-time-seen-remote-named-pipe.txt  [T1021.002]  First Time Seen Remote Named Pipe
  T1021.002_first-time-seen-remote-named-pipe-zeek.txt  [T1021.002]  First Time Seen Remote Named Pipe - Zeek
  T1036.005_flash-player-update-from-suspicious-location.txt  [T1036.005,T1189,T1204.002]  Flash Player Update from Suspicious Location
  T1685_folder-removed-from-exploit-guard-protectedfolders-list-regi.txt  [T1685]  Folder Removed From Exploit Guard ProtectedFolders List - Registry
  T1547.001_forest-blizzard-apt-custom-protocol-handler-creation.txt  [T1547.001]  Forest Blizzard APT - Custom Protocol Handler Creation
  T1547.001_forest-blizzard-apt-custom-protocol-handler-dll-registry-set.txt  [T1547.001]  Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  T1685.001_forest-blizzard-apt-file-creation-activity.txt  [T1685.001]  Forest Blizzard APT - File Creation Activity
  forest-blizzard-apt-process-creation-activity.txt  []  Forest Blizzard APT - Process Creation Activity
  T1036_forfiles-exe-child-process-masquerading.txt  [T1036]  Forfiles.EXE Child Process Masquerading
  T1587.001_formbook-process-creation.txt  [T1587.001]  Formbook Process Creation
  T1070_fsutil-suspicious-invocation.txt  [T1070,T1485]  Fsutil Suspicious Invocation
  T1486_funklocker-ransomware-file-creation.txt  [T1486]  FunkLocker Ransomware File Creation
  T1204.002_gac-dll-loaded-via-office-applications.txt  [T1204.002]  GAC DLL Loaded Via Office Applications
  T1071_gallium-artefacts-builtin.txt  [T1071]  GALLIUM Artefacts - Builtin
  T1071_gallium-iocs.txt  [T1071,T1212]  GALLIUM IOCs
  T1556_github-high-risk-configuration-disabled.txt  [T1556]  Github High Risk Configuration Disabled
  T1685_github-push-protection-disabled.txt  [T1685]  Github Push Protection Disabled
  T1685_github-secret-scanning-feature-disabled.txt  [T1685]  Github Secret Scanning Feature Disabled
  goofy-guineapig-backdoor-ioc.txt  []  Goofy Guineapig Backdoor IOC
  goofy-guineapig-backdoor-potential-c2-communication.txt  []  Goofy Guineapig Backdoor Potential C2 Communication
  T1046_grixba-malware-reconnaissance-activity.txt  [T1046,T1595.001]  Grixba Malware Reconnaissance Activity
  T1212_guacamole-two-users-sharing-session-anomaly.txt  [T1212]  Guacamole Two Users Sharing Session Anomaly
  T1068_hktl-sharpsuccessor-privilege-escalation-tool-execution.txt  [T1068]  HKTL - SharpSuccessor Privilege Escalation Tool Execution
  T1047_html-help-hh-exe-suspicious-child-process.txt  [T1047,T1059.001,T1059.003,T1059.005,T1059.007,T1218,T1218.001,T1218.010,T1218.011,T1566,T1566.001]  HTML Help HH.EXE Suspicious Child Process
  T1505.004_http-logging-disabled-on-iis-server.txt  [T1505.004,T1685.001]  HTTP Logging Disabled On IIS Server
  T1110_hack-tool-user-agent.txt  [T1110,T1190]  Hack Tool User Agent
  T1557.001_hacktool-adcspwn-execution.txt  [T1557.001]  HackTool - ADCSPwn Execution
  T1059.001_hacktool-bloodhound-sharphound-execution.txt  [T1059.001,T1069.001,T1069.002,T1087.001,T1087.002,T1482]  HackTool - Bloodhound/Sharphound Execution
  T1649_hacktool-certify-execution.txt  [T1649]  HackTool - Certify Execution
  T1649_hacktool-certipy-execution.txt  [T1649]  HackTool - Certipy Execution
  T1106_hacktool-cobaltstrike-bof-injection-pattern.txt  [T1106,T1685]  HackTool - CobaltStrike BOF Injection Pattern
  T1071.001_hacktool-cobaltstrike-malleable-profile-patterns-proxy.txt  [T1071.001]  HackTool - CobaltStrike Malleable Profile Patterns - Proxy
  T1055_hacktool-coercedpotato-execution.txt  [T1055]  HackTool - CoercedPotato Execution
  T1055_hacktool-coercedpotato-named-pipe-creation.txt  [T1055]  HackTool - CoercedPotato Named Pipe Creation
  T1059.001_hacktool-covenant-powershell-launcher.txt  [T1059.001,T1564.003]  HackTool - Covenant PowerShell Launcher
  T1047_hacktool-crackmapexec-execution.txt  [T1047,T1053,T1059.001,T1059.003,T1110,T1201]  HackTool - CrackMapExec Execution
  T1047_hacktool-crackmapexec-execution-patterns.txt  [T1047,T1053,T1059.001,T1059.003]  HackTool - CrackMapExec Execution Patterns
  T1003.001_hacktool-crackmapexec-file-indicators.txt  [T1003.001]  HackTool - CrackMapExec File Indicators
  T1027.005_hacktool-crackmapexec-powershell-obfuscation.txt  [T1027.005,T1059.001]  HackTool - CrackMapExec PowerShell Obfuscation
  T1003.001_hacktool-crackmapexec-process-patterns.txt  [T1003.001]  HackTool - CrackMapExec Process Patterns
  T1003.001_hacktool-createminidump-execution.txt  [T1003.001]  HackTool - CreateMiniDump Execution
  T1053.005_hacktool-default-powersploit-empire-scheduled-task-creation.txt  [T1053.005,T1059.001]  HackTool - Default PowerSploit/Empire Scheduled Task Creation
  T1003.001_hacktool-doppelanger-lsass-dumper-execution.txt  [T1003.001]  HackTool - Doppelanger LSASS Dumper Execution
  T1685_hacktool-edrsilencer-execution.txt  [T1685]  HackTool - EDRSilencer Execution
  T1685_hacktool-edrsilencer-execution-filter-added.txt  [T1685]  HackTool - EDRSilencer Execution - Filter Added
  T1055_hacktool-efspotato-named-pipe-creation.txt  [T1055]  HackTool - EfsPotato Named Pipe Creation
  T1059.001_hacktool-empire-powershell-launch-parameters.txt  [T1059.001]  HackTool - Empire PowerShell Launch Parameters
  T1071.001_hacktool-empire-useragent-uri-combo.txt  [T1071.001]  HackTool - Empire UserAgent URI Combo
  hacktool-evil-winrm-execution-powershell-module.txt  []  HackTool - Evil-WinRm Execution - PowerShell Module
  hacktool-gmer-rootkit-detector-and-remover-execution.txt  []  HackTool - GMER Rootkit Detector and Remover Execution
  T1003.001_hacktool-generic-process-access.txt  [T1003.001]  HackTool - Generic Process Access
  T1003.001_hacktool-handlekatz-duplicating-lsass-handle.txt  [T1003.001,T1106]  HackTool - HandleKatz Duplicating LSASS Handle
  T1003.001_hacktool-handlekatz-lsass-dumper-execution.txt  [T1003.001]  HackTool - HandleKatz LSASS Dumper Execution
  T1110.002_hacktool-hashcat-password-cracker-execution.txt  [T1110.002]  HackTool - Hashcat Password Cracker Execution
  T1055.012_hacktool-hollowreaper-execution.txt  [T1055.012]  HackTool - HollowReaper Execution
  T1090_hacktool-htran-natbypass-execution.txt  [T1090]  HackTool - Htran/NATBypass Execution
  T1110_hacktool-hydra-password-bruteforce-execution.txt  [T1110,T1110.001]  HackTool - Hydra Password Bruteforce Execution
  T1003.001_hacktool-impacket-file-indicators.txt  [T1003.001]  HackTool - Impacket File Indicators
  T1557.001_hacktool-impacket-tools-execution.txt  [T1557.001]  HackTool - Impacket Tools Execution
  T1059.003_hacktool-koadic-execution.txt  [T1059.003,T1059.005,T1059.007]  HackTool - Koadic Execution
  T1558.003_hacktool-krbrelay-execution.txt  [T1558.003]  HackTool - KrbRelay Execution
  T1550.003_hacktool-krbrelayup-execution.txt  [T1550.003,T1558.003]  HackTool - KrbRelayUp Execution
  T1055.003_hacktool-littlecorporal-generated-maldoc-injection.txt  [T1055.003,T1204.002]  HackTool - LittleCorporal Generated Maldoc Injection
  hacktool-localpotato-execution.txt  []  HackTool - LocalPotato Execution
  T1003.001_hacktool-mimikatz-execution.txt  [T1003.001,T1003.002,T1003.004,T1003.005,T1003.006]  HackTool - Mimikatz Execution
  hacktool-nppspy-hacktool-usage.txt  []  HackTool - NPPSpy Hacktool Usage
  T1018_hacktool-netexec-execution.txt  [T1018,T1021]  HackTool - NetExec Execution
  T1021.002_hacktool-netexec-file-indicators.txt  [T1021.002,T1059.005]  HackTool - NetExec File Indicators
  T1134_hacktool-nofilter-execution.txt  [T1134,T1134.001]  HackTool - NoFilter Execution
  T1007_hacktool-pchunter-execution.txt  [T1007,T1012,T1057,T1082,T1083]  HackTool - PCHunter Execution
  T1134.004_hacktool-ppid-spoofing-selectmyparent-tool-execution.txt  [T1134.004]  HackTool - PPID Spoofing SelectMyParent Tool Execution
  T1055.001_hacktool-potential-cobaltstrike-process-injection.txt  [T1055.001]  HackTool - Potential CobaltStrike Process Injection
  T1021.003_hacktool-potential-impacket-lateral-movement-activity.txt  [T1021.003,T1047]  HackTool - Potential Impacket Lateral Movement Activity
  T1003_hacktool-potential-remote-credential-dumping-activity-via-cr.txt  [T1003]  HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
  T1685_hacktool-powertool-execution.txt  [T1685]  HackTool - PowerTool Execution
  T1574.001_hacktool-powerup-write-hijack-dll.txt  [T1574.001]  HackTool - Powerup Write Hijack DLL
  T1003.002_hacktool-pypykatz-credentials-dumping-activity.txt  [T1003.002]  HackTool - Pypykatz Credentials Dumping Activity
  T1003.002_hacktool-quarks-pwdump-execution.txt  [T1003.002]  HackTool - Quarks PwDump Execution
  T1059.003_hacktool-redmimicry-winnti-playbook-execution.txt  [T1059.003,T1106,T1218.011]  HackTool - RedMimicry Winnti Playbook Execution
  T1558.003_hacktool-remotekrbrelay-execution.txt  [T1558.003]  HackTool - RemoteKrbRelay Execution
  T1219.002_hacktool-remotekrbrelay-smb-relay-secrets-dump-module-indica.txt  [T1219.002]  HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  T1003_hacktool-rubeus-execution-scriptblock.txt  [T1003,T1550.003,T1558.003]  HackTool - Rubeus Execution - ScriptBlock
  T1071_hacktool-silenttrinity-stager-dll-load.txt  [T1071]  HackTool - SILENTTRINITY Stager DLL Load
  T1071_hacktool-silenttrinity-stager-execution.txt  [T1071]  HackTool - SILENTTRINITY Stager Execution
  T1087_hacktool-soaphound-execution.txt  [T1087]  HackTool - SOAPHound Execution
  T1003.001_hacktool-safetykatz-dump-indicator.txt  [T1003.001]  HackTool - SafetyKatz Dump Indicator
  T1053_hacktool-sharpersist-execution.txt  [T1053]  HackTool - SharPersist Execution
  T1090.001_hacktool-sharpchisel-execution.txt  [T1090.001]  HackTool - SharpChisel Execution
  T1134.001_hacktool-sharpdpapi-execution.txt  [T1134.001,T1134.003]  HackTool - SharpDPAPI Execution
  T1685.001_hacktool-sharpevtmute-dll-load.txt  [T1685.001]  HackTool - SharpEvtMute DLL Load
  T1685.001_hacktool-sharpevtmute-execution.txt  [T1685.001]  HackTool - SharpEvtMute Execution
  T1134.001_hacktool-sharpimpersonation-execution.txt  [T1134.001,T1134.003]  HackTool - SharpImpersonation Execution
  T1033_hacktool-sharpldapwhoami-execution.txt  [T1033]  HackTool - SharpLdapWhoami Execution
  T1021.002_hacktool-sharpmove-tool-execution.txt  [T1021.002]  HackTool - SharpMove Tool Execution
  T1033_hacktool-sharpview-execution.txt  [T1033,T1049,T1069.002,T1135,T1482]  HackTool - SharpView Execution
  T1210_hacktool-sharpwsus-wsuspendu-execution.txt  [T1210]  HackTool - SharpWSUS/WSUSpendu Execution
  T1059_hacktool-stracciatella-execution.txt  [T1059,T1685]  HackTool - Stracciatella Execution
  T1685.001_hacktool-sysmonente-execution.txt  [T1685.001]  HackTool - SysmonEnte Execution
  T1482_hacktool-trufflesnout-execution.txt  [T1482]  HackTool - TruffleSnout Execution
  T1552.001_hacktool-typical-hivenightmare-sam-file-export.txt  [T1552.001]  HackTool - Typical HiveNightmare SAM File Export
  T1548.002_hacktool-uacme-akagi-execution.txt  [T1548.002]  HackTool - UACMe Akagi Execution
  T1003.001_hacktool-wsass-execution.txt  [T1003.001]  HackTool - WSASS Execution
  T1046_hacktool-winpwn-execution.txt  [T1046,T1082,T1106,T1518,T1548.002,T1552.001,T1555,T1555.003]  HackTool - WinPwn Execution
  T1046_hacktool-winpwn-execution-scriptblock.txt  [T1046,T1082,T1106,T1518,T1548.002,T1552.001,T1555,T1555.003]  HackTool - WinPwn Execution - ScriptBlock
  hacktool-wmiexec-default-powershell-command.txt  []  HackTool - Wmiexec Default Powershell Command
  T1003.001_hacktool-xordump-execution.txt  [T1003.001,T1036]  HackTool - XORDump Execution
  T1046_hacktool-winpeas-execution.txt  [T1046,T1082,T1087]  HackTool - winPEAS Execution
  T1564.004_hacktool-named-file-stream-created.txt  [T1564.004]  HackTool Named File Stream Created
  T1569.002_hacktool-service-registration-or-execution.txt  [T1569.002]  HackTool Service Registration or Execution
  T1685_hacktool-edr-freeze-execution.txt  [T1685]  Hacktool - EDR-Freeze Execution
  T1003_hacktool-execution-pe-metadata.txt  [T1003,T1588.002]  Hacktool Execution - PE Metadata
  T1059_hacktool-ruler.txt  [T1059,T1087,T1114,T1550.002]  Hacktool Ruler
  T1021.001_hermetic-wiper-tg-process-patterns.txt  [T1021.001]  Hermetic Wiper TG Process Patterns
  T1136.001_hidden-local-user-creation.txt  [T1136.001]  Hidden Local User Creation
  T1685_hide-schedule-task-via-index-value-tamper.txt  [T1685]  Hide Schedule Task Via Index Value Tamper
  T1564.002_hiding-user-account-via-specialaccounts-registry-key.txt  [T1564.002]  Hiding User Account Via SpecialAccounts Registry Key
  T1219.002_hijack-legit-rdp-session-to-move-laterally.txt  [T1219.002]  Hijack Legit RDP Session to Move Laterally
  T1565.001_history-file-deletion.txt  [T1565.001]  History File Deletion
  T1554_hybridconnectionmanager-service-installation.txt  [T1554]  HybridConnectionManager Service Installation
  T1608_hybridconnectionmanager-service-installation-registry.txt  [T1608]  HybridConnectionManager Service Installation - Registry
  T1554_hybridconnectionmanager-service-running.txt  [T1554]  HybridConnectionManager Service Running
  T1685_hypervisor-enforced-paging-translation-disabled.txt  [T1685]  Hypervisor Enforced Paging Translation Disabled
  T1685_hypervisor-protected-code-integrity-hvci-related-registry-ta.txt  [T1685]  Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr_2.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  T1566.001_iso-file-created-within-temp-folders.txt  [T1566.001]  ISO File Created Within Temp Folders
  T1218.011_icedid-malware-suspicious-single-digit-dll-execution-via-run.txt  [T1218.011]  IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  imagingdevices-unusual-parent-child-processes.txt  []  ImagingDevices Unusual Parent/Child Processes
  T1021.002_impacket-psexec-execution.txt  [T1021.002]  Impacket PsExec Execution
  T1489_important-scheduled-task-deleted-or-disabled.txt  [T1489]  Important Scheduled Task Deleted or Disabled
  T1053.005_important-scheduled-task-deleted-disabled.txt  [T1053.005]  Important Scheduled Task Deleted/Disabled
  T1685.001_important-windows-event-auditing-disabled.txt  [T1685.001]  Important Windows Event Auditing Disabled
  T1685.005_important-windows-eventlog-cleared.txt  [T1685.005]  Important Windows Eventlog Cleared
  important-windows-service-terminated-unexpectedly.txt  []  Important Windows Service Terminated Unexpectedly
  important-windows-service-terminated-with-error.txt  []  Important Windows Service Terminated With Error
  T1112_imports-registry-key-from-an-ads.txt  [T1112]  Imports Registry Key From an ADS
  T1078_impossible-travel.txt  [T1078]  Impossible Travel
  T1055_injected-browser-process-spawning-rundll32-guloader-activity.txt  [T1055]  Injected Browser Process Spawning Rundll32 - GuLoader Activity
  T1059_inline-python-execution-spawn-shell-via-os-system-library.txt  [T1059]  Inline Python Execution - Spawn Shell Via OS System Library
  T1059_installation-of-wsl-kali-linux.txt  [T1059]  Installation of WSL Kali-Linux
  T1053.002_interactive-at-job.txt  [T1053.002]  Interactive AT Job
  T1078_invalid-pim-license.txt  [T1078]  Invalid PIM License
  T1027_invoke-obfuscation-clip-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher
  T1027_invoke-obfuscation-clip-launcher-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher - PowerShell
  T1027_invoke-obfuscation-clip-launcher-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
  T1027_invoke-obfuscation-clip-launcher-security.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher - Security
  T1027_invoke-obfuscation-clip-launcher-system.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher - System
  T1027_invoke-obfuscation-obfuscated-iex-invocation.txt  [T1027,T1059.001]  Invoke-Obfuscation Obfuscated IEX Invocation
  T1027_invoke-obfuscation-obfuscated-iex-invocation-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
  T1027_invoke-obfuscation-obfuscated-iex-invocation-powershell-modu.txt  [T1027,T1059.001]  Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
  T1027_invoke-obfuscation-obfuscated-iex-invocation-security.txt  [T1027]  Invoke-Obfuscation Obfuscated IEX Invocation - Security
  T1027_invoke-obfuscation-obfuscated-iex-invocation-system.txt  [T1027]  Invoke-Obfuscation Obfuscated IEX Invocation - System
  T1027_invoke-obfuscation-stdin-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher
  T1027_invoke-obfuscation-stdin-launcher-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
  T1027_invoke-obfuscation-stdin-launcher-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher - Powershell
  T1027_invoke-obfuscation-stdin-launcher-security.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher - Security
  T1027_invoke-obfuscation-stdin-launcher-system.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher - System
  T1027_invoke-obfuscation-var-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher
  T1027_invoke-obfuscation-var-launcher-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher - PowerShell
  T1027_invoke-obfuscation-var-launcher-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher - PowerShell Module
  T1027_invoke-obfuscation-var-launcher-security.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher - Security
  T1027_invoke-obfuscation-var-launcher-system.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher - System
  T1027_invoke-obfuscation-var-launcher-obfuscation.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  T1027_invoke-obfuscation-var-launcher-obfuscation-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
  T1027_invoke-obfuscation-var-launcher-obfuscation-powershell-modul.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
  T1027_invoke-obfuscation-var-launcher-obfuscation-security.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
  T1027_invoke-obfuscation-var-launcher-obfuscation-system.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
  T1027_invoke-obfuscation-via-stdin.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin
  T1027_invoke-obfuscation-via-stdin-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin - PowerShell Module
  T1027_invoke-obfuscation-via-stdin-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin - Powershell
  T1027_invoke-obfuscation-via-stdin-security.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin - Security
  T1027_invoke-obfuscation-via-stdin-system.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin - System
  T1027_invoke-obfuscation-via-use-clip.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip
  T1027_invoke-obfuscation-via-use-clip-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip - PowerShell Module
  T1027_invoke-obfuscation-via-use-clip-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip - Powershell
  T1027_invoke-obfuscation-via-use-clip-security.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip - Security
  T1027_invoke-obfuscation-via-use-clip-system.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip - System
  T1027_invoke-obfuscation-via-use-mshta.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA
  T1027_invoke-obfuscation-via-use-mshta-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA - PowerShell
  T1027_invoke-obfuscation-via-use-mshta-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA - PowerShell Module
  T1027_invoke-obfuscation-via-use-mshta-security.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA - Security
  T1027_invoke-obfuscation-via-use-mshta-system.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA - System
  T1027_invoke-obfuscation-via-use-rundll32-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Rundll32 - PowerShell
  T1027_invoke-obfuscation-via-use-rundll32-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
  T1027_invoke-obfuscation-via-use-rundll32-security.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Rundll32 - Security
  T1027_invoke-obfuscation-via-use-rundll32-system.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Rundll32 - System
  T1190_jndiexploit-pattern.txt  [T1190]  JNDIExploit Pattern
  T1059.002_jxa-in-memory-execution-via-osascript.txt  [T1059.002,T1059.007]  JXA In-memory Execution Via OSAScript
  T1190_java-payload-strings.txt  [T1190]  Java Payload Strings
  T1059.004_jexboss-command-sequence.txt  [T1059.004]  JexBoss Command Sequence
  T1059.001_kalambur-backdoor-curl-tor-socks-proxy-execution.txt  [T1059.001,T1071.001,T1090,T1573]  Kalambur Backdoor Curl TOR SOCKS Proxy Execution
  T1547.001_kapeka-backdoor-autorun-persistence.txt  [T1547.001]  Kapeka Backdoor Autorun Persistence
  T1218.011_kapeka-backdoor-execution-via-rundll32-exe.txt  [T1218.011]  Kapeka Backdoor Execution Via RunDLL32.EXE
  T1204.002_kapeka-backdoor-loaded-via-rundll32-exe.txt  [T1204.002,T1218.011]  Kapeka Backdoor Loaded Via Rundll32.EXE
  T1053.005_kapeka-backdoor-persistence-activity.txt  [T1053.005]  Kapeka Backdoor Persistence Activity
  T1053.005_kapeka-backdoor-scheduled-task-creation.txt  [T1053.005]  Kapeka Backdoor Scheduled Task Creation
  T1685_kaspersky-endpoint-security-stopped-via-commandline-linux.txt  [T1685]  Kaspersky Endpoint Security Stopped Via CommandLine - Linux
  T1129_katz-stealer-dll-loaded.txt  [T1129]  Katz Stealer DLL Loaded
  T1071.001_katz-stealer-suspicious-user-agent.txt  [T1071.001]  Katz Stealer Suspicious User-Agent
  T1127_kavremover-dropped-binary-lolbin-usage.txt  [T1127]  Kavremover Dropped Binary LOLBIN Usage
  T1212_kerberos-manipulation.txt  [T1212]  Kerberos Manipulation
  kernel-memory-dump-via-livekd.txt  []  Kernel Memory Dump Via LiveKD
  T1543_krbrelayup-service-installation.txt  [T1543]  KrbRelayUp Service Installation
  T1036.003_lol-binary-copied-from-system-directory.txt  [T1036.003]  LOL-Binary Copied From System Directory
  T1190_lpe-installerfiletakeover-poc-cve-2021-41379.txt  [T1190]  LPE InstallerFileTakeOver PoC CVE-2021-41379
  T1003.001_lsass-access-detected-via-attack-surface-reduction.txt  [T1003.001]  LSASS Access Detected via Attack Surface Reduction
  T1003.001_lsass-access-from-potentially-white-listed-processes.txt  [T1003.001]  LSASS Access From Potentially White-Listed Processes
  T1499_lsass-crash-via-netlogon-stack-buffer-overflow-cve-2026-4108.txt  [T1499]  LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
  T1003.001_lsass-dump-keyword-in-commandline.txt  [T1003.001]  LSASS Dump Keyword In CommandLine
  T1003.001_lsass-memory-access-by-tool-with-dump-keyword-in-name.txt  [T1003.001]  LSASS Memory Access by Tool With Dump Keyword In Name
  T1003.001_lsass-process-crashed-application.txt  [T1003.001]  LSASS Process Crashed - Application
  T1003.001_lsass-process-dump-artefact-in-crashdumps-folder.txt  [T1003.001]  LSASS Process Dump Artefact In CrashDumps Folder
  T1003.001_lsass-process-memory-dump-creation-via-taskmgr-exe.txt  [T1003.001]  LSASS Process Memory Dump Creation Via Taskmgr.EXE
  T1003.001_lsass-process-memory-dump-files.txt  [T1003.001]  LSASS Process Memory Dump Files
  T1552.006_lsass-process-reconnaissance-via-findstr-exe.txt  [T1552.006]  LSASS Process Reconnaissance Via Findstr.EXE
  lace-tempest-cobalt-strike-download.txt  []  Lace Tempest Cobalt Strike Download
  lace-tempest-file-indicators.txt  []  Lace Tempest File Indicators
  lace-tempest-malware-loader-execution.txt  []  Lace Tempest Malware Loader Execution
  T1059.001_lace-tempest-powershell-evidence-eraser.txt  [T1059.001]  Lace Tempest PowerShell Evidence Eraser
  T1059.001_lace-tempest-powershell-launcher.txt  [T1059.001]  Lace Tempest PowerShell Launcher
  T1574.001_lazarus-apt-dll-sideloading-activity.txt  [T1574.001]  Lazarus APT DLL Sideloading Activity
  T1036.005_lazarus-system-binary-masquerading.txt  [T1036.005]  Lazarus System Binary Masquerading
  T1218_legitimate-application-dropped-archive.txt  [T1218]  Legitimate Application Dropped Archive
  T1218_legitimate-application-dropped-executable.txt  [T1218]  Legitimate Application Dropped Executable
  T1218_legitimate-application-dropped-script.txt  [T1218]  Legitimate Application Dropped Script
  T1105_legitimate-application-writing-files-in-uncommon-location.txt  [T1105,T1218]  Legitimate Application Writing Files In Uncommon Location
  T1070.003_linux-command-history-tampering.txt  [T1070.003]  Linux Command History Tampering
  T1496_linux-crypto-mining-indicators.txt  [T1496]  Linux Crypto Mining Indicators
  T1496_linux-crypto-mining-pool-connections.txt  [T1496]  Linux Crypto Mining Pool Connections
  T1587_linux-hacktool-execution.txt  [T1587]  Linux HackTool Execution
  T1003_linux-keylogging-with-pam-d.txt  [T1003,T1056.001]  Linux Keylogging with Pam.d
  T1552.001_linux-recon-indicators.txt  [T1552.001,T1592.004]  Linux Recon Indicators
  T1059_linux-suspicious-child-process-from-node-js-react2shell.txt  [T1059,T1190]  Linux Suspicious Child Process from Node.js - React2Shell
  T1505.003_linux-webshell-indicators.txt  [T1505.003]  Linux Webshell Indicators
  T1195.002_litellm-teampcp-supply-chain-attack-indicators.txt  [T1195.002,T1543.002,T1560.001]  LiteLLM / TeamPCP Supply Chain Attack Indicators
  T1003_live-memory-dump-using-powershell.txt  [T1003]  Live Memory Dump Using Powershell
  livekd-driver-creation-by-uncommon-process.txt  []  LiveKD Driver Creation By Uncommon Process
  livekd-kernel-memory-dump-file-created.txt  []  LiveKD Kernel Memory Dump File Created
  T1486_load-of-rstrtmgr-dll-by-a-suspicious-process.txt  [T1486,T1685]  Load Of RstrtMgr.DLL By A Suspicious Process
  loading-diagcab-package-from-remote-path.txt  []  Loading Diagcab Package From Remote Path
  T1547.006_loading-of-kernel-module-via-insmod.txt  [T1547.006]  Loading of Kernel Module via Insmod
  T1557.001_local-privilege-escalation-indicator-tabtip.txt  [T1557.001]  Local Privilege Escalation Indicator TabTip
  T1190_log4j-rce-cve-2021-44228-generic.txt  [T1190]  Log4j RCE CVE-2021-44228 Generic
  T1190_log4j-rce-cve-2021-44228-in-fields.txt  [T1190]  Log4j RCE CVE-2021-44228 in Fields
  T1685_logging-configuration-changes-on-linux-host.txt  [T1685]  Logging Configuration Changes on Linux Host
  T1105_lolbas-onedrivestandaloneupdater-exe-proxy-download.txt  [T1105]  Lolbas OneDriveStandaloneUpdater.exe Proxy Download
  T1003.001_lsass-full-dump-request-via-dumptype-registry-settings.txt  [T1003.001]  Lsass Full Dump Request Via DumpType Registry Settings
  T1003.001_lsass-memory-dump-via-comsvcs-dll.txt  [T1003.001]  Lsass Memory Dump via Comsvcs DLL
  T1055_lummac-stealer-activity-execution-of-more-com-and-vbc-exe.txt  [T1055]  Lummac Stealer Activity - Execution Of More.com And Vbc.exe
  T1059.001_mercury-apt-activity.txt  [T1059.001]  MERCURY APT Activity
  T1036.002_mmc-executing-files-with-reversed-extensions-using-rtlo-abus.txt  [T1036.002,T1204.002,T1218.014]  MMC Executing Files with Reversed Extensions Using RTLO Abuse
  T1021.003_mmc-spawning-windows-shell.txt  [T1021.003]  MMC Spawning Windows Shell
  T1021.003_mmc20-lateral-movement.txt  [T1021.003]  MMC20 Lateral Movement
  T1505.003_moveit-cve-2023-34362-exploitation-attempt-potential-web-she.txt  [T1505.003]  MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
  T1218_msdt-execution-via-answer-file.txt  [T1218]  MSDT Execution Via Answer File
  T1059.007_mshta-execution-with-suspicious-file-extensions.txt  [T1059.007,T1140,T1218.005]  MSHTA Execution with Suspicious File Extensions
  msmq-corrupted-packet-encountered.txt  []  MSMQ Corrupted Packet Encountered
  mssql-add-account-to-sysadmin-role.txt  []  MSSQL Add Account To Sysadmin Role
  mssql-disable-audit-settings.txt  []  MSSQL Disable Audit Settings
  T1546_mssql-extended-stored-procedure-backdoor-maggie.txt  [T1546]  MSSQL Extended Stored Procedure Backdoor Maggie
  mssql-spprocoption-set.txt  []  MSSQL SPProcoption Set
  mssql-xpcmdshell-option-change.txt  []  MSSQL XPCmdshell Option Change
  mssql-xpcmdshell-suspicious-execution.txt  []  MSSQL XPCmdshell Suspicious Execution
  T1112_macro-enabled-in-a-potentially-suspicious-document.txt  [T1112]  Macro Enabled In A Potentially Suspicious Document
  T1059.001_malicious-base64-encoded-powershell-keywords-in-command-line.txt  [T1059.001]  Malicious Base64 Encoded PowerShell Keywords in Command Lines
  T1574.001_malicious-dll-file-dropped-in-the-teams-or-onedrive-folder.txt  [T1574.001]  Malicious DLL File Dropped in the Teams or OneDrive Folder
  T1068_malicious-driver-load.txt  [T1068,T1543.003]  Malicious Driver Load
  T1090_malicious-ip-address-sign-in-failure-rate.txt  [T1090]  Malicious IP Address Sign-In Failure Rate
  T1090_malicious-ip-address-sign-in-suspicious.txt  [T1090]  Malicious IP Address Sign-In Suspicious
  T1059.001_malicious-nishang-powershell-commandlets.txt  [T1059.001]  Malicious Nishang PowerShell Commandlets
  T1059.001_malicious-powershell-commandlets-poshmodule.txt  [T1059.001,T1069,T1069.001,T1069.002,T1087,T1087.001,T1087.002,T1482]  Malicious PowerShell Commandlets - PoshModule
  T1059.001_malicious-powershell-commandlets-processcreation.txt  [T1059.001,T1069,T1069.001,T1069.002,T1087,T1087.001,T1087.002,T1482]  Malicious PowerShell Commandlets - ProcessCreation
  T1059.001_malicious-powershell-commandlets-scriptblock.txt  [T1059.001,T1069,T1069.001,T1069.002,T1087,T1087.001,T1087.002,T1482]  Malicious PowerShell Commandlets - ScriptBlock
  T1059.001_malicious-powershell-scripts-filecreation.txt  [T1059.001]  Malicious PowerShell Scripts - FileCreation
  T1059.001_malicious-powershell-scripts-poshmodule.txt  [T1059.001]  Malicious PowerShell Scripts - PoshModule
  T1059.001_malicious-shellintel-powershell-commandlets.txt  [T1059.001]  Malicious ShellIntel PowerShell Commandlets
  T1078_malicious-usage-of-imds-credentials-outside-of-aws-infrastru.txt  [T1078,T1078.002]  Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
  T1055_malware-shellcode-in-verclsid-target-process.txt  [T1055]  Malware Shellcode in Verclsid Target Process
  T1071.001_malware-user-agent.txt  [T1071.001]  Malware User Agent
  T1055.001_manageengine-endpoint-central-dctask64-exe-potential-abuse.txt  [T1055.001]  ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
  T1653_mask-system-power-settings-via-systemctl.txt  [T1653]  Mask System Power Settings Via Systemctl
  T1055.001_mavinject-inject-dll-into-running-process.txt  [T1055.001,T1218.013]  Mavinject Inject DLL Into Running Process
  T1021.002_metasploit-or-impacket-service-installation-via-smb-psexec.txt  [T1021.002,T1569.002,T1570]  Metasploit Or Impacket Service Installation Via SMB PsExec
  T1021.002_metasploit-smb-authentication.txt  [T1021.002]  Metasploit SMB Authentication
  T1134.001_meterpreter-or-cobalt-strike-getsystem-service-installation.txt  [T1134.001,T1134.002]  Meterpreter or Cobalt Strike Getsystem Service Installation - Security
  T1134.001_meterpreter-or-cobalt-strike-getsystem-service-installation_2.txt  [T1134.001,T1134.002]  Meterpreter or Cobalt Strike Getsystem Service Installation - System
  T1574.001_microsoft-defender-blocked-from-loading-unsigned-dll.txt  [T1574.001]  Microsoft Defender Blocked from Loading Unsigned DLL
  T1685_microsoft-defender-tamper-protection-trigger.txt  [T1685]  Microsoft Defender Tamper Protection Trigger
  T1003_microsoft-iis-connection-strings-decryption.txt  [T1003]  Microsoft IIS Connection Strings Decryption
  T1003_microsoft-iis-service-account-password-dumped.txt  [T1003]  Microsoft IIS Service Account Password Dumped
  T1211_microsoft-malware-protection-engine-crash.txt  [T1211,T1685]  Microsoft Malware Protection Engine Crash
  T1211_microsoft-malware-protection-engine-crash-wer.txt  [T1211,T1685]  Microsoft Malware Protection Engine Crash - WER
  T1574.001_microsoft-office-dll-sideload.txt  [T1574.001]  Microsoft Office DLL Sideload
  T1685_microsoft-office-protected-view-disabled.txt  [T1685]  Microsoft Office Protected View Disabled
  T1003.006_mimikatz-dc-sync.txt  [T1003.006]  Mimikatz DC Sync
  T1003.001_mimikatz-use.txt  [T1003.001,T1003.002,T1003.004,T1003.006]  Mimikatz Use
  mint-sandstorm-log4j-wstomcat-process-execution.txt  []  Mint Sandstorm - Log4J Wstomcat Process Execution
  T1574.006_modification-of-ld-so-preload.txt  [T1574.006]  Modification of ld.so.preload
  T1020_modification-or-deletion-of-an-aws-rds-cluster.txt  [T1020]  Modification or Deletion of an AWS RDS Cluster
  T1496_monero-crypto-coin-mining-pool-lookup.txt  [T1496,T1567]  Monero Crypto Coin Mining Pool Lookup
  T1218_mpiexec-lolbin.txt  [T1218]  MpiExec Lolbin
  mshtml-dll-runhtmlapplication-suspicious-usage.txt  []  Mshtml.DLL RunHTMLApplication Suspicious Usage
  mstsc-exe-execution-from-uncommon-parent.txt  []  Mstsc.EXE Execution From Uncommon Parent
  T1587.001_mustang-panda-dropper.txt  [T1587.001]  Mustang Panda Dropper
  T1112_net-ngenassemblyusagelog-registry-key-tamper.txt  [T1112]  NET NGenAssemblyUsageLog Registry Key Tamper
  T1003.003_ntds-exfiltration-filename-patterns.txt  [T1003.003]  NTDS Exfiltration Filename Patterns
  T1003.003_ntds-dit-creation-by-uncommon-parent-process.txt  [T1003.003]  NTDS.DIT Creation By Uncommon Parent Process
  T1003.002_ntds-dit-creation-by-uncommon-process.txt  [T1003.002,T1003.003]  NTDS.DIT Creation By Uncommon Process
  T1059.001_ntfs-alternate-data-stream.txt  [T1059.001,T1564.004]  NTFS Alternate Data Stream
  T1499.001_ntfs-vulnerability-exploitation.txt  [T1499.001]  NTFS Vulnerability Exploitation
  T1187_ntlm-hash-leak-via-curl-ntlm-authentication.txt  [T1187]  NTLM Hash Leak Via Curl NTLM Authentication
  T1547.001_narrator-s-feedback-hub-persistence.txt  [T1547.001]  Narrator's Feedback-Hub Persistence
  T1059.001_net-webclient-casing-anomalies.txt  [T1059.001]  Net WebClient Casing Anomalies
  T1112_netntlm-downgrade-attack.txt  [T1112,T1685]  NetNTLM Downgrade Attack
  T1112_netntlm-downgrade-attack-registry.txt  [T1112,T1685]  NetNTLM Downgrade Attack - Registry
  T1105_network-communication-initiated-to-file-sharing-domains-from.txt  [T1105]  Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
  T1496_network-communication-with-crypto-mining-pool.txt  [T1496]  Network Communication With Crypto Mining Pool
  T1218_network-connection-initiated-by-addinutil-exe.txt  [T1218]  Network Connection Initiated By AddinUtil.EXE
  T1203_network-connection-initiated-by-eqnedt32-exe.txt  [T1203]  Network Connection Initiated By Eqnedt32.EXE
  T1105_network-connection-initiated-by-imewdbld-exe.txt  [T1105]  Network Connection Initiated By IMEWDBLD.EXE
  T1105_network-connection-initiated-from-process-located-in-potenti.txt  [T1105]  Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
  T1055_network-connection-initiated-via-notepad-exe.txt  [T1055]  Network Connection Initiated Via Notepad.EXE
  T1059.003_network-connection-initiated-via-finger-exe.txt  [T1059.003,T1071.004]  Network Connection Initiated via Finger.EXE
  T1082_network-reconnaissance-activity.txt  [T1082,T1087]  Network Reconnaissance Activity
  T1546.003_new-activescripteventconsumer-created-via-wmic-exe.txt  [T1546.003]  New ActiveScriptEventConsumer Created Via Wmic.EXE
  T1078_new-country.txt  [T1078]  New Country
  T1112_new-dns-serverlevelplugindll-installed.txt  [T1112,T1574.001]  New DNS ServerLevelPluginDll Installed
  T1112_new-dns-serverlevelplugindll-installed-via-dnscmd-exe.txt  [T1112,T1574.001]  New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
  new-file-association-using-exefile.txt  []  New File Association Using Exefile
  T1686.003_new-firewall-rule-added-in-windows-firewall-exception-list-f.txt  [T1686.003]  New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
  T1546.007_new-netsh-helper-dll-registered-from-a-suspicious-location.txt  [T1546.007]  New Netsh Helper DLL Registered From A Suspicious Location
  T1547.001_new-run-key-pointing-to-suspicious-folder.txt  [T1547.001]  New RUN Key Pointing to Suspicious Folder
  T1547.003_new-timeproviders-registered-with-uncommon-dll-name.txt  [T1547.003]  New TimeProviders Registered With Uncommon DLL Name
  T1136.001_new-user-created-via-net-exe-with-never-expire-option.txt  [T1136.001]  New User Created Via Net.EXE With Never Expire Option
  T1499.004_nginx-core-dump.txt  [T1499.004]  Nginx Core Dump
  T1090_ngrok-usage-with-remote-desktop-service.txt  [T1090]  Ngrok Usage with Remote Desktop Service
  T1068_non-standard-nsswitch-conf-creation-potential-cve-2025-32463.txt  [T1068]  Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
  T1112_non-privileged-usage-of-reg-or-powershell.txt  [T1112]  Non-privileged Usage of Reg or Powershell
  ntdllpipe-like-activity-execution.txt  []  NtdllPipe Like Activity Execution
  T1021.006_omigod-http-no-authentication-rce-cve-2021-38647.txt  [T1021.006,T1068,T1190,T1203,T1210]  OMIGOD HTTP No Authentication RCE - CVE-2021-38647
  T1068_omigod-scx-runasprovider-executescript.txt  [T1068,T1190,T1203]  OMIGOD SCX RunAsProvider ExecuteScript
  T1068_omigod-scx-runasprovider-executeshellcommand.txt  [T1068,T1190,T1203]  OMIGOD SCX RunAsProvider ExecuteShellCommand
  T1059.002_osacompile-run-only-execution.txt  [T1059.002]  OSACompile Run-Only Execution
  T1027.010_obfuscated-powershell-msi-install-via-windowsinstaller-com.txt  [T1027.010,T1059.001,T1218.007]  Obfuscated PowerShell MSI Install via WindowsInstaller COM
  T1059.001_obfuscated-powershell-oneliner-execution.txt  [T1059.001,T1685]  Obfuscated PowerShell OneLiner Execution
  T1195_octopus-scanner-malware.txt  [T1195,T1195.001]  Octopus Scanner Malware
  T1218.008_odbcconf-exe-suspicious-dll-location.txt  [T1218.008]  Odbcconf.EXE Suspicious DLL Location
  T1566.001_office-macro-file-creation-from-suspicious-process.txt  [T1566.001]  Office Macro File Creation From Suspicious Process
  T1112_office-macros-warning-disabled.txt  [T1112]  Office Macros Warning Disabled
  T1566_okta-fastpass-phishing-detection.txt  [T1566]  Okta FastPass Phishing Detection
  T1078.004_okta-new-admin-console-behaviours.txt  [T1078.004]  Okta New Admin Console Behaviours
  T1586.003_okta-suspicious-activity-reported-by-end-user.txt  [T1586.003]  Okta Suspicious Activity Reported by End-user
  T1685_okta-user-session-start-via-an-anonymising-proxy-service.txt  [T1685]  Okta User Session Start Via An Anonymising Proxy Service
  T1218.001_onenote-exe-execution-of-malicious-embedded-scripts.txt  [T1218.001]  OneNote.EXE Execution of Malicious Embedded Scripts
  onyx-sleet-apt-file-creation-indicators.txt  []  Onyx Sleet APT File Creation Indicators
  T1021_opencanary-ftp-login-attempt.txt  [T1021,T1190]  OpenCanary - FTP Login Attempt
  T1213_opencanary-git-clone-request.txt  [T1213]  OpenCanary - GIT Clone Request
  T1190_opencanary-http-get-request.txt  [T1190]  OpenCanary - HTTP GET Request
  T1190_opencanary-http-post-login-attempt.txt  [T1190]  OpenCanary - HTTP POST Login Attempt
  T1090_opencanary-httpproxy-login-attempt.txt  [T1090]  OpenCanary - HTTPPROXY Login Attempt
  T1046_opencanary-host-port-scan-syn-scan.txt  [T1046]  OpenCanary - Host Port Scan (SYN Scan)
  T1003_opencanary-mssql-login-attempt-via-sqlauth.txt  [T1003,T1213]  OpenCanary - MSSQL Login Attempt Via SQLAuth
  T1003_opencanary-mssql-login-attempt-via-windows-authentication.txt  [T1003,T1213]  OpenCanary - MSSQL Login Attempt Via Windows Authentication
  T1003_opencanary-mysql-login-attempt.txt  [T1003,T1213]  OpenCanary - MySQL Login Attempt
  T1046_opencanary-nmap-fin-scan.txt  [T1046]  OpenCanary - NMAP FIN Scan
  T1046_opencanary-nmap-null-scan.txt  [T1046]  OpenCanary - NMAP NULL Scan
  T1046_opencanary-nmap-os-scan.txt  [T1046]  OpenCanary - NMAP OS Scan
  T1046_opencanary-nmap-xmas-scan.txt  [T1046]  OpenCanary - NMAP XMAS Scan
  T1498_opencanary-ntp-monlist-request.txt  [T1498]  OpenCanary - NTP Monlist Request
  T1021.001_opencanary-rdp-new-connection-attempt.txt  [T1021.001,T1133]  OpenCanary - RDP New Connection Attempt
  T1003_opencanary-redis-action-command-attempt.txt  [T1003,T1213]  OpenCanary - REDIS Action Command Attempt
  T1123_opencanary-sip-request.txt  [T1123]  OpenCanary - SIP Request
  T1005_opencanary-smb-file-open-request.txt  [T1005,T1021]  OpenCanary - SMB File Open Request
  T1016_opencanary-snmp-oid-request.txt  [T1016,T1021]  OpenCanary - SNMP OID Request
  T1021_opencanary-ssh-login-attempt.txt  [T1021,T1078,T1133]  OpenCanary - SSH Login Attempt
  T1021_opencanary-ssh-new-connection-attempt.txt  [T1021,T1078,T1133]  OpenCanary - SSH New Connection Attempt
  T1041_opencanary-tftp-request.txt  [T1041]  OpenCanary - TFTP Request
  T1078_opencanary-telnet-login-attempt.txt  [T1078,T1133]  OpenCanary - Telnet Login Attempt
  T1021_opencanary-vnc-connection-attempt.txt  [T1021]  OpenCanary - VNC Connection Attempt
  T1218_openwith-exe-executes-specified-binary.txt  [T1218]  OpenWith.exe Executes Specified Binary
  T1012_operation-wocao-activity.txt  [T1012,T1027,T1036.004,T1053.005,T1059.001]  Operation Wocao Activity
  T1012_operation-wocao-activity-security.txt  [T1012,T1027,T1036.004,T1053.005,T1059.001]  Operation Wocao Activity - Security
  T1059.003_operator-bloopers-cobalt-strike-commands.txt  [T1059.003]  Operator Bloopers Cobalt Strike Commands
  T1059.003_operator-bloopers-cobalt-strike-modules.txt  [T1059.003]  Operator Bloopers Cobalt Strike Modules
  T1190_oracle-weblogic-exploit-cve-2020-14882.txt  [T1190]  Oracle WebLogic Exploit CVE-2020-14882
  T1218.003_outbound-network-connection-initiated-by-cmstp-exe.txt  [T1218.003]  Outbound Network Connection Initiated By Cmstp.EXE
  T1071.001_outbound-network-connection-initiated-by-microsoft-dialer.txt  [T1071.001]  Outbound Network Connection Initiated By Microsoft Dialer
  T1105_outbound-network-connection-initiated-by-script-interpreter.txt  [T1105]  Outbound Network Connection Initiated By Script Interpreter
  T1195.001_outdated-dependency-or-vulnerability-alert-disabled.txt  [T1195.001]  Outdated Dependency Or Vulnerability Alert Disabled
  T1059_outlook-enableunsafeclientmailrules-setting-enabled.txt  [T1059,T1202]  Outlook EnableUnsafeClientMailRules Setting Enabled
  T1112_outlook-enableunsafeclientmailrules-setting-enabled-registry.txt  [T1112]  Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
  T1008_outlook-macro-execution-without-warning-setting-enabled.txt  [T1008,T1137,T1546]  Outlook Macro Execution Without Warning Setting Enabled
  T1059_pcre-net-package-image-load.txt  [T1059]  PCRE.NET Package Image Load
  T1059_pcre-net-package-temp-files.txt  [T1059]  PCRE.NET Package Temp Files
  pdf-file-created-by-regedit-exe.txt  []  PDF File Created By RegEdit.EXE
  T1078_pim-alert-setting-changes-to-disabled.txt  [T1078]  PIM Alert Setting Changes To Disabled
  T1078.004_pim-approvals-and-deny-elevation.txt  [T1078.004]  PIM Approvals And Deny Elevation
  T1003.001_ppl-tampering-via-werfaultsecure.txt  [T1003.001,T1685]  PPL Tampering Via WerFaultSecure
  T1059.001_psasyncshell-asynchronous-tcp-reverse-shell.txt  [T1059.001]  PSAsyncShell - Asynchronous TCP Reverse Shell
  T1136.002_psexec-remote-execution-file-artefact.txt  [T1136.002,T1543.003,T1570]  PSEXEC Remote Execution File Artefact
  T1047_psexec-and-wmi-process-creations-block.txt  [T1047,T1569.002]  PSExec and WMI Process Creations Block
  T1572_pua-3proxy-execution.txt  [T1572]  PUA - 3Proxy Execution
  T1018_pua-adfind-suspicious-execution.txt  [T1018,T1069.002,T1087.002,T1482]  PUA - AdFind Suspicious Execution
  T1134.002_pua-advancedrun-suspicious-execution.txt  [T1134.002]  PUA - AdvancedRun Suspicious Execution
  T1090.001_pua-chisel-tunneling-tool-execution.txt  [T1090.001]  PUA - Chisel Tunneling Tool Execution
  T1685_pua-cleanwipe-execution.txt  [T1685]  PUA - CleanWipe Execution
  T1590.001_pua-crassus-execution.txt  [T1590.001]  PUA - Crassus Execution
  T1569.002_pua-csexec-execution.txt  [T1569.002,T1587.001]  PUA - CsExec Execution
  T1003.003_pua-dit-snapshot-viewer.txt  [T1003.003]  PUA - DIT Snapshot Viewer
  T1027.005_pua-defendercheck-execution.txt  [T1027.005]  PUA - DefenderCheck Execution
  T1090_pua-fast-reverse-proxy-frp-execution.txt  [T1090]  PUA - Fast Reverse Proxy (FRP) Execution
  T1543.003_pua-kernel-driver-utility-kdu-execution.txt  [T1543.003]  PUA - Kernel Driver Utility (KDU) Execution
  T1003_pua-memory-dump-mount-via-memprocfs.txt  [T1003,T1003.001,T1003.002,T1003.004]  PUA - Memory Dump Mount Via MemProcFS
  T1090_pua-nps-tunneling-tool-execution.txt  [T1090]  PUA - NPS Tunneling Tool Execution
  T1569.002_pua-nsudo-execution.txt  [T1569.002]  PUA - NSudo Execution
  T1095_pua-netcat-suspicious-execution.txt  [T1095]  PUA - Netcat Suspicious Execution
  T1572_pua-ngrok-execution.txt  [T1572]  PUA - Ngrok Execution
  T1105_pua-nimgrab-execution.txt  [T1105]  PUA - Nimgrab Execution
  T1569.002_pua-nircmd-execution-as-local-system.txt  [T1569.002]  PUA - NirCmd Execution As LOCAL SYSTEM
  T1595_pua-pingcastle-execution-from-potentially-suspicious-parent.txt  [T1595]  PUA - PingCastle Execution From Potentially Suspicious Parent
  T1543_pua-process-hacker-driver-load.txt  [T1543]  PUA - Process Hacker Driver Load
  T1567.002_pua-rclone-execution.txt  [T1567.002]  PUA - Rclone Execution
  T1048_pua-restic-backup-tool-execution.txt  [T1048,T1567.002]  PUA - Restic Backup Tool Execution
  T1569.002_pua-runxcmd-execution.txt  [T1569.002]  PUA - RunXCmd Execution
  T1083_pua-seatbelt-execution.txt  [T1083,T1087,T1526]  PUA - Seatbelt Execution
  T1087.002_pua-suspicious-activedirectory-enumeration-via-adfind-exe.txt  [T1087.002]  PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
  T1059_pua-wsudo-suspicious-execution.txt  [T1059]  PUA - Wsudo Suspicious Execution
  T1090_pua-iox-tunneling-tool-execution.txt  [T1090]  PUA - IOX Tunneling Tool Execution
  papercut-mf-ng-exploitation-related-indicators.txt  []  PaperCut MF/NG Exploitation Related Indicators
  papercut-mf-ng-potential-exploitation.txt  []  PaperCut MF/NG Potential Exploitation
  T1098_password-change-on-directory-service-restore-mode-dsrm-accou.txt  [T1098]  Password Change on Directory Service Restore Mode (DSRM) Account
  T1003.001_password-dumper-activity-on-lsass.txt  [T1003.001]  Password Dumper Activity on LSASS
  T1003.001_password-dumper-remote-thread-in-lsass.txt  [T1003.001]  Password Dumper Remote Thread in LSASS
  T1027_password-protected-zip-file-opened-email-attachment.txt  [T1027,T1566.001]  Password Protected ZIP File Opened (Email Attachment)
  T1027_password-protected-zip-file-opened-suspicious-filenames.txt  [T1027,T1036,T1105]  Password Protected ZIP File Opened (Suspicious Filenames)
  T1110_password-spray-activity.txt  [T1110]  Password Spray Activity
  peach-sandstorm-apt-process-activity-indicators.txt  []  Peach Sandstorm APT Process Activity Indicators
  persistence-via-hhctrl-ocx.txt  []  Persistence Via Hhctrl.ocx
  T1053.005_persistence-and-execution-at-scale-via-gpo-scheduled-task.txt  [T1053.005]  Persistence and Execution at Scale via GPO Scheduled Task
  T1187_petitpotam-suspicious-kerberos-tgt-request.txt  [T1187]  PetitPotam Suspicious Kerberos TGT Request
  T1566_phishing-pattern-iso-in-archive.txt  [T1566]  Phishing Pattern ISO in Archive
  pikabot-fake-dll-extension-execution-via-rundll32-exe.txt  []  Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  T1027_ping-hex-ip.txt  [T1027,T1140]  Ping Hex IP
  T1574.001_pingback-backdoor-activity.txt  [T1574.001]  Pingback Backdoor Activity
  T1574.001_pingback-backdoor-dll-loading-activity.txt  [T1574.001]  Pingback Backdoor DLL Loading Activity
  T1574.001_pingback-backdoor-file-indicators.txt  [T1574.001]  Pingback Backdoor File Indicators
  T1569_possible-cve-2021-1675-print-spooler-exploitation.txt  [T1569]  Possible CVE-2021-1675 Print Spooler Exploitation
  T1033_possible-dcsync-attack.txt  [T1033]  Possible DCSync Attack
  T1210_possible-exploitation-of-exchange-rce-cve-2021-42321.txt  [T1210]  Possible Exploitation of Exchange RCE CVE-2021-42321
  T1003.002_possible-impacket-secretdump-remote-activity.txt  [T1003.002,T1003.003,T1003.004]  Possible Impacket SecretDump Remote Activity
  T1003.002_possible-impacket-secretdump-remote-activity-zeek.txt  [T1003.002,T1003.003,T1003.004]  Possible Impacket SecretDump Remote Activity - Zeek
  T1187_possible-petitpotam-coerce-authentication-attempt.txt  [T1187]  Possible PetitPotam Coerce Authentication Attempt
  T1574.011_possible-privilege-escalation-via-weak-service-permissions.txt  [T1574.011]  Possible Privilege Escalation via Weak Service Permissions
  T1556_possible-shadow-credentials-added.txt  [T1556]  Possible Shadow Credentials Added
  T1053_potential-actinium-persistence-activity.txt  [T1053,T1053.005]  Potential ACTINIUM Persistence Activity
  T1685_potential-amsi-bypass-via-net-reflection.txt  [T1685]  Potential AMSI Bypass Via .NET Reflection
  T1685_potential-amsi-com-server-hijacking.txt  [T1685]  Potential AMSI COM Server Hijacking
  T1059.001_potential-apt-fin7-powerhold-execution.txt  [T1059.001]  Potential APT FIN7 POWERHOLD Execution
  potential-apt-fin7-reconnaissance-powertrash-related-activit.txt  []  Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
  potential-apt-fin7-related-powershell-script-created.txt  []  Potential APT FIN7 Related PowerShell Script Created
  potential-apt-mustang-panda-activity-against-australian-gov.txt  []  Potential APT Mustang Panda Activity Against Australian Gov
  T1059.005_potential-apt10-cloud-hopper-activity.txt  [T1059.005]  Potential APT10 Cloud Hopper Activity
  T1003.001_potential-adplus-exe-abuse.txt  [T1003.001]  Potential Adplus.EXE Abuse
  T1127_potential-arbitrary-code-execution-via-node-exe.txt  [T1127]  Potential Arbitrary Code Execution Via Node.EXE
  T1202_potential-arbitrary-command-execution-using-msdt-exe.txt  [T1202]  Potential Arbitrary Command Execution Using Msdt.EXE
  T1202_potential-arbitrary-file-download-using-office-application.txt  [T1202]  Potential Arbitrary File Download Using Office Application
  T1059_potential-atlassian-confluence-cve-2021-26084-exploitation-a.txt  [T1059,T1190]  Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
  potential-attachment-manager-settings-associations-tamper.txt  []  Potential Attachment Manager Settings Associations Tamper
  potential-attachment-manager-settings-attachments-tamper.txt  []  Potential Attachment Manager Settings Attachments Tamper
  T1685.001_potential-autologger-sessions-tampering.txt  [T1685.001]  Potential AutoLogger Sessions Tampering
  T1012_potential-baby-shark-malware-activity.txt  [T1012,T1059.001,T1059.003,T1218.005]  Potential Baby Shark Malware Activity
  T1140_potential-base64-decoded-from-images.txt  [T1140]  Potential Base64 Decoded From Images
  T1053.005_potential-bearlpe-exploitation.txt  [T1053.005]  Potential BearLPE Exploitation
  T1059.001_potential-blackbyte-ransomware-activity.txt  [T1059.001,T1140,T1485,T1498]  Potential BlackByte Ransomware Activity
  T1059.001_potential-bumblebee-remote-thread-creation.txt  [T1059.001,T1218.011]  Potential Bumblebee Remote Thread Creation
  potential-coldsteel-persistence-service-dll-creation.txt  []  Potential COLDSTEEL Persistence Service DLL Creation
  potential-coldsteel-persistence-service-dll-load.txt  []  Potential COLDSTEEL Persistence Service DLL Load
  potential-coldsteel-rat-file-indicators.txt  []  Potential COLDSTEEL RAT File Indicators
  potential-coldsteel-rat-windows-user-creation.txt  []  Potential COLDSTEEL RAT Windows User Creation
  T1219.002_potential-csharp-streamer-rat-loading-net-executable-image.txt  [T1219.002]  Potential CSharp Streamer RAT Loading .NET Executable Image
  T1190_potential-cve-2021-26084-exploitation-attempt.txt  [T1190]  Potential CVE-2021-26084 Exploitation Attempt
  T1203_potential-cve-2021-26857-exploitation-attempt.txt  [T1203]  Potential CVE-2021-26857 Exploitation Attempt
  T1059_potential-cve-2021-40444-exploitation-attempt.txt  [T1059]  Potential CVE-2021-40444 Exploitation Attempt
  T1190_potential-cve-2021-44228-exploitation-attempt-vmware-horizon.txt  [T1190]  Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  T1190_potential-cve-2022-21587-exploitation-attempt.txt  [T1190]  Potential CVE-2022-21587 Exploitation Attempt
  T1190_potential-cve-2022-26809-exploitation-attempt.txt  [T1190,T1569.002]  Potential CVE-2022-26809 Exploitation Attempt
  T1190_potential-cve-2022-46169-exploitation-attempt.txt  [T1190]  Potential CVE-2022-46169 Exploitation Attempt
  potential-cve-2023-21554-queuejumper-exploitation.txt  []  Potential CVE-2023-21554 QueueJumper Exploitation
  T1190_potential-cve-2023-23752-exploitation-attempt.txt  [T1190]  Potential CVE-2023-23752 Exploitation Attempt
  potential-cve-2023-25157-exploitation-attempt.txt  []  Potential CVE-2023-25157 Exploitation Attempt
  T1190_potential-cve-2023-25717-exploitation-attempt.txt  [T1190]  Potential CVE-2023-25717 Exploitation Attempt
  T1505.001_potential-cve-2023-27363-exploitation-hta-file-creation-by-f.txt  [T1505.001]  Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  potential-cve-2023-36874-exploitation-fake-wermgr-execution.txt  []  Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
  potential-cve-2023-36874-exploitation-fake-wermgr-exe-creati.txt  []  Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
  potential-cve-2023-36884-exploitation-share-access.txt  []  Potential CVE-2023-36884 Exploitation - Share Access
  potential-cve-2023-36884-exploitation-url-marker.txt  []  Potential CVE-2023-36884 Exploitation - URL Marker
  potential-cve-2024-3400-exploitation-palo-alto-globalprotect.txt  []  Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
  T1187_potential-cve-2026-33829-exploitation-windows-snipping-tool.txt  [T1187]  Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
  potential-cve-2303-36884-url-request-pattern-traffic.txt  []  Potential CVE-2023-36884 URL Request Pattern Traffic
  T1190_potential-centos-web-panel-exploitation-attempt-cve-2022-448.txt  [T1190]  Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
  T1204.001_potential-clickfix-execution-pattern-registry.txt  [T1204.001]  Potential ClickFix Execution Pattern - Registry
  T1059_potential-cobaltstrike-process-patterns.txt  [T1059]  Potential CobaltStrike Process Patterns
  T1021.002_potential-cobaltstrike-service-installations-registry.txt  [T1021.002,T1543.003,T1569.002]  Potential CobaltStrike Service Installations - Registry
  T1027_potential-commandline-obfuscation-using-unicode-characters-f.txt  [T1027]  Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
  T1059.003_potential-commandline-path-traversal-via-cmd-exe.txt  [T1059.003]  Potential CommandLine Path Traversal Via Cmd.EXE
  potential-compromised-3cxdesktopapp-beaconing-activity-dns.txt  []  Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
  potential-compromised-3cxdesktopapp-beaconing-activity-netco.txt  []  Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
  potential-compromised-3cxdesktopapp-beaconing-activity-proxy.txt  []  Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
  T1218_potential-compromised-3cxdesktopapp-execution.txt  [T1218]  Potential Compromised 3CXDesktopApp Execution
  potential-compromised-3cxdesktopapp-ico-c2-file-download.txt  []  Potential Compromised 3CXDesktopApp ICO C2 File Download
  T1218_potential-compromised-3cxdesktopapp-update-activity.txt  [T1218]  Potential Compromised 3CXDesktopApp Update Activity
  T1005_potential-conti-ransomware-database-dumping-activity-via-sql.txt  [T1005]  Potential Conti Ransomware Database Dumping Activity Via SQLCmd
  T1003_potential-credential-dumping-attempt-using-new-networkprovid.txt  [T1003]  Potential Credential Dumping Attempt Using New NetworkProvider - CLI
  T1003.001_potential-credential-dumping-attempt-via-powershell-remote-t.txt  [T1003.001]  Potential Credential Dumping Attempt Via PowerShell Remote Thread
  T1003.001_potential-credential-dumping-via-wer.txt  [T1003.001]  Potential Credential Dumping Via WER
  T1496_potential-crypto-mining-activity.txt  [T1496]  Potential Crypto Mining Activity
  T1574.001_potential-dll-sideloading-of-keyscramblerie-dll-via-keyscram.txt  [T1574.001]  Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
  T1574.001_potential-dll-sideloading-of-non-existent-dlls-from-system-f.txt  [T1574.001]  Potential DLL Sideloading Of Non-Existent DLLs From System Folders
  T1574.001_potential-dll-sideloading-via-vmware-xfer.txt  [T1574.001]  Potential DLL Sideloading Via VMware Xfer
  T1574.001_potential-dll-sideloading-via-comctl32-dll.txt  [T1574.001]  Potential DLL Sideloading Via comctl32.dll
  T1059.001_potential-data-exfiltration-activity-via-commandline-tools.txt  [T1059.001]  Potential Data Exfiltration Activity Via CommandLine Tools
  T1185_potential-data-stealing-via-chromium-headless-debugging.txt  [T1185,T1564.003]  Potential Data Stealing Via Chromium Headless Debugging
  potential-defense-evasion-activity-via-emoji-usage-in-comman.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  potential-defense-evasion-activity-via-emoji-usage-in-comman_2.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  potential-defense-evasion-activity-via-emoji-usage-in-comman_3.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  potential-defense-evasion-activity-via-emoji-usage-in-comman_4.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  T1036.003_potential-defense-evasion-via-rename-of-highly-relevant-bina.txt  [T1036.003]  Potential Defense Evasion Via Rename Of Highly Relevant Binaries
  T1036.002_potential-defense-evasion-via-right-to-left-override.txt  [T1036.002]  Potential Defense Evasion Via Right-to-Left Override
  T1218_potential-devil-bait-malware-reconnaissance.txt  [T1218]  Potential Devil Bait Malware Reconnaissance
  potential-devil-bait-related-indicator.txt  []  Potential Devil Bait Related Indicator
  T1574.001_potential-eacore-dll-sideloading.txt  [T1574.001]  Potential EACore.DLL Sideloading
  T1574.001_potential-edputil-dll-sideloading.txt  [T1574.001]  Potential Edputil.DLL Sideloading
  T1027_potential-emotet-activity.txt  [T1027,T1059.001]  Potential Emotet Activity
  T1218.010_potential-empiremonkey-activity.txt  [T1218.010]  Potential EmpireMonkey Activity
  T1685.001_potential-eventlog-file-location-tampering.txt  [T1685.001]  Potential EventLog File Location Tampering
  T1021.003_potential-excel-exe-dcom-lateral-movement-via-activatemicros.txt  [T1021.003]  Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
  potential-exploitation-attempt-from-office-application.txt  []  Potential Exploitation Attempt From Office Application
  T1190_potential-exploitation-attempt-of-undocumented-windowsserver.txt  [T1190]  Potential Exploitation Attempt Of Undocumented WindowsServer RCE
  potential-exploitation-of-cve-2024-3094-suspicious-ssh-child.txt  []  Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  potential-exploitation-of-cve-2024-37085-suspicious-creation.txt  []  Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
  potential-exploitation-of-cve-2024-37085-suspicious-esx-admi.txt  []  Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
  T1190_potential-exploitation-of-cve-2025-4427-4428-ivanti-epmm-pre.txt  [T1190,T1203]  Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
  T1059.001_potential-exploitation-of-crushftp-rce-vulnerability-cve-202.txt  [T1059.001,T1059.003,T1068,T1190]  Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
  T1059.001_potential-exploitation-of-goanywhere-mft-vulnerability.txt  [T1059.001,T1133,T1190]  Potential Exploitation of GoAnywhere MFT Vulnerability
  T1105_potential-exploitation-of-rce-vulnerability-cve-2025-33053.txt  [T1105,T1218]  Potential Exploitation of RCE Vulnerability CVE-2025-33053
  T1105_potential-exploitation-of-rce-vulnerability-cve-2025-33053-i.txt  [T1105,T1218]  Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
  T1105_potential-exploitation-of-rce-vulnerability-cve-2025-33053-p.txt  [T1105,T1218]  Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
  T1036.002_potential-file-extension-spoofing-using-right-to-left-overri.txt  [T1036.002]  Potential File Extension Spoofing Using Right-to-Left Override
  T1485_potential-file-overwrite-via-sysinternals-sdelete.txt  [T1485]  Potential File Overwrite Via Sysinternals SDelete
  T1082_potential-gobrat-file-discovery-via-grep.txt  [T1082]  Potential GobRAT File Discovery Via Grep
  potential-goofy-guineapig-backdoor-activity.txt  []  Potential Goofy Guineapig Backdoor Activity
  potential-goofy-guineapig-goolgeupdate-process-anomaly.txt  []  Potential Goofy Guineapig GoogleUpdate Process Anomaly
  T1190_potential-information-disclosure-cve-2023-43261-exploitation.txt  [T1190]  Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
  T1190_potential-information-disclosure-cve-2023-43261-exploitation_2.txt  [T1190]  Potential Information Disclosure CVE-2023-43261 Exploitation - Web
  T1003_potential-invoke-mimikatz-powershell-script.txt  [T1003]  Potential Invoke-Mimikatz PowerShell Script
  T1574.001_potential-iviewers-dll-sideloading.txt  [T1574.001]  Potential Iviewers.DLL Sideloading
  T1574.001_potential-jli-dll-side-loading.txt  [T1574.001]  Potential JLI.dll Side-Loading
  T1190_potential-jndi-injection-exploitation-in-jvm-based-applicati.txt  [T1190]  Potential JNDI Injection Exploitation In JVM Based Application
  T1505.003_potential-java-webshell-upload-in-sap-netviewer-server.txt  [T1505.003]  Potential Java WebShell Upload in SAP NetViewer Server
  potential-kdc-rc4-hmac-downgrade-exploit-cve-2022-37966.txt  []  Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
  T1547.001_potential-kamikakabot-activity-winlogon-shell-persistence.txt  [T1547.001]  Potential KamiKakaBot Activity - Winlogon Shell Persistence
  potential-kapeka-decrypted-backdoor-indicator.txt  []  Potential Kapeka Decrypted Backdoor Indicator
  T1685_potential-ke3chang-tidepool-malware-activity.txt  [T1685]  Potential Ke3chang/TidePool Malware Activity
  T1557.003_potential-kerberos-coercion-by-spoofing-spns-via-dns-manipul.txt  [T1557.003]  Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
  T1003.001_potential-lsass-process-dump-via-procdump.txt  [T1003.001,T1036]  Potential LSASS Process Dump Via Procdump
  T1218.005_potential-lethalhta-technique-execution.txt  [T1218.005]  Potential LethalHTA Technique Execution
  T1190_potential-local-file-read-vulnerability-in-jvm-based-applica.txt  [T1190]  Potential Local File Read Vulnerability In JVM Based Application
  T1078.004_potential-mfa-bypass-using-legacy-client-authentication.txt  [T1078.004,T1110]  Potential MFA Bypass Using Legacy Client Authentication
  T1190_potential-moveit-transfer-cve-2023-34362-exploitation-file-a.txt  [T1190]  Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
  T1563.002_potential-mstsc-shadowing-activity.txt  [T1563.002]  Potential MSTSC Shadowing Activity
  T1216_potential-manage-bde-wsf-abuse-to-proxy-execution.txt  [T1216]  Potential Manage-bde.wsf Abuse To Proxy Execution
  T1134.001_potential-meterpreter-cobaltstrike-activity.txt  [T1134.001,T1134.002]  Potential Meterpreter/CobaltStrike Activity
  T1574.001_potential-mpclient-dll-sideloading.txt  [T1574.001]  Potential Mpclient.DLL Sideloading
  T1574.001_potential-mpclient-dll-sideloading-via-defender-binaries.txt  [T1574.001]  Potential Mpclient.DLL Sideloading Via Defender Binaries
  T1036.005_potential-msiexec-masquerading.txt  [T1036.005]  Potential MsiExec Masquerading
  potential-muddywater-apt-activity.txt  []  Potential MuddyWater APT Activity
  T1218_potential-ntlm-coercion-via-certutil-exe.txt  [T1218]  Potential NTLM Coercion Via Certutil.EXE
  T1112_potential-netwire-rat-activity-registry.txt  [T1112]  Potential NetWire RAT Activity - Registry
  T1059_potential-netcat-reverse-shell-execution.txt  [T1059]  Potential Netcat Reverse Shell Execution
  T1068_potential-nimbuspwn-exploit-cve-2022-29799-and-cve-2022-2780.txt  [T1068]  Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
  T1574.008_potential-notepad-cve-2025-49144-exploitation.txt  [T1574.008]  Potential Notepad++ CVE-2025-49144 Exploitation
  T1190_potential-ognl-injection-exploitation-in-jvm-based-applicati.txt  [T1190]  Potential OGNL Injection Exploitation In JVM Based Application
  T1190_potential-owassrf-exploitation-attempt-proxy.txt  [T1190]  Potential OWASSRF Exploitation Attempt - Proxy
  T1190_potential-owassrf-exploitation-attempt-webserver.txt  [T1190]  Potential OWASSRF Exploitation Attempt - Webserver
  T1552_potential-okta-password-in-alternateid-field.txt  [T1552]  Potential Okta Password in AlternateID Field
  potential-operation-triangulation-c2-beaconing-activity-dns.txt  []  Potential Operation Triangulation C2 Beaconing Activity - DNS
  potential-operation-triangulation-c2-beaconing-activity-prox.txt  []  Potential Operation Triangulation C2 Beaconing Activity - Proxy
  potential-php-reverse-shell.txt  []  Potential PHP Reverse Shell
  T1059.001_potential-powertrash-script-execution.txt  [T1059.001]  Potential POWERTRASH Script Execution
  T1546.015_potential-psfactorybuffer-com-hijacking.txt  [T1546.015]  Potential PSFactoryBuffer COM Hijacking
  potential-perl-reverse-shell-execution.txt  []  Potential Perl Reverse Shell Execution
  T1546.012_potential-persistence-via-app-paths-default-property.txt  [T1546.012]  Potential Persistence Via App Paths Default Property
  potential-persistence-via-autodialdll.txt  []  Potential Persistence Via AutodialDLL
  potential-persistence-via-chm-helper-dll.txt  []  Potential Persistence Via CHM Helper DLL
  potential-persistence-via-dllpathoverride.txt  []  Potential Persistence Via DLLPathOverride
  T1137.006_potential-persistence-via-excel-add-in-registry.txt  [T1137.006]  Potential Persistence Via Excel Add-in - Registry
  T1546.012_potential-persistence-via-globalflags.txt  [T1546.012]  Potential Persistence Via GlobalFlags
  potential-persistence-via-lsa-extensions.txt  []  Potential Persistence Via LSA Extensions
  T1037.001_potential-persistence-via-logon-scripts-commandline.txt  [T1037.001]  Potential Persistence Via Logon Scripts - CommandLine
  T1137.006_potential-persistence-via-microsoft-office-add-in.txt  [T1137.006]  Potential Persistence Via Microsoft Office Add-In
  T1137_potential-persistence-via-microsoft-office-startup-folder.txt  [T1137]  Potential Persistence Via Microsoft Office Startup Folder
  potential-persistence-via-mpnotify.txt  []  Potential Persistence Via Mpnotify
  potential-persistence-via-mycomputer-registry-keys.txt  []  Potential Persistence Via MyComputer Registry Keys
  T1137.003_potential-persistence-via-outlook-form.txt  [T1137.003]  Potential Persistence Via Outlook Form
  T1112_potential-persistence-via-outlook-home-page.txt  [T1112]  Potential Persistence Via Outlook Home Page
  T1008_potential-persistence-via-outlook-loadmacroprovideronboot-se.txt  [T1008,T1137,T1546]  Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
  T1112_potential-persistence-via-outlook-today-page.txt  [T1112]  Potential Persistence Via Outlook Today Page
  T1543.001_potential-persistence-via-plistbuddy.txt  [T1543.001,T1543.004]  Potential Persistence Via PlistBuddy
  T1053.005_potential-persistence-via-powershell-search-order-hijacking.txt  [T1053.005,T1059.001]  Potential Persistence Via Powershell Search Order Hijacking - Task
  potential-persistence-via-security-descriptors-scriptblock.txt  []  Potential Persistence Via Security Descriptors - ScriptBlock
  T1546.011_potential-persistence-via-shim-database-in-uncommon-location.txt  [T1546.011]  Potential Persistence Via Shim Database In Uncommon Location
  potential-persistence-via-typedpaths.txt  []  Potential Persistence Via TypedPaths
  T1573_potential-pikabot-c2-activity.txt  [T1573]  Potential Pikabot C2 Activity
  T1016_potential-pikabot-discovery-activity.txt  [T1016,T1049,T1087]  Potential Pikabot Discovery Activity
  T1055.012_potential-pikabot-hollowing-activity.txt  [T1055.012]  Potential Pikabot Hollowing Activity
  T1574.001_potential-plugx-activity.txt  [T1574.001]  Potential PlugX Activity
  T1027_potential-powershell-command-line-obfuscation.txt  [T1027,T1059.001]  Potential PowerShell Command Line Obfuscation
  potential-powershell-execution-policy-tampering-proccreation.txt  []  Potential PowerShell Execution Policy Tampering - ProcCreation
  T1218.011_potential-powershell-execution-via-dll.txt  [T1218.011]  Potential PowerShell Execution Via DLL
  T1027_potential-powershell-obfuscation-via-reversed-commands.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Via Reversed Commands
  T1027_potential-powershell-obfuscation-via-wchar-char.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Via WCHAR/CHAR
  T1059.001_potential-powershell-reverseshell-connection.txt  [T1059.001]  Potential Powershell ReverseShell Connection
  T1574_potential-printnightmare-exploitation-attempt.txt  [T1574]  Potential PrintNightmare Exploitation Attempt
  potential-privilege-escalation-attempt-via-exe-local-techniq.txt  []  Potential Privilege Escalation Attempt Via .Exe.Local Technique
  T1587.001_potential-privilege-escalation-to-local-system.txt  [T1587.001]  Potential Privilege Escalation To LOCAL SYSTEM
  T1546.008_potential-privilege-escalation-using-symlink-between-osk-and.txt  [T1546.008]  Potential Privilege Escalation Using Symlink Between Osk and Cmd
  T1548_potential-privilege-escalation-via-local-kerberos-relay-over.txt  [T1548]  Potential Privilege Escalation via Local Kerberos Relay over LDAP
  T1574.011_potential-privilege-escalation-via-service-permissions-weakn.txt  [T1574.011]  Potential Privilege Escalation via Service Permissions Weakness
  T1055_potential-process-injection-via-msra-exe.txt  [T1055]  Potential Process Injection Via Msra.EXE
  T1218_potential-provisioning-registry-key-abuse-for-binary-proxy-e.txt  [T1218]  Potential Provisioning Registry Key Abuse For Binary Proxy Execution
  T1218_potential-provisioning-registry-key-abuse-for-binary-proxy-e_2.txt  [T1218]  Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
  T1587.001_potential-psexec-remote-execution.txt  [T1587.001]  Potential PsExec Remote Execution
  T1112_potential-qakbot-registry-activity.txt  [T1112]  Potential Qakbot Registry Activity
  potential-qakbot-rundll32-execution.txt  []  Potential Qakbot Rundll32 Execution
  T1190_potential-rce-exploitation-attempt-in-nodejs.txt  [T1190]  Potential RCE Exploitation Attempt In NodeJS
  T1572_potential-rdp-tunneling-via-plink.txt  [T1572]  Potential RDP Tunneling Via Plink
  T1572_potential-rdp-tunneling-via-ssh.txt  [T1572]  Potential RDP Tunneling Via SSH
  T1491.001_potential-ransomware-activity-using-legalnotice-message.txt  [T1491.001]  Potential Ransomware Activity Using LegalNotice Message
  T1574.001_potential-raspberry-robin-aclui-dll-sideloading.txt  [T1574.001]  Potential Raspberry Robin Aclui Dll SideLoading
  T1218.011_potential-raspberry-robin-cpl-execution-activity.txt  [T1218.011]  Potential Raspberry Robin CPL Execution Activity
  potential-raspberry-robin-dot-ending-file.txt  []  Potential Raspberry Robin Dot Ending File
  T1574.001_potential-rcdll-dll-sideloading.txt  [T1574.001]  Potential Rcdll.DLL Sideloading
  potential-recon-activity-using-driverquery-exe.txt  []  Potential Recon Activity Using DriverQuery.EXE
  T1003.005_potential-reconnaissance-for-cached-credentials-via-cmdkey-e.txt  [T1003.005]  Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
  T1053.005_potential-registry-persistence-attempt-via-windows-telemetry.txt  [T1053.005]  Potential Registry Persistence Attempt Via Windows Telemetry
  T1021.006_potential-remote-powershell-session-initiated.txt  [T1021.006,T1059.001]  Potential Remote PowerShell Session Initiated
  T1047_potential-remote-squiblytwo-technique-execution.txt  [T1047,T1059.005,T1059.007,T1220]  Potential Remote SquiblyTwo Technique Execution
  T1218_potential-remotefxvgpudisablement-exe-abuse.txt  [T1218]  Potential RemoteFXvGPUDisablement.EXE Abuse
  T1218_potential-remotefxvgpudisablement-exe-abuse-powershell-modul.txt  [T1218]  Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
  T1218_potential-remotefxvgpudisablement-exe-abuse-powershell-scrip.txt  [T1218]  Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
  potential-renamed-rundll32-execution.txt  []  Potential Renamed Rundll32 Execution
  T1547_potential-ripzip-attack-on-startup-folder.txt  [T1547]  Potential RipZip Attack on Startup Folder
  T1574.001_potential-rjvplatform-dll-sideloading-from-non-default-locat.txt  [T1574.001]  Potential RjvPlatform.DLL Sideloading From Non-Default Location
  T1564.004_potential-rundll32-execution-with-dll-stored-in-ads.txt  [T1564.004]  Potential Rundll32 Execution With DLL Stored In ADS
  T1547.001_potential-ryuk-ransomware-activity.txt  [T1547.001]  Potential Ryuk Ransomware Activity
  T1003.002_potential-sam-database-dump.txt  [T1003.002]  Potential SAM Database Dump
  T1190_potential-sap-netviewer-webshell-command-execution.txt  [T1190,T1505.003]  Potential SAP NetViewer Webshell Command Execution
  potential-snake-malware-installation-cli-arguments-indicator.txt  []  Potential SNAKE Malware Installation CLI Arguments Indicator
  potential-snake-malware-persistence-service-execution.txt  []  Potential SNAKE Malware Persistence Service Execution
  T1053.005_potential-ssh-tunnel-persistence-install-using-a-scheduled-t.txt  [T1053.005]  Potential SSH Tunnel Persistence Install Using A Scheduled Task
  T1190_potential-server-side-template-injection-in-velocity.txt  [T1190]  Potential Server Side Template Injection In Velocity
  T1190_potential-sharepoint-toolshell-cve-2025-53770-exploitation-i.txt  [T1190]  Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
  potential-signing-bypass-via-windows-developer-features.txt  []  Potential Signing Bypass Via Windows Developer Features
  potential-signing-bypass-via-windows-developer-features-regi.txt  []  Potential Signing Bypass Via Windows Developer Features - Registry
  T1574.001_potential-smadhook-dll-sideloading.txt  [T1574.001]  Potential SmadHook.DLL Sideloading
  T1204_potential-snatch-ransomware-activity.txt  [T1204]  Potential Snatch Ransomware Activity
  T1219.002_potential-socgholish-second-stage-c2-dns-query.txt  [T1219.002]  Potential SocGholish Second Stage C2 DNS Query
  T1190_potential-spel-injection-in-spring-framework.txt  [T1190]  Potential SpEL Injection In Spring Framework
  T1547.001_potential-startup-shortcut-persistence-via-powershell-exe.txt  [T1547.001]  Potential Startup Shortcut Persistence Via PowerShell.EXE
  potential-suspicious-bpf-activity-linux.txt  []  Potential Suspicious BPF Activity - Linux
  T1218_potential-suspicious-child-process-of-3cxdesktopapp.txt  [T1218]  Potential Suspicious Child Process Of 3CXDesktopApp
  T1218_potential-suspicious-mofcomp-execution.txt  [T1218]  Potential Suspicious Mofcomp Execution
  potential-suspicious-winget-package-installation.txt  []  Potential Suspicious Winget Package Installation
  T1003.001_potential-sysinternals-procdump-evasion.txt  [T1003.001,T1036]  Potential SysInternals ProcDump Evasion
  T1574.001_potential-system-dll-sideloading-from-non-system-locations.txt  [T1574.001]  Potential System DLL Sideloading From Non System Locations
  T1021.001_potential-tampering-with-rdp-related-registry-keys-via-reg-e.txt  [T1021.001,T1112]  Potential Tampering With RDP Related Registry Keys Via Reg.EXE
  T1685_potential-tampering-with-security-products-via-wmic.txt  [T1685]  Potential Tampering With Security Products Via WMIC
  T1112_potential-ursnif-malware-activity-registry.txt  [T1112]  Potential Ursnif Malware Activity - Registry
  T1574.001_potential-vcruntime140-dll-sideloading.txt  [T1574.001]  Potential Vcruntime140 DLL Sideloading
  T1574.001_potential-waveedit-dll-sideloading.txt  [T1574.001]  Potential Waveedit.DLL Sideloading
  T1036.003_potential-werfault-reflectdebugger-registry-value-abuse.txt  [T1036.003]  Potential WerFault ReflectDebugger Registry Value Abuse
  T1106_potential-winapi-calls-via-commandline.txt  [T1106]  Potential WinAPI Calls Via CommandLine
  T1059.001_potential-winapi-calls-via-powershell-scripts.txt  [T1059.001,T1106]  Potential WinAPI Calls Via PowerShell Scripts
  T1003.001_potential-windows-defender-av-bypass-via-dump64-exe-rename.txt  [T1003.001]  Potential Windows Defender AV Bypass Via Dump64.EXE Rename
  T1047_potential-windows-defender-tampering-via-wmic-exe.txt  [T1047,T1685]  Potential Windows Defender Tampering Via Wmic.EXE
  T1027_potential-winnti-dropper-activity.txt  [T1027]  Potential Winnti Dropper Activity
  potential-wizardupdate-malware-infection.txt  []  Potential WizardUpdate Malware Infection
  T1190_potential-xxe-exploitation-attempt-in-jvm-based-application.txt  [T1190]  Potential XXE Exploitation Attempt In JVM Based Application
  T1068_potential-zerologon-cve-2020-1472-exploitation.txt  [T1068]  Potential Zerologon (CVE-2020-1472) Exploitation
  T1574.001_potential-appverifui-dll-sideloading.txt  [T1574.001]  Potential appverifUI.DLL Sideloading
  T1127_potentially-suspicious-asp-net-compilation-via-aspnetcompile.txt  [T1127]  Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
  potentially-suspicious-call-to-win32-nteventlogfile-class.txt  []  Potentially Suspicious Call To Win32_NTEventlogFile Class
  T1218.010_potentially-suspicious-child-process-of-regsvr32.txt  [T1218.010]  Potentially Suspicious Child Process Of Regsvr32
  T1202_potentially-suspicious-child-processes-spawned-by-conhost.txt  [T1202,T1218]  Potentially Suspicious Child Processes Spawned by ConHost
  T1059.001_potentially-suspicious-command-executed-via-run-dialog-box-r.txt  [T1059.001]  Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  T1218.008_potentially-suspicious-dll-registered-via-odbcconf-exe.txt  [T1218.008]  Potentially Suspicious DLL Registered Via Odbcconf.EXE
  T1548.002_potentially-suspicious-event-viewer-child-process.txt  [T1548.002]  Potentially Suspicious Event Viewer Child Process
  T1059_potentially-suspicious-execution-from-parent-process-in-publ.txt  [T1059,T1564]  Potentially Suspicious Execution From Parent Process In Public Folder
  potentially-suspicious-file-download-from-file-sharing-domai.txt  []  Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
  potentially-suspicious-file-download-from-zip-tld.txt  []  Potentially Suspicious File Download From ZIP TLD
  T1571_potentially-suspicious-malware-callback-communication.txt  [T1571]  Potentially Suspicious Malware Callback Communication
  T1571_potentially-suspicious-malware-callback-communication-linux.txt  [T1571]  Potentially Suspicious Malware Callback Communication - Linux
  T1003_potentially-suspicious-odbc-driver-registered.txt  [T1003]  Potentially Suspicious ODBC Driver Registered
  T1202_potentially-suspicious-office-document-executed-from-trusted.txt  [T1202]  Potentially Suspicious Office Document Executed From Trusted Location
  T1218.010_potentially-suspicious-regsvr32-http-ip-pattern.txt  [T1218.010]  Potentially Suspicious Regsvr32 HTTP IP Pattern
  T1059.001_powershell-adrecon-execution.txt  [T1059.001]  PowerShell ADRecon Execution
  T1059.001_powershell-base64-encoded-frombase64string-cmdlet.txt  [T1059.001,T1140]  PowerShell Base64 Encoded FromBase64String Cmdlet
  T1059.001_powershell-base64-encoded-iex-cmdlet.txt  [T1059.001]  PowerShell Base64 Encoded IEX Cmdlet
  T1027_powershell-base64-encoded-invoke-keyword.txt  [T1027,T1059.001]  PowerShell Base64 Encoded Invoke Keyword
  T1027_powershell-base64-encoded-reflective-assembly-load.txt  [T1027,T1059.001,T1620]  PowerShell Base64 Encoded Reflective Assembly Load
  T1027_powershell-base64-encoded-wmi-classes.txt  [T1027,T1059.001]  PowerShell Base64 Encoded WMI Classes
  T1059.001_powershell-called-from-an-executable-version-mismatch.txt  [T1059.001]  PowerShell Called from an Executable Version Mismatch
  T1059.001_powershell-credential-prompt.txt  [T1059.001]  PowerShell Credential Prompt
  T1685_powershell-defender-threat-severity-default-action-set-to-al.txt  [T1685]  PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
  T1059_powershell-download-and-execution-cradles.txt  [T1059]  PowerShell Download and Execution Cradles
  powershell-execution-with-potential-decryption-capabilities.txt  []  PowerShell Execution With Potential Decryption Capabilities
  T1552.004_powershell-get-process-lsass.txt  [T1552.004]  PowerShell Get-Process LSASS
  T1003.001_powershell-get-process-lsass-in-scriptblock.txt  [T1003.001]  PowerShell Get-Process LSASS in ScriptBlock
  T1112_powershell-logging-disabled-via-registry-key-tampering.txt  [T1112,T1564.001]  PowerShell Logging Disabled Via Registry Key Tampering
  T1059.001_powershell-psattack.txt  [T1059.001]  PowerShell PSAttack
  T1003.002_powershell-sam-copy.txt  [T1003.002]  PowerShell SAM Copy
  powershell-script-change-permission-via-set-acl.txt  []  PowerShell Script Change Permission Via Set-Acl
  T1569.002_powershell-scripts-installed-as-services.txt  [T1569.002]  PowerShell Scripts Installed as Services
  T1569.002_powershell-scripts-installed-as-services-security.txt  [T1569.002]  PowerShell Scripts Installed as Services - Security
  powershell-set-acl-on-windows-folder.txt  []  PowerShell Set-Acl On Windows Folder
  T1222_powershell-set-acl-on-windows-folder-psscript.txt  [T1222]  PowerShell Set-Acl On Windows Folder - PsScript
  T1055_powershell-shellcode.txt  [T1055,T1059.001]  PowerShell ShellCode
  T1548.002_powershell-web-access-feature-enabled-via-dism.txt  [T1548.002]  PowerShell Web Access Feature Enabled Via DISM
  T1059.001_powershell-web-access-installation-psscript.txt  [T1059.001]  PowerShell Web Access Installation - PsScript
  T1569.002_powershell-as-a-service-in-registry.txt  [T1569.002]  PowerShell as a Service in Registry
  T1059.001_powerview-powershell-cmdlets-scriptblock.txt  [T1059.001]  PowerView PowerShell Cmdlets - ScriptBlock
  T1565_powershell-add-name-resolution-policy-table-rule.txt  [T1565]  Powershell Add Name Resolution Policy Table Rule
  T1685_powershell-base64-encoded-mppreference-cmdlet.txt  [T1685]  Powershell Base64 Encoded MpPreference Cmdlet
  T1048_powershell-dnsexfiltration.txt  [T1048]  Powershell DNSExfiltration
  T1685_powershell-defender-disable-scan-feature.txt  [T1685]  Powershell Defender Disable Scan Feature
  T1556.002_powershell-install-a-dll-in-system-directory.txt  [T1556.002]  Powershell Install a DLL in System Directory
  T1027.009_powershell-token-obfuscation-process-creation.txt  [T1027.009]  Powershell Token Obfuscation - Process Creation
  T1098_powerview-add-domainobjectacl-dcsync-ad-extend-right.txt  [T1098]  Powerview Add-DomainObjectAcl DCSync AD Extend Right
  T1070.004_prefetch-file-deleted.txt  [T1070.004]  Prefetch File Deleted
  T1528_primary-refresh-token-access-attempt.txt  [T1528]  Primary Refresh Token Access Attempt
  T1105_printbrm-zip-creation-of-extraction.txt  [T1105,T1564.004]  PrintBrm ZIP Creation of Extraction
  T1021_privilege-escalation-via-named-pipe-impersonation.txt  [T1021]  Privilege Escalation via Named Pipe Impersonation
  T1098_privileged-user-has-been-created.txt  [T1098,T1136.001]  Privileged User Has Been Created
  T1190_process-execution-error-in-jvm-based-application.txt  [T1190]  Process Execution Error In JVM Based Application
  T1036_process-execution-from-a-potentially-suspicious-folder.txt  [T1036]  Process Execution From A Potentially Suspicious Folder
  T1068_process-explorer-driver-creation-by-non-sysinternals-binary.txt  [T1068]  Process Explorer Driver Creation By Non-Sysinternals Binary
  T1102_process-initiated-network-connection-to-ngrok-domain.txt  [T1102,T1567,T1572]  Process Initiated Network Connection To Ngrok Domain
  T1003.001_process-memory-dump-via-comsvcs-dll.txt  [T1003.001,T1036]  Process Memory Dump Via Comsvcs.DLL
  T1003.001_process-memory-dump-via-rdrleakdiag-exe.txt  [T1003.001]  Process Memory Dump via RdrLeakDiag.EXE
  T1543.003_processhacker-privilege-elevation.txt  [T1543.003,T1569.002]  ProcessHacker Privilege Elevation
  T1021.002_protected-storage-service-access.txt  [T1021.002]  Protected Storage Service Access
  T1218_proxy-execution-via-wuauclt-exe.txt  [T1218]  Proxy Execution Via Wuauclt.EXE
  T1036.003_ps-exe-renamed-sysinternals-tool.txt  [T1036.003]  Ps.exe Renamed SysInternals Tool
  psexec-service-child-process-execution-as-local-system.txt  []  PsExec Service Child Process Execution as LOCAL SYSTEM
  T1587.001_psexec-paexec-escalation-to-local-system.txt  [T1587.001]  PsExec/PAExec Escalation to LOCAL SYSTEM
  T1021.001_publicly-accessible-rdp-service.txt  [T1021.001]  Publicly Accessible RDP Service
  T1190_pulse-connect-secure-rce-attack-cve-2021-22893.txt  [T1190]  Pulse Connect Secure RCE Attack CVE-2021-22893
  T1548.001_pwnkit-local-privilege-escalation.txt  [T1548.001]  PwnKit Local Privilege Escalation
  T1685_python-function-execution-security-warning-disabled-in-excel.txt  [T1685]  Python Function Execution Security Warning Disabled In Excel
  T1685_python-function-execution-security-warning-disabled-in-excel_2.txt  [T1685]  Python Function Execution Security Warning Disabled In Excel - Registry
  T1027.010_python-one-liners-with-base64-decoding.txt  [T1027.010,T1059.006]  Python One-Liners with Base64 Decoding
  T1027.010_python-one-liners-with-base64-decoding-linux.txt  [T1027.010,T1059.006]  Python One-Liners with Base64 Decoding - Linux
  python-reverse-shell-execution-via-pty-and-socket-modules.txt  []  Python Reverse Shell Execution Via PTY And Socket Modules
  T1059_python-spawning-pretty-tty-on-windows.txt  [T1059]  Python Spawning Pretty TTY on Windows
  qakbot-regsvr32-calc-pattern.txt  []  Qakbot Regsvr32 Calc Pattern
  qakbot-uninstaller-execution.txt  []  Qakbot Uninstaller Execution
  T1090.003_query-tor-onion-address-dns-client.txt  [T1090.003]  Query Tor Onion Address - DNS Client
  T1686.003_rdp-connection-allowed-via-netsh-exe.txt  [T1686.003]  RDP Connection Allowed Via Netsh.EXE
  T1021.001_rdp-login-from-localhost.txt  [T1021.001]  RDP Login from Localhost
  T1021.001_rdp-over-reverse-ssh-tunnel.txt  [T1021.001,T1572]  RDP Over Reverse SSH Tunnel
  T1090_rdp-port-forwarding-rule-added-via-netsh-exe.txt  [T1090]  RDP Port Forwarding Rule Added Via Netsh.EXE
  T1112_rdp-sensitive-settings-changed.txt  [T1112]  RDP Sensitive Settings Changed
  T1021.001_rdp-over-reverse-ssh-tunnel-wfp.txt  [T1021.001,T1090.001,T1090.002]  RDP over Reverse SSH Tunnel WFP
  T1021.001_rdp-to-http-or-https-target-ports.txt  [T1021.001,T1572]  RDP to HTTP or HTTPS Target Ports
  rtcore-suspicious-service-installation.txt  []  RTCore Suspicious Service Installation
  T1685_raccine-uninstall.txt  [T1685]  Raccine Uninstall
  T1560.001_rar-usage-with-password-and-compression-level.txt  [T1560.001]  Rar Usage with Password and Compression Level
  T1055_rare-remote-thread-creation-by-uncommon-source-image.txt  [T1055]  Rare Remote Thread Creation By Uncommon Source Image
  T1059.001_raspberry-robin-initial-execution-from-external-drive.txt  [T1059.001]  Raspberry Robin Initial Execution From External Drive
  T1059.001_raspberry-robin-subsequent-execution-of-commands.txt  [T1059.001]  Raspberry Robin Subsequent Execution of Commands
  T1071.001_raw-paste-service-access.txt  [T1071.001,T1102.001,T1102.003]  Raw Paste Service Access
  recon-activity-via-sasec.txt  []  Recon Activity via SASec
  T1069.002_reconnaissance-activity.txt  [T1069.002,T1087.002]  Reconnaissance Activity
  T1112_redmimicry-winnti-playbook-registry-manipulation.txt  [T1112]  RedMimicry Winnti Playbook Registry Manipulation
  T1036.005_redsun-conhost-exe-spawned-by-tieringengineservice-exe.txt  [T1036.005,T1134.002]  RedSun - Conhost.exe Spawned by TieringEngineService.exe
  T1112_reg-add-suspicious-paths.txt  [T1112,T1685]  Reg Add Suspicious Paths
  T1548_regedit-as-trusted-installer.txt  [T1548]  Regedit as Trusted Installer
  T1558.003_register-new-logon-process-by-rubeus.txt  [T1558.003]  Register new Logon Process by Rubeus
  T1490_registry-disable-system-restore.txt  [T1490]  Registry Disable System Restore
  T1552.002_registry-export-of-third-party-credentials.txt  [T1552.002]  Registry Export of Third-Party Credentials
  T1112_registry-modification-for-oci-dll-redirection.txt  [T1112,T1574.001]  Registry Modification for OCI DLL Redirection
  T1547_registry-persistence-mechanisms-in-recycle-bin.txt  [T1547]  Registry Persistence Mechanisms in Recycle Bin
  T1547.001_registry-persistence-via-explorer-run-key.txt  [T1547.001]  Registry Persistence via Explorer Run Key
  T1564.001_registry-persistence-via-service-in-safe-mode.txt  [T1564.001]  Registry Persistence via Service in Safe Mode
  T1218.010_regsvr32-dll-execution-with-suspicious-file-extension.txt  [T1218.010]  Regsvr32 DLL Execution With Suspicious File Extension
  T1190_rejetto-http-file-server-rce.txt  [T1190,T1505.003]  Rejetto HTTP File Server RCE
  T1588_relevant-anti-virus-signature-keywords-in-application-log.txt  [T1588]  Relevant Anti-Virus Signature Keywords In Application Log
  T1588.001_relevant-clamav-message.txt  [T1588.001]  Relevant ClamAV Message
  T1219.002_remote-access-tool-anydesk-silent-installation.txt  [T1219.002]  Remote Access Tool - AnyDesk Silent Installation
  T1219.002_remote-access-tool-anydesk-execution-from-suspicious-folder.txt  [T1219.002]  Remote Access Tool - Anydesk Execution From Suspicious Folder
  T1036.003_remote-access-tool-renamed-meshagent-execution-macos.txt  [T1036.003,T1219.002]  Remote Access Tool - Renamed MeshAgent Execution - MacOS
  T1036.003_remote-access-tool-renamed-meshagent-execution-windows.txt  [T1036.003,T1219.002]  Remote Access Tool - Renamed MeshAgent Execution - Windows
  T1190_remote-access-tool-screenconnect-server-web-shell-execution.txt  [T1190]  Remote Access Tool - ScreenConnect Server Web Shell Execution
  remote-appx-package-downloaded-from-file-sharing-or-cdn-doma.txt  []  Remote AppX Package Downloaded from File Sharing or CDN Domain
  T1218.001_remote-chm-file-download-execution-via-hh-exe.txt  [T1218.001]  Remote CHM File Download/Execution Via HH.EXE
  T1021.003_remote-dcom-wmi-lateral-movement.txt  [T1021.003,T1047]  Remote DCOM/WMI Lateral Movement
  remote-encrypting-file-system-abuse.txt  []  Remote Encrypting File System Abuse
  remote-event-log-recon.txt  []  Remote Event Log Recon
  T1003.001_remote-lsass-process-access-through-windows-remote-managemen.txt  [T1003.001,T1021.006,T1059.001]  Remote LSASS Process Access Through Windows Remote Management
  T1021.006_remote-powershell-session-ps-module.txt  [T1021.006,T1059.001]  Remote PowerShell Session (PS Module)
  T1059.001_remote-powershell-sessions-network-connections-winrm.txt  [T1059.001]  Remote PowerShell Sessions Network Connections (WinRM)
  remote-printing-abuse-for-lateral-movement.txt  []  Remote Printing Abuse for Lateral Movement
  T1112_remote-registry-lateral-movement.txt  [T1112]  Remote Registry Lateral Movement
  remote-registry-recon.txt  []  Remote Registry Recon
  T1053_remote-schedule-task-lateral-movement-via-atsvc.txt  [T1053,T1053.002]  Remote Schedule Task Lateral Movement via ATSvc
  T1053_remote-schedule-task-lateral-movement-via-itaskschedulerserv.txt  [T1053,T1053.002]  Remote Schedule Task Lateral Movement via ITaskSchedulerService
  T1053_remote-schedule-task-lateral-movement-via-sasec.txt  [T1053,T1053.002]  Remote Schedule Task Lateral Movement via SASec
  remote-schedule-task-recon-via-atscv.txt  []  Remote Schedule Task Recon via AtScv
  remote-schedule-task-recon-via-itaskschedulerservice.txt  []  Remote Schedule Task Recon via ITaskSchedulerService
  remote-server-service-abuse.txt  []  Remote Server Service Abuse
  T1569.002_remote-server-service-abuse-for-lateral-movement.txt  [T1569.002]  Remote Server Service Abuse for Lateral Movement
  T1555.005_remote-thread-created-in-keepass-exe.txt  [T1555.005]  Remote Thread Created In KeePass.EXE
  remote-thread-creation-in-mstsc-exe-from-suspicious-location.txt  []  Remote Thread Creation In Mstsc.Exe From Suspicious Location
  T1127_remote-thread-creation-ttdinject-exe-proxy.txt  [T1127]  Remote Thread Creation Ttdinject.exe Proxy
  T1220_remote-xsl-execution-via-msxsl-exe.txt  [T1220]  Remote XSL Execution Via Msxsl.EXE
  T1218_remotefxvgpudisablement-abuse-via-atomictestharnesses.txt  [T1218]  RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
  T1218.005_remotely-hosted-hta-file-executed-via-mshta-exe.txt  [T1218.005]  Remotely Hosted HTA File Executed Via Mshta.EXE
  T1685_removal-of-amsi-provider-registry-keys.txt  [T1685]  Removal Of AMSI Provider Registry Keys
  T1070_remove-exported-mailbox-from-exchange-webserver.txt  [T1070]  Remove Exported Mailbox from Exchange Webserver
  T1018_renamed-adfind-execution.txt  [T1018,T1069.002,T1087.002,T1482]  Renamed AdFind Execution
  T1027_renamed-autoit-execution.txt  [T1027]  Renamed AutoIt Execution
  T1036.003_renamed-browsercore-exe-execution.txt  [T1036.003,T1528]  Renamed BrowserCore.EXE Execution
  T1090.001_renamed-cloudflared-exe-execution.txt  [T1090.001]  Renamed Cloudflared.EXE Execution
  T1003.001_renamed-createdump-utility-execution.txt  [T1003.001,T1036]  Renamed CreateDump Utility Execution
  T1486_renamed-gpg-exe-execution.txt  [T1486]  Renamed Gpg.EXE Execution
  T1036.003_renamed-jusched-exe-execution.txt  [T1036.003]  Renamed Jusched.EXE Execution
  T1055.001_renamed-mavinject-exe-execution.txt  [T1055.001,T1218.013]  Renamed Mavinject.EXE Execution
  T1218_renamed-megasync-execution.txt  [T1218]  Renamed MegaSync Execution
  T1036.003_renamed-msdt-exe-execution.txt  [T1036.003]  Renamed Msdt.EXE Execution
  renamed-netsupport-rat-execution.txt  []  Renamed NetSupport RAT Execution
  T1059_renamed-nircmd-exe-execution.txt  [T1059,T1202]  Renamed NirCmd.EXE Execution
  T1036.003_renamed-office-binary-execution.txt  [T1036.003]  Renamed Office Binary Execution
  T1202_renamed-paexec-execution.txt  [T1202]  Renamed PAExec Execution
  T1059_renamed-pingcastle-binary-execution.txt  [T1059,T1202]  Renamed PingCastle Binary Execution
  T1036_renamed-plink-execution.txt  [T1036]  Renamed Plink Execution
  T1036.003_renamed-procdump-execution.txt  [T1036.003]  Renamed ProcDump Execution
  renamed-psexec-service-execution.txt  []  Renamed PsExec Service Execution
  T1036.003_renamed-schtasks-execution.txt  [T1036.003,T1053.005]  Renamed Schtasks Execution
  T1588.002_renamed-sysinternals-debugview-execution.txt  [T1588.002]  Renamed SysInternals DebugView Execution
  T1485_renamed-sysinternals-sdelete-execution.txt  [T1485]  Renamed Sysinternals Sdelete Execution
  T1574.001_renamed-vmnat-exe-execution.txt  [T1574.001]  Renamed Vmnat.exe Execution
  renamed-vscode-code-tunnel-execution-file-indicator.txt  []  Renamed VsCode Code Tunnel Execution - File Indicator
  T1036_renamed-zoho-dctask64-execution.txt  [T1036,T1055.001,T1202,T1218]  Renamed ZOHO Dctask64 Execution
  T1558_replay-attack-detected.txt  [T1558]  Replay Attack Detected
  T1020_restore-public-aws-rds-instance.txt  [T1020]  Restore Public AWS RDS Instance
  T1072_restricted-software-access-by-srp.txt  [T1072]  Restricted Software Access By SRP
  T1112_restrictedadminmode-registry-value-tampering.txt  [T1112]  RestrictedAdminMode Registry Value Tampering
  T1112_restrictedadminmode-registry-value-tampering-proccreation.txt  [T1112]  RestrictedAdminMode Registry Value Tampering - ProcCreation
  T1078_roles-activated-too-frequently.txt  [T1078]  Roles Activated Too Frequently
  T1078_roles-activation-doesn-t-require-mfa.txt  [T1078]  Roles Activation Doesn't Require MFA
  T1078_roles-are-not-being-used.txt  [T1078]  Roles Are Not Being Used
  T1078_roles-assigned-outside-pim.txt  [T1078]  Roles Assigned Outside PIM
  T1553.004_root-certificate-installed-from-susp-locations.txt  [T1553.004]  Root Certificate Installed From Susp Locations
  T1557.001_rottenpotato-like-attack-pattern.txt  [T1557.001]  RottenPotato Like Attack Pattern
  T1564.004_run-powershell-script-from-ads.txt  [T1564.004]  Run PowerShell Script from ADS
  T1059_run-powershell-script-from-redirected-input-stream.txt  [T1059]  Run PowerShell Script from Redirected Input Stream
  T1218.011_rundll32-spawning-explorer.txt  [T1218.011]  RunDLL32 Spawning Explorer
  T1070.003_runmru-registry-key-deletion.txt  [T1070.003]  RunMRU Registry Key Deletion
  T1070.003_runmru-registry-key-deletion-registry.txt  [T1070.003]  RunMRU Registry Key Deletion - Registry
  T1202_rundll32-execution-without-commandline-parameters.txt  [T1202]  Rundll32 Execution Without CommandLine Parameters
  T1021.002_rundll32-execution-without-parameters.txt  [T1021.002,T1569.002,T1570]  Rundll32 Execution Without Parameters
  T1546.015_rundll32-registered-com-objects.txt  [T1546.015]  Rundll32 Registered COM Objects
  T1021.002_rundll32-unc-path-execution.txt  [T1021.002,T1218.011]  Rundll32 UNC Path Execution
  T1133_running-chrome-vpn-extensions-via-the-registry-2-vpn-extensi.txt  [T1133]  Running Chrome VPN Extensions via the Registry 2 VPN Extension
  T1012_sam-registry-hive-handle-request.txt  [T1012,T1552.002]  SAM Registry Hive Handle Request
  T1606_saml-token-issuer-anomaly.txt  [T1606]  SAML Token Issuer Anomaly
  T1021.002_smb-create-remote-file-admin-share.txt  [T1021.002]  SMB Create Remote File Admin Share
  snake-malware-covert-store-registry-key.txt  []  SNAKE Malware Covert Store Registry Key
  snake-malware-werfault-persistence-file-creation.txt  []  SNAKE Malware WerFault Persistence File Creation
  T1546_sourgum-actor-behaviours.txt  [T1546,T1546.015]  SOURGUM Actor Behaviours
  T1190_sql-injection-strings-in-uri.txt  [T1190]  SQL Injection Strings In URI
  T1005_sqlite-chromium-profile-data-db-access.txt  [T1005,T1539,T1555.003]  SQLite Chromium Profile Data DB Access
  T1005_sqlite-firefox-profile-data-db-access.txt  [T1005,T1539]  SQLite Firefox Profile Data DB Access
  T1685_safeboot-registry-key-deleted-via-reg-exe.txt  [T1685]  SafeBoot Registry Key Deleted Via Reg.EXE
  T1210_scanner-poc-for-cve-2019-0708-rdp-rce-vuln.txt  [T1210]  Scanner PoC for CVE-2019-0708 RDP RCE Vuln
  T1036.004_scheduled-task-creation-masquerading-as-system-processes.txt  [T1036.004,T1036.005,T1053.005]  Scheduled Task Creation Masquerading as System Processes
  T1053.005_scheduled-task-executing-encoded-payload-from-registry.txt  [T1053.005,T1059.001]  Scheduled Task Executing Encoded Payload from Registry
  scheduled-tasks-names-used-by-svr-for-graphicalproton-backdo.txt  []  Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
  scheduled-tasks-names-used-by-svr-for-graphicalproton-backdo_2.txt  []  Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
  T1053.005_schtasks-creation-or-modification-with-system-privileges.txt  [T1053.005]  Schtasks Creation Or Modification With SYSTEM Privileges
  T1053.005_schtasks-from-suspicious-folders.txt  [T1053.005]  Schtasks From Suspicious Folders
  screenconnect-slashandgrab-exploitation-indicators.txt  []  ScreenConnect - SlashAndGrab Exploitation Indicators
  T1047_script-event-consumer-spawning-process.txt  [T1047]  Script Event Consumer Spawning Process
  T1059_script-interpreter-execution-from-suspicious-folder.txt  [T1059]  Script Interpreter Execution From Suspicious Folder
  T1005_script-interpreter-spawning-credential-scanner-linux.txt  [T1005,T1059.004,T1552]  Script Interpreter Spawning Credential Scanner - Linux
  T1005_script-interpreter-spawning-credential-scanner-windows.txt  [T1005,T1059.007,T1552]  Script Interpreter Spawning Credential Scanner - Windows
  T1036_sdiagnhost-calling-suspicious-child-process.txt  [T1036,T1218]  Sdiagnhost Calling Suspicious Child Process
  T1112_security-event-logging-disabled-via-minint-registry-key-proc.txt  [T1112,T1685.001]  Security Event Logging Disabled via MiniNt Registry Key - Process
  T1112_security-event-logging-disabled-via-minint-registry-key-regi.txt  [T1112,T1685.001]  Security Event Logging Disabled via MiniNt Registry Key - Registry Set
  T1685.005_security-eventlog-cleared.txt  [T1685.005]  Security Eventlog Cleared
  T1033_security-privileges-enumeration-via-whoami-exe.txt  [T1033]  Security Privileges Enumeration Via Whoami.EXE
  T1685_security-service-disabled-via-reg-exe.txt  [T1685]  Security Service Disabled Via Reg.EXE
  T1218_self-extracting-package-creation-via-iexpress-exe-from-poten.txt  [T1218]  Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
  T1490_sensitive-file-access-via-volume-shadow-copy-backup.txt  [T1490]  Sensitive File Access Via Volume Shadow Copy Backup
  T1003.002_sensitive-file-dump-via-print-exe.txt  [T1003.002,T1003.003,T1218]  Sensitive File Dump Via Print.EXE
  T1003.003_sensitive-file-dump-via-wbadmin-exe.txt  [T1003.003]  Sensitive File Dump Via Wbadmin.EXE
  T1003.003_sensitive-file-recovery-from-backup-via-wbadmin-exe.txt  [T1003.003]  Sensitive File Recovery From Backup Via Wbadmin.EXE
  T1053.005_serpent-backdoor-payload-execution-via-scheduled-task.txt  [T1053.005,T1059.006]  Serpent Backdoor Payload Execution Via Scheduled Task
  T1221_server-side-template-injection-strings.txt  [T1221]  Server Side Template Injection Strings
  T1112_service-binary-in-suspicious-folder.txt  [T1112]  Service Binary in Suspicious Folder
  T1574.011_service-dacl-abuse-to-hide-services-via-sc-exe.txt  [T1574.011]  Service DACL Abuse To Hide Services Via Sc.EXE
  T1543.003_service-installation-with-suspicious-folder-pattern.txt  [T1543.003]  Service Installation with Suspicious Folder Pattern
  T1543_service-installed-by-unusual-client-security.txt  [T1543]  Service Installed By Unusual Client - Security
  T1543_service-installed-by-unusual-client-system.txt  [T1543]  Service Installed By Unusual Client - System
  T1685_service-registry-key-deleted-via-reg-exe.txt  [T1685]  Service Registry Key Deleted Via Reg.EXE
  T1564.001_set-suspicious-files-as-system-files-using-attrib-exe.txt  [T1564.001]  Set Suspicious Files as System Files Using Attrib.EXE
  T1070_shadow-copies-deletion-using-operating-systems-utilities.txt  [T1070,T1490]  Shadow Copies Deletion Using Operating Systems Utilities
  T1195.002_shai-hulud-2-0-malicious-npm-package-installation.txt  [T1195.002]  Shai-Hulud 2.0 Malicious NPM Package Installation
  T1195.002_shai-hulud-2-0-malicious-npm-package-installation-linux.txt  [T1195.002]  Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
  T1195.002_shai-hulud-malicious-bun-execution.txt  [T1195.002,T1203]  Shai-Hulud Malicious Bun Execution
  T1195.002_shai-hulud-malicious-bun-execution-linux.txt  [T1195.002,T1203]  Shai-Hulud Malicious Bun Execution - Linux
  T1119_shai-hulud-malicious-github-workflow-creation.txt  [T1119,T1552.001]  Shai-Hulud Malicious GitHub Workflow Creation
  T1059_shai-hulud-malware-indicators-linux.txt  [T1059]  Shai-Hulud Malware Indicators - Linux
  T1059_shai-hulud-malware-indicators-windows.txt  [T1059]  Shai-Hulud Malware Indicators - Windows
  T1005_shai-hulud-npm-package-malicious-exfiltration-via-curl.txt  [T1005,T1041]  Shai-Hulud NPM Package Malicious Exfiltration via Curl
  T1087_sharphound-recon-account-discovery.txt  [T1087]  SharpHound Recon Account Discovery
  T1033_sharphound-recon-sessions.txt  [T1033]  SharpHound Recon Sessions
  T1083_shell-execution-gcc-linux.txt  [T1083]  Shell Execution GCC  - Linux
  shell-execution-of-process-located-in-tmp-directory.txt  []  Shell Execution Of Process Located In Tmp Directory
  T1083_shell-execution-via-find-linux.txt  [T1083]  Shell Execution via Find - Linux
  T1083_shell-execution-via-flock-linux.txt  [T1083]  Shell Execution via Flock - Linux
  T1059_shell-execution-via-git-linux.txt  [T1059]  Shell Execution via Git - Linux
  T1083_shell-execution-via-nice-linux.txt  [T1083]  Shell Execution via Nice - Linux
  T1059_shell-execution-via-rsync-linux.txt  [T1059]  Shell Execution via Rsync - Linux
  T1059_shell-invocation-via-ssh-linux.txt  [T1059]  Shell Invocation Via Ssh - Linux
  T1059.004_shell-invocation-via-env-command-linux.txt  [T1059.004]  Shell Invocation via Env Command - Linux
  T1546.001_shell-open-registry-keys-manipulation.txt  [T1546.001,T1548.002]  Shell Open Registry Keys Manipulation
  T1218.011_shell32-dll-execution-in-suspicious-directory.txt  [T1218.011]  Shell32 DLL Execution in Suspicious Directory
  T1505.003_shellshock-expression.txt  [T1505.003]  Shellshock Expression
  T1112_shimcache-flush.txt  [T1112]  ShimCache Flush
  T1090_sign-in-from-malware-infected-ip.txt  [T1090]  Sign-In From Malware Infected IP
  T1078.004_sign-in-failure-due-to-conditional-access-requirements-not-m.txt  [T1078.004,T1110]  Sign-in Failure Due to Conditional Access Requirements Not Met
  T1078.004_sign-ins-from-non-compliant-devices.txt  [T1078.004]  Sign-ins from Non-Compliant Devices
  T1127.001_silenttrinity-stager-msbuild-activity.txt  [T1127.001]  Silenttrinity Stager Msbuild Activity
  T1190_sitecore-pre-auth-rce-cve-2021-42237.txt  [T1190]  Sitecore Pre-Auth RCE CVE-2021-42237
  T1543.003_sliver-c2-default-service-installation.txt  [T1543.003,T1569.002]  Sliver C2 Default Service Installation
  T1574.001_small-sieve-malware-commandline-indicator.txt  [T1574.001]  Small Sieve Malware CommandLine Indicator
  T1036.005_small-sieve-malware-file-indicator-creation.txt  [T1036.005]  Small Sieve Malware File Indicator Creation
  small-sieve-malware-registry-persistence.txt  []  Small Sieve Malware Registry Persistence
  T1059.003_sofacy-trojan-loader-activity.txt  [T1059.003,T1218.011]  Sofacy Trojan Loader Activity
  T1190_sonicwall-ssl-vpn-jarrewrite-exploitation.txt  [T1190]  SonicWall SSL/VPN Jarrewrite Exploitation
  T1078_stale-accounts-in-a-privileged-role.txt  [T1078]  Stale Accounts In A Privileged Role
  T1543.003_stonedrill-service-install.txt  [T1543.003]  StoneDrill Service Install
  T1550.002_successful-overpass-the-hash-attempt.txt  [T1550.002]  Successful Overpass the Hash Attempt
  T1068_sudo-privilege-escalation-cve-2019-14287.txt  [T1068,T1548.003]  Sudo Privilege Escalation CVE-2019-14287
  T1505.003_suspicious-aspx-file-drop-by-exchange.txt  [T1505.003]  Suspicious ASPX File Drop by Exchange
  T1069.002_suspicious-active-directory-database-snapshot-via-adexplorer.txt  [T1069.002,T1087.002,T1482]  Suspicious Active Directory Database Snapshot Via ADExplorer
  T1059.004_suspicious-activity-in-shell-commands.txt  [T1059.004]  Suspicious Activity in Shell Commands
  T1218_suspicious-addinutil-exe-commandline-execution.txt  [T1218]  Suspicious AddinUtil.EXE CommandLine Execution
  suspicious-advpack-call-via-rundll32-exe.txt  []  Suspicious Advpack Call Via Rundll32.EXE
  T1218_suspicious-agentexecutor-powershell-execution.txt  [T1218]  Suspicious AgentExecutor PowerShell Execution
  T1685_suspicious-application-allowed-through-exploit-guard.txt  [T1685]  Suspicious Application Allowed Through Exploit Guard
  T1059_suspicious-arcsoc-exe-child-process.txt  [T1059,T1203]  Suspicious ArcSOC.exe Child Process
  T1047_suspicious-autorun-registry-modified-via-wmi.txt  [T1047,T1547.001]  Suspicious Autorun Registry Modified via WMI
  T1204_suspicious-binaries-and-scripts-in-public-folder.txt  [T1204]  Suspicious Binaries and Scripts in Public Folder
  T1204.002_suspicious-binary-in-user-directory-spawned-from-office-appl.txt  [T1204.002]  Suspicious Binary In User Directory Spawned From Office Application
  T1219.002_suspicious-binary-writes-via-anydesk.txt  [T1219.002]  Suspicious Binary Writes Via AnyDesk
  T1021.003_suspicious-bitlocker-access-agent-update-utility-execution.txt  [T1021.003,T1218]  Suspicious BitLocker Access Agent Update Utility Execution
  T1078_suspicious-browser-activity.txt  [T1078]  Suspicious Browser Activity
  T1036_suspicious-calculator-usage.txt  [T1036]  Suspicious Calculator Usage
  T1123_suspicious-camera-and-microphone-access.txt  [T1123,T1125]  Suspicious Camera and Microphone Access
  T1105_suspicious-certreq-command-to-download.txt  [T1105]  Suspicious CertReq Command to Download
  T1134.002_suspicious-child-process-created-as-system.txt  [T1134.002]  Suspicious Child Process Created as System
  T1059.005_suspicious-child-process-of-bginfo-exe.txt  [T1059.005,T1202,T1218]  Suspicious Child Process Of BgInfo.EXE
  T1102_suspicious-child-process-of-manage-engine-servicedesk.txt  [T1102]  Suspicious Child Process Of Manage Engine ServiceDesk
  T1190_suspicious-child-process-of-sql-server.txt  [T1190,T1505.003]  Suspicious Child Process Of SQL Server
  T1036_suspicious-child-process-of-wermgr-exe.txt  [T1036,T1055]  Suspicious Child Process Of Wermgr.EXE
  T1127_suspicious-child-process-of-aspnetcompiler.txt  [T1127]  Suspicious Child Process of AspNetCompiler
  T1195.002_suspicious-child-process-of-notepad-updater-gup-exe.txt  [T1195.002,T1557]  Suspicious Child Process of Notepad++ Updater - GUP.Exe
  T1190_suspicious-child-process-of-solarwinds-webhelpdesk.txt  [T1190]  Suspicious Child Process of SolarWinds WebHelpDesk
  T1176.001_suspicious-chromium-browser-instance-executed-with-custom-ex.txt  [T1176.001]  Suspicious Chromium Browser Instance Executed With Custom Extension
  T1204.001_suspicious-clickfix-filefix-execution-pattern.txt  [T1204.001,T1204.004]  Suspicious ClickFix/FileFix Execution Pattern
  T1053.005_suspicious-command-patterns-in-scheduled-task-creation.txt  [T1053.005]  Suspicious Command Patterns In Scheduled Task Creation
  T1036_suspicious-computer-account-name-change-cve-2021-42287.txt  [T1036,T1098]  Suspicious Computer Account Name Change CVE-2021-42287
  T1218.011_suspicious-control-panel-dll-load.txt  [T1218.011]  Suspicious Control Panel DLL Load
  T1564_suspicious-creation-with-colorcpl.txt  [T1564]  Suspicious Creation with Colorcpl
  T1105_suspicious-curl-exe-download.txt  [T1105]  Suspicious Curl.EXE Download
  T1216_suspicious-customshellhost-execution.txt  [T1216]  Suspicious CustomShellHost Execution
  T1218_suspicious-dll-loaded-via-certoc-exe.txt  [T1218]  Suspicious DLL Loaded via CertOC.EXE
  T1187_suspicious-dns-query-indicating-kerberos-coercion-via-dns-ob.txt  [T1187,T1557.001]  Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
  T1187_suspicious-dns-query-indicating-kerberos-coercion-via-dns-ob_2.txt  [T1187,T1557.001]  Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
  T1546.008_suspicious-debugger-registration-cmdline.txt  [T1546.008]  Suspicious Debugger Registration Cmdline
  T1105_suspicious-desktopimgdownldr-command.txt  [T1105]  Suspicious Desktopimgdownldr Command
  T1105_suspicious-desktopimgdownldr-target-file.txt  [T1105]  Suspicious Desktopimgdownldr Target File
  T1218_suspicious-dotnet-clr-usage-log-artifact.txt  [T1218]  Suspicious DotNET CLR Usage Log Artifact
  T1566.001_suspicious-double-extension-file-execution.txt  [T1566.001]  Suspicious Double Extension File Execution
  T1036.007_suspicious-double-extension-files.txt  [T1036.007]  Suspicious Double Extension Files
  T1036.003_suspicious-download-from-direct-ip-via-bitsadmin.txt  [T1036.003,T1197]  Suspicious Download From Direct IP Via Bitsadmin
  T1036.003_suspicious-download-from-file-sharing-website-via-bitsadmin.txt  [T1036.003,T1105,T1197]  Suspicious Download From File-Sharing Website Via Bitsadmin
  T1059.004_suspicious-download-and-execute-pattern-via-curl-wget.txt  [T1059.004,T1203]  Suspicious Download and Execute Pattern via Curl/Wget
  T1105_suspicious-download-from-office-domain.txt  [T1105,T1608]  Suspicious Download from Office Domain
  T1218.008_suspicious-driver-dll-installation-via-odbcconf-exe.txt  [T1218.008]  Suspicious Driver/DLL Installation Via Odbcconf.EXE
  T1105_suspicious-dropbox-api-usage.txt  [T1105,T1567.002]  Suspicious Dropbox API Usage
  T1003.001_suspicious-dumpminitool-execution.txt  [T1003.001,T1036]  Suspicious DumpMinitool Execution
  T1027_suspicious-encoded-and-obfuscated-reflection-assembly-load-f.txt  [T1027,T1059.001]  Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
  T1059.001_suspicious-encoded-powershell-command-line.txt  [T1059.001]  Suspicious Encoded PowerShell Command Line
  T1047_suspicious-encoded-scripts-in-a-wmi-consumer.txt  [T1047,T1546.003]  Suspicious Encoded Scripts in a WMI Consumer
  suspicious-environment-variable-has-been-registered.txt  []  Suspicious Environment Variable Has Been Registered
  T1685.001_suspicious-eventlog-clearing-or-configuration-change-activit.txt  [T1685.001,T1685.005]  Suspicious Eventlog Clearing or Configuration Change Activity
  T1564_suspicious-executable-file-creation.txt  [T1564]  Suspicious Executable File Creation
  T1566.001_suspicious-execution-from-outlook-temporary-folder.txt  [T1566.001]  Suspicious Execution From Outlook Temporary Folder
  suspicious-execution-location-of-wermgr-exe.txt  []  Suspicious Execution Location Of Wermgr.EXE
  T1588.002_suspicious-execution-of-renamed-sysinternals-tools-registry.txt  [T1588.002]  Suspicious Execution Of Renamed Sysinternals Tools - Registry
  T1027.010_suspicious-explorer-process-with-whitespace-padding-clickfix.txt  [T1027.010,T1204.004]  Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
  T1566_suspicious-external-webdav-execution.txt  [T1566,T1584]  Suspicious External WebDAV Execution
  suspicious-file-created-via-onenote-application.txt  []  Suspicious File Created Via OneNote Application
  T1105_suspicious-file-created-by-arcsoc-exe.txt  [T1105,T1127,T1133]  Suspicious File Created by ArcSOC.exe
  T1566.001_suspicious-file-created-in-outlook-temporary-directory.txt  [T1566.001]  Suspicious File Created in Outlook Temporary Directory
  suspicious-file-creation-activity-from-fake-recycle-bin-fold.txt  []  Suspicious File Creation Activity From Fake Recycle.Bin Folder
  suspicious-file-creation-in-uncommon-appdata-folder.txt  []  Suspicious File Creation In Uncommon AppData Folder
  suspicious-file-download-from-file-sharing-domain-via-curl-e.txt  []  Suspicious File Download From File Sharing Domain Via Curl.EXE
  suspicious-file-download-from-file-sharing-domain-via-wget-e.txt  []  Suspicious File Download From File Sharing Domain Via Wget.EXE
  T1564.004_suspicious-file-download-from-file-sharing-websites-file-str.txt  [T1564.004]  Suspicious File Download From File Sharing Websites - File Stream
  suspicious-file-download-from-ip-via-curl-exe.txt  []  Suspicious File Download From IP Via Curl.EXE
  suspicious-file-download-from-ip-via-wget-exe.txt  []  Suspicious File Download From IP Via Wget.EXE
  suspicious-file-download-from-ip-via-wget-exe-paths.txt  []  Suspicious File Download From IP Via Wget.EXE - Paths
  T1027_suspicious-file-downloaded-from-direct-ip-via-certutil-exe.txt  [T1027,T1105]  Suspicious File Downloaded From Direct IP Via Certutil.EXE
  T1027_suspicious-file-downloaded-from-file-sharing-website-via-cer.txt  [T1027,T1105]  Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
  T1027_suspicious-file-encoded-to-base64-via-certutil-exe.txt  [T1027]  Suspicious File Encoded To Base64 Via Certutil.EXE
  T1059.001_suspicious-file-execution-from-internet-hosted-webdav-share.txt  [T1059.001]  Suspicious File Execution From Internet Hosted WebDav Share
  T1190_suspicious-file-write-to-sharepoint-layouts-directory.txt  [T1190,T1505.003]  Suspicious File Write to SharePoint Layouts Directory
  T1204.004_suspicious-filefix-execution-pattern.txt  [T1204.004]  Suspicious FileFix Execution Pattern
  T1027_suspicious-filename-with-embedded-base64-commands.txt  [T1027,T1059.004]  Suspicious Filename with Embedded Base64 Commands
  T1574.001_suspicious-gup-usage.txt  [T1574.001]  Suspicious GUP Usage
  T1003.003_suspicious-get-addbaccount-usage.txt  [T1003.003]  Suspicious Get-ADDBAccount Usage
  T1027_suspicious-get-variable-exe-creation.txt  [T1027,T1546]  Suspicious Get-Variable.exe Creation
  T1059_suspicious-greedy-compression-using-rar-exe.txt  [T1059]  Suspicious Greedy Compression Using Rar.EXE
  T1547_suspicious-grpconv-execution.txt  [T1547]  Suspicious GrpConv Execution
  T1047_suspicious-hh-exe-execution.txt  [T1047,T1059.001,T1059.003,T1059.005,T1059.007,T1218,T1218.001,T1218.010,T1218.011,T1566,T1566.001]  Suspicious HH.EXE Execution
  T1059.003_suspicious-hwp-sub-processes.txt  [T1059.003,T1203,T1566.001]  Suspicious HWP Sub Processes
  T1505.004_suspicious-iis-module-registration.txt  [T1505.004]  Suspicious IIS Module Registration
  T1114.003_suspicious-inbox-forwarding-identity-protection.txt  [T1114.003]  Suspicious Inbox Forwarding Identity Protection
  T1140_suspicious-inbox-manipulation-rules.txt  [T1140]  Suspicious Inbox Manipulation Rules
  T1059.001_suspicious-interactive-powershell-as-system.txt  [T1059.001]  Suspicious Interactive PowerShell as SYSTEM
  T1059_suspicious-invocation-of-shell-via-awk-linux.txt  [T1059]  Suspicious Invocation of Shell via AWK - Linux
  T1059_suspicious-invocation-of-shell-via-rsync.txt  [T1059,T1203]  Suspicious Invocation of Shell via Rsync
  T1105_suspicious-invoke-webrequest-execution.txt  [T1105]  Suspicious Invoke-WebRequest Execution
  T1059_suspicious-java-children-processes.txt  [T1059]  Suspicious Java Children Processes
  T1218.005_suspicious-javascript-execution-via-mshta-exe.txt  [T1218.005]  Suspicious JavaScript Execution Via Mshta.EXE
  T1558.003_suspicious-kerberos-ticket-request-via-cli.txt  [T1558.003]  Suspicious Kerberos Ticket Request via CLI
  T1558.003_suspicious-kerberos-ticket-request-via-powershell-script-scr.txt  [T1558.003]  Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
  T1082_suspicious-kernel-dump-using-dtrace.txt  [T1082]  Suspicious Kernel Dump Using Dtrace
  T1555.004_suspicious-key-manager-access.txt  [T1555.004]  Suspicious Key Manager Access
  T1001.003_suspicious-ldap-attributes-used.txt  [T1001.003]  Suspicious LDAP-Attributes Used
  T1204.002_suspicious-lnk-command-line-padding-with-whitespace-characte.txt  [T1204.002]  Suspicious LNK Command-Line Padding with Whitespace Characters
  T1003.001_suspicious-lsass-access-via-malseclogon.txt  [T1003.001]  Suspicious LSASS Access Via MalSecLogon
  T1003_suspicious-loading-of-dbgcore-dbghelp-dlls-from-uncommon-loc.txt  [T1003,T1685]  Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
  T1036_suspicious-msdt-parent-process.txt  [T1036,T1218]  Suspicious MSDT Parent Process
  T1190_suspicious-msexchangemailboxreplication-aspx-write.txt  [T1190,T1505.003]  Suspicious MSExchangeMailboxReplication ASPX Write
  T1218.005_suspicious-mshta-child-process.txt  [T1218.005]  Suspicious MSHTA Child Process
  T1560.001_suspicious-manipulation-of-default-accounts-via-net-exe.txt  [T1560.001]  Suspicious Manipulation Of Default Accounts Via Net.EXE
  T1047_suspicious-microsoft-office-child-process.txt  [T1047,T1204.002,T1218.010]  Suspicious Microsoft Office Child Process
  T1059.002_suspicious-microsoft-office-child-process-macos.txt  [T1059.002,T1137.002,T1204.002]  Suspicious Microsoft Office Child Process - MacOS
  T1566_suspicious-microsoft-onenote-child-process.txt  [T1566,T1566.001]  Suspicious Microsoft OneNote Child Process
  T1053.005_suspicious-modification-of-scheduled-tasks.txt  [T1053.005]  Suspicious Modification Of Scheduled Tasks
  T1106_suspicious-mshta-exe-execution-patterns.txt  [T1106]  Suspicious Mshta.EXE Execution Patterns
  T1219.002_suspicious-mstsc-exe-execution-with-local-rdp-file.txt  [T1219.002]  Suspicious Mstsc.EXE Execution With Local RDP File
  T1212_suspicious-ntlm-authentication-on-the-printer-spooler-servic.txt  [T1212]  Suspicious NTLM Authentication on the Printer Spooler Service
  T1190_suspicious-named-error.txt  [T1190]  Suspicious Named Error
  T1543.003_suspicious-new-service-creation.txt  [T1543.003]  Suspicious New Service Creation
  suspicious-nohup-execution.txt  []  Suspicious Nohup Execution
  suspicious-obfuscated-powershell-code.txt  []  Suspicious Obfuscated PowerShell Code
  T1204.002_suspicious-outlook-child-process.txt  [T1204.002]  Suspicious Outlook Child Process
  T1008_suspicious-outlook-macro-created.txt  [T1008,T1137,T1546]  Suspicious Outlook Macro Created
  T1036.007_suspicious-parent-double-extension-file-execution.txt  [T1036.007]  Suspicious Parent Double Extension File Execution
  T1685_suspicious-path-in-keyboard-layout-ime-file-registry-value.txt  [T1685]  Suspicious Path In Keyboard Layout IME File Registry Value
  T1059_suspicious-persistence-via-vmwaretoolboxcmd-exe-vm-state-cha.txt  [T1059]  Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  T1070.004_suspicious-ping-del-command-combination.txt  [T1070.004]  Suspicious Ping/Del Command Combination
  T1021.001_suspicious-plink-port-forwarding.txt  [T1021.001,T1572]  Suspicious Plink Port Forwarding
  T1059.001_suspicious-powershell-download-and-execute-pattern.txt  [T1059.001]  Suspicious PowerShell Download and Execute Pattern
  T1059.001_suspicious-powershell-encoded-command-patterns.txt  [T1059.001]  Suspicious PowerShell Encoded Command Patterns
  T1059.001_suspicious-powershell-iex-execution-patterns.txt  [T1059.001]  Suspicious PowerShell IEX Execution Patterns
  T1059.001_suspicious-powershell-invocations-generic.txt  [T1059.001]  Suspicious PowerShell Invocations - Generic
  T1059.001_suspicious-powershell-invocations-generic-powershell-module.txt  [T1059.001]  Suspicious PowerShell Invocations - Generic - PowerShell Module
  T1059.001_suspicious-powershell-invocations-specific.txt  [T1059.001]  Suspicious PowerShell Invocations - Specific
  T1059.001_suspicious-powershell-invocations-specific-powershell-module.txt  [T1059.001]  Suspicious PowerShell Invocations - Specific - PowerShell Module
  T1059.001_suspicious-powershell-parameter-substring.txt  [T1059.001]  Suspicious PowerShell Parameter Substring
  T1059.001_suspicious-powershell-parent-process.txt  [T1059.001]  Suspicious PowerShell Parent Process
  T1574_suspicious-printer-driver-empty-manufacturer.txt  [T1574]  Suspicious Printer Driver Empty Manufacturer
  T1059.001_suspicious-printerports-creation-cve-2020-1048.txt  [T1059.001]  Suspicious PrinterPorts Creation (CVE-2020-1048)
  T1685_suspicious-process-access-of-msmpeng-by-werfaultsecure-edr-f.txt  [T1685]  Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
  T1003.001_suspicious-process-access-to-lsass-with-dbgcore-dbghelp-dlls.txt  [T1003.001,T1685]  Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
  T1190_suspicious-process-by-web-server-process.txt  [T1190,T1505.003]  Suspicious Process By Web Server Process
  T1047_suspicious-process-created-via-wmic-exe.txt  [T1047]  Suspicious Process Created Via Wmic.EXE
  suspicious-process-execution-from-fake-recycle-bin-folder.txt  []  Suspicious Process Execution From Fake Recycle.Bin Folder
  T1036.005_suspicious-process-masquerading-as-svchost-exe.txt  [T1036.005]  Suspicious Process Masquerading As SvcHost.EXE
  T1003.003_suspicious-process-patterns-ntds-dit-exfil.txt  [T1003.003]  Suspicious Process Patterns NTDS.DIT Exfil
  T1059.003_suspicious-process-spawned-by-centrestack-portal-apppool.txt  [T1059.003,T1505.003]  Suspicious Process Spawned by CentreStack Portal AppPool
  suspicious-processes-spawned-by-java-exe.txt  []  Suspicious Processes Spawned by Java.EXE
  T1190_suspicious-processes-spawned-by-winrm.txt  [T1190]  Suspicious Processes Spawned by WinRM
  T1686.003_suspicious-program-location-whitelisted-in-firewall-via-nets.txt  [T1686.003]  Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
  T1059_suspicious-program-names.txt  [T1059]  Suspicious Program Names
  T1218_suspicious-provlaunch-exe-child-process.txt  [T1218]  Suspicious Provlaunch.EXE Child Process
  T1021.002_suspicious-psexec-execution.txt  [T1021.002]  Suspicious PsExec Execution
  T1021.002_suspicious-psexec-execution-zeek.txt  [T1021.002]  Suspicious PsExec Execution - Zeek
  T1021.001_suspicious-rdp-redirect-using-tscon.txt  [T1021.001,T1563.002]  Suspicious RDP Redirect Using TSCON
  T1553_suspicious-razerinstaller-explorer-subprocess.txt  [T1553]  Suspicious RazerInstaller Explorer Subprocess
  T1059.005_suspicious-reconnaissance-activity-via-gathernetworkinfo-vbs.txt  [T1059.005,T1615]  Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
  T1048_suspicious-redirection-to-local-admin-share.txt  [T1048]  Suspicious Redirection to Local Admin Share
  T1486_suspicious-reg-add-bitlocker.txt  [T1486]  Suspicious Reg Add BitLocker
  T1112_suspicious-registry-modification-from-ads-via-regini-exe.txt  [T1112]  Suspicious Registry Modification From ADS Via Regini.EXE
  T1218.010_suspicious-regsvr32-execution-from-remote-share.txt  [T1218.010]  Suspicious Regsvr32 Execution From Remote Share
  T1059_suspicious-remote-child-process-from-outlook.txt  [T1059,T1202]  Suspicious Remote Child Process From Outlook
  T1003.001_suspicious-renamed-comsvcs-dll-loaded-by-rundll32.txt  [T1003.001]  Suspicious Renamed Comsvcs DLL Loaded By Rundll32
  T1218.008_suspicious-response-file-execution-via-odbcconf-exe.txt  [T1218.008]  Suspicious Response File Execution Via Odbcconf.EXE
  T1059.004_suspicious-reverse-shell-command-line.txt  [T1059.004]  Suspicious Reverse Shell Command Line
  T1547.001_suspicious-run-key-from-download.txt  [T1547.001]  Suspicious Run Key from Download
  T1218.011_suspicious-rundll32-activity-invoking-sys-file.txt  [T1218.011]  Suspicious Rundll32 Activity Invoking Sys File
  T1218.011_suspicious-rundll32-execution-with-image-extension.txt  [T1218.011]  Suspicious Rundll32 Execution With Image Extension
  T1055_suspicious-rundll32-invoking-inline-vbscript.txt  [T1055]  Suspicious Rundll32 Invoking Inline VBScript
  T1190_suspicious-sql-error-messages.txt  [T1190]  Suspicious SQL Error Messages
  T1003_suspicious-system-user-process-creation.txt  [T1003,T1027,T1134]  Suspicious SYSTEM User Process Creation
  T1053.005_suspicious-scheduled-task-creation.txt  [T1053.005]  Suspicious Scheduled Task Creation
  T1053.005_suspicious-scheduled-task-creation-involving-temp-folder.txt  [T1053.005]  Suspicious Scheduled Task Creation Involving Temp Folder
  T1053.005_suspicious-scheduled-task-update.txt  [T1053.005]  Suspicious Scheduled Task Update
  T1053_suspicious-scheduled-task-write-to-system32-tasks.txt  [T1053]  Suspicious Scheduled Task Write to System32 Tasks
  T1053.005_suspicious-schtasks-execution-appdata-folder.txt  [T1053.005,T1059.001]  Suspicious Schtasks Execution AppData Folder
  T1053.005_suspicious-schtasks-schedule-types.txt  [T1053.005]  Suspicious Schtasks Schedule Types
  T1059.005_suspicious-scripting-in-a-wmi-consumer.txt  [T1059.005]  Suspicious Scripting in a WMI Consumer
  T1555_suspicious-serv-u-process-pattern.txt  [T1555]  Suspicious Serv-U Process Pattern
  T1202_suspicious-service-binary-directory.txt  [T1202]  Suspicious Service Binary Directory
  T1543.003_suspicious-service-dacl-modification-via-set-service-cmdlet.txt  [T1543.003]  Suspicious Service DACL Modification Via Set-Service Cmdlet
  T1574.011_suspicious-service-dacl-modification-via-set-service-cmdlet.txt  [T1574.011]  Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
  T1543.003_suspicious-service-installation.txt  [T1543.003]  Suspicious Service Installation
  T1543.003_suspicious-service-installation-script.txt  [T1543.003]  Suspicious Service Installation Script
  T1543.003_suspicious-service-path-modification.txt  [T1543.003]  Suspicious Service Path Modification
  T1218.011_suspicious-shellexec-rundll-call-via-ordinal.txt  [T1218.011]  Suspicious ShellExec_RunDLL Call Via Ordinal
  suspicious-shells-spawn-by-java-utility-keytool.txt  []  Suspicious Shells Spawn by Java Utility Keytool
  T1546.011_suspicious-shim-database-patching-activity.txt  [T1546.011]  Suspicious Shim Database Patching Activity
  T1027.010_suspicious-space-characters-in-runmru-registry-path-clickfix.txt  [T1027.010,T1204.004]  Suspicious Space Characters in RunMRU Registry Path - ClickFix
  T1027.010_suspicious-space-characters-in-typedpaths-registry-path-file.txt  [T1027.010,T1204.004]  Suspicious Space Characters in TypedPaths Registry Path - FileFix
  T1021.003_suspicious-speech-runtime-binary-child-process.txt  [T1021.003,T1218]  Suspicious Speech Runtime Binary Child Process
  T1202_suspicious-splwow64-without-params.txt  [T1202]  Suspicious Splwow64 Without Params
  T1068_suspicious-spool-service-child-process.txt  [T1068,T1203]  Suspicious Spool Service Child Process
  T1204.002_suspicious-startup-folder-persistence.txt  [T1204.002,T1547.001]  Suspicious Startup Folder Persistence
  T1685.001_suspicious-svchost-process-access.txt  [T1685.001]  Suspicious Svchost Process Access
  T1219.002_suspicious-tscon-start-as-system.txt  [T1219.002]  Suspicious TSCON Start as SYSTEM
  T1528_suspicious-teams-application-related-objectacess-event.txt  [T1528]  Suspicious Teams Application Related ObjectAccess Event
  T1021.005_suspicious-ultravnc-execution.txt  [T1021.005]  Suspicious UltraVNC Execution
  T1685_suspicious-uninstall-of-windows-defender-feature-via-powersh.txt  [T1685]  Suspicious Uninstall of Windows Defender Feature via PowerShell
  T1003.001_suspicious-unsigned-dbghelp-dbgcore-dll-loaded.txt  [T1003.001]  Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
  T1574.001_suspicious-unsigned-thor-scanner-execution.txt  [T1574.001]  Suspicious Unsigned Thor Scanner Execution
  suspicious-usage-of-shellexec-rundll.txt  []  Suspicious Usage Of ShellExec_RunDLL
  T1127_suspicious-use-of-csharp-interactive-console.txt  [T1127]  Suspicious Use of CSharp Interactive Console
  T1071.001_suspicious-user-agent.txt  [T1071.001]  Suspicious User Agent
  T1547.001_suspicious-vbscript-un2452-pattern.txt  [T1547.001]  Suspicious VBScript UNC2452 Pattern
  T1219_suspicious-velociraptor-child-process.txt  [T1219]  Suspicious Velociraptor Child Process
  T1047_suspicious-wmic-execution-via-office-process.txt  [T1047,T1204.002,T1218.010]  Suspicious WMIC Execution Via Office Process
  T1048.003_suspicious-webdav-client-execution-via-rundll32-exe.txt  [T1048.003]  Suspicious WebDav Client Execution Via Rundll32.EXE
  T1136.001_suspicious-windows-anonymous-logon-local-account-created.txt  [T1136.001,T1136.002]  Suspicious Windows ANONYMOUS LOGON Local Account Created
  T1685_suspicious-windows-defender-registry-key-tampering-via-reg-e.txt  [T1685]  Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
  T1489_suspicious-windows-service-tampering.txt  [T1489,T1685]  Suspicious Windows Service Tampering
  T1505.003_suspicious-windows-strings-in-uri.txt  [T1505.003]  Suspicious Windows Strings In URI
  T1685_suspicious-windows-trace-etw-session-tamper-via-logman-exe.txt  [T1685,T1685.005]  Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
  T1036_suspicious-windows-update-agent-empty-cmdline.txt  [T1036]  Suspicious Windows Update Agent Empty Cmdline
  T1047_suspicious-wmiprvse-child-process.txt  [T1047,T1204.002,T1218.010]  Suspicious WmiPrvSE Child Process
  T1587_suspicious-word-cab-file-write-cve-2021-40444.txt  [T1587]  Suspicious Word Cab File Write CVE-2021-40444
  T1204.001_symlink-etc-passwd.txt  [T1204.001]  Symlink Etc Passwd
  T1012_syskey-registry-keys-access.txt  [T1012]  SysKey Registry Keys Access
  T1685_sysinternals-pssuspend-suspicious-execution.txt  [T1685]  Sysinternals PsSuspend Suspicious Execution
  T1685.006_syslog-clearing-or-removal-via-system-utilities.txt  [T1685.006]  Syslog Clearing or Removal Via System Utilities
  T1685_sysmon-application-crashed.txt  [T1685]  Sysmon Application Crashed
  sysmon-blocked-executable.txt  []  Sysmon Blocked Executable
  sysmon-blocked-file-shredding.txt  []  Sysmon Blocked File Shredding
  T1112_sysmon-channel-reference-deletion.txt  [T1112]  Sysmon Channel Reference Deletion
  T1564_sysmon-configuration-error.txt  [T1564]  Sysmon Configuration Error
  T1564_sysmon-configuration-modification.txt  [T1564]  Sysmon Configuration Modification
  T1518.001_sysmon-discovery-via-default-driver-altitude-using-findstr-e.txt  [T1518.001]  Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
  T1685_sysmon-driver-altitude-change.txt  [T1685]  Sysmon Driver Altitude Change
  T1070_sysmon-driver-unloaded-via-fltmc-exe.txt  [T1070,T1685,T1685.001]  Sysmon Driver Unloaded Via Fltmc.EXE
  T1574.001_system-control-panel-item-loaded-from-uncommon-location.txt  [T1574.001]  System Control Panel Item Loaded From Uncommon Location
  T1036_system-file-execution-location-anomaly.txt  [T1036]  System File Execution Location Anomaly
  T1490_system-restore-registry-modification-via-commandline.txt  [T1490]  System Restore Registry Modification via CommandLine
  T1021.002_t1047-wmiprvse-wbemcomn-dll-hijack.txt  [T1021.002,T1047]  T1047 Wmiprvse Wbemcomn DLL Hijack
  T1055.001_taidoor-rat-dll-load.txt  [T1055.001]  TAIDOOR RAT DLL Load
  T1685_tamper-windows-defender-psclassic.txt  [T1685]  Tamper Windows Defender - PSClassic
  T1685_tamper-windows-defender-scriptblocklogging.txt  [T1685]  Tamper Windows Defender - ScriptBlockLogging
  T1685_tamper-windows-defender-remove-mppreference.txt  [T1685]  Tamper Windows Defender Remove-MpPreference
  T1685_tamper-windows-defender-remove-mppreference-scriptblockloggi.txt  [T1685]  Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
  T1685_tamper-with-sophos-av-registry-keys.txt  [T1685]  Tamper With Sophos AV Registry Keys
  T1685_taskkill-symantec-endpoint-protection.txt  [T1685]  Taskkill Symantec Endpoint Protection
  T1036_taskmgr-as-local-system.txt  [T1036]  Taskmgr as LOCAL_SYSTEM
  T1574.001_tasks-folder-evasion.txt  [T1574.001]  Tasks Folder Evasion
  T1195.002_teampcp-litellm-supply-chain-attack-persistence-indicators.txt  [T1195.002,T1543.002]  TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
  T1078.004_temporary-access-pass-added-to-an-account.txt  [T1078.004]  Temporary Access Pass Added To An Account
  T1070_terminal-server-client-connection-history-cleared-registry.txt  [T1070,T1112]  Terminal Server Client Connection History Cleared - Registry
  T1190_terramaster-tos-cve-2020-28188.txt  [T1190]  TerraMaster TOS CVE-2020-28188
  T1003.001_time-travel-debugging-utility-usage.txt  [T1003.001,T1218]  Time Travel Debugging Utility Usage
  T1003.001_time-travel-debugging-utility-usage-image.txt  [T1003.001,T1218]  Time Travel Debugging Utility Usage - Image
  T1078_too-many-global-admins.txt  [T1078]  Too Many Global Admins
  T1090.003_tor-client-browser-execution.txt  [T1090.003]  Tor Client/Browser Execution
  T1559_trickbot-malware-activity.txt  [T1559]  Trickbot Malware Activity
  triple-cross-ebpf-rootkit-default-lockfile.txt  []  Triple Cross eBPF Rootkit Default LockFile
  T1053.003_triple-cross-ebpf-rootkit-default-persistence.txt  [T1053.003]  Triple Cross eBPF Rootkit Default Persistence
  triple-cross-ebpf-rootkit-execve-hijack.txt  []  Triple Cross eBPF Rootkit Execve Hijack
  T1014_triple-cross-ebpf-rootkit-install-commands.txt  [T1014]  Triple Cross eBPF Rootkit Install Commands
  T1059.001_tropictrooper-campaign-november-2018.txt  [T1059.001]  TropicTrooper Campaign November 2018
  T1112_trust-access-disable-for-vbapplications.txt  [T1112]  Trust Access Disable For VBApplications
  T1548.002_trusted-path-bypass-via-windows-directory-spoofing.txt  [T1548.002,T1574.007]  Trusted Path Bypass via Windows Directory Spoofing
  T1543.003_turla-service-install.txt  [T1543.003]  Turla Service Install
  T1548.002_uac-bypass-abusing-winsat-path-parsing-file.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - File
  T1548.002_uac-bypass-abusing-winsat-path-parsing-process.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - Process
  T1548.002_uac-bypass-abusing-winsat-path-parsing-registry.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - Registry
  T1548.002_uac-bypass-tools-using-computerdefaults.txt  [T1548.002]  UAC Bypass Tools Using ComputerDefaults
  T1548.002_uac-bypass-using-net-code-profiler-on-mmc.txt  [T1548.002]  UAC Bypass Using .NET Code Profiler on MMC
  T1548.002_uac-bypass-using-changepk-and-slui.txt  [T1548.002]  UAC Bypass Using ChangePK and SLUI
  T1548.002_uac-bypass-using-consent-and-comctl32-file.txt  [T1548.002]  UAC Bypass Using Consent and Comctl32 - File
  T1548.002_uac-bypass-using-consent-and-comctl32-process.txt  [T1548.002]  UAC Bypass Using Consent and Comctl32 - Process
  T1548.002_uac-bypass-using-disk-cleanup.txt  [T1548.002]  UAC Bypass Using Disk Cleanup
  T1548.002_uac-bypass-using-dismhost.txt  [T1548.002]  UAC Bypass Using DismHost
  uac-bypass-using-event-viewer-recentviews.txt  []  UAC Bypass Using Event Viewer RecentViews
  uac-bypass-using-eventvwr.txt  []  UAC Bypass Using EventVwr
  T1548.002_uac-bypass-using-idiagnostic-profile.txt  [T1548.002]  UAC Bypass Using IDiagnostic Profile
  T1548.002_uac-bypass-using-idiagnostic-profile-file.txt  [T1548.002]  UAC Bypass Using IDiagnostic Profile - File
  T1548.002_uac-bypass-using-ieinstal-file.txt  [T1548.002]  UAC Bypass Using IEInstal - File
  T1548.002_uac-bypass-using-ieinstal-process.txt  [T1548.002]  UAC Bypass Using IEInstal - Process
  T1548.002_uac-bypass-using-iscsicpl-imageload.txt  [T1548.002]  UAC Bypass Using Iscsicpl - ImageLoad
  T1548.002_uac-bypass-using-msconfig-token-modification-file.txt  [T1548.002]  UAC Bypass Using MSConfig Token Modification - File
  T1548.002_uac-bypass-using-msconfig-token-modification-process.txt  [T1548.002]  UAC Bypass Using MSConfig Token Modification - Process
  T1548.002_uac-bypass-using-ntfs-reparse-point-file.txt  [T1548.002]  UAC Bypass Using NTFS Reparse Point - File
  T1548.002_uac-bypass-using-ntfs-reparse-point-process.txt  [T1548.002]  UAC Bypass Using NTFS Reparse Point - Process
  T1548.002_uac-bypass-using-pkgmgr-and-dism.txt  [T1548.002]  UAC Bypass Using PkgMgr and DISM
  T1548.002_uac-bypass-using-wow64-logger-dll-hijack.txt  [T1548.002]  UAC Bypass Using WOW64 Logger DLL Hijack
  T1548.002_uac-bypass-using-windows-media-player-file.txt  [T1548.002]  UAC Bypass Using Windows Media Player - File
  T1548.002_uac-bypass-using-windows-media-player-process.txt  [T1548.002]  UAC Bypass Using Windows Media Player - Process
  T1548.002_uac-bypass-using-windows-media-player-registry.txt  [T1548.002]  UAC Bypass Using Windows Media Player - Registry
  T1548.002_uac-bypass-via-wsreset.txt  [T1548.002]  UAC Bypass Via Wsreset
  T1548.002_uac-bypass-wsreset.txt  [T1548.002]  UAC Bypass WSReset
  T1548.002_uac-bypass-with-fake-dll.txt  [T1548.002,T1574.001]  UAC Bypass With Fake DLL
  T1548.002_uac-bypass-via-event-viewer.txt  [T1548.002]  UAC Bypass via Event Viewer
  T1548.002_uac-bypass-via-icmluautil.txt  [T1548.002]  UAC Bypass via ICMLuaUtil
  T1548.002_uac-bypass-via-sdclt.txt  [T1548.002]  UAC Bypass via Sdclt
  T1542.001_uefi-persistence-via-wpbbin-filecreation.txt  [T1542.001]  UEFI Persistence Via Wpbbin - FileCreation
  T1542.001_uefi-persistence-via-wpbbin-processcreation.txt  [T1542.001]  UEFI Persistence Via Wpbbin - ProcessCreation
  T1059.001_unc2452-process-creation-patterns.txt  [T1059.001]  UNC2452 Process Creation Patterns
  unc4841-barracuda-esg-exploitation-indicators.txt  []  UNC4841 - Barracuda ESG Exploitation Indicators
  T1140_unc4841-download-compressed-files-from-temp-sh-using-wget.txt  [T1140]  UNC4841 - Download Compressed Files From Temp.sh Using Wget
  T1140_unc4841-download-tar-file-from-untrusted-direct-ip-via-wget.txt  [T1140]  UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
  unc4841-email-exfiltration-file-pattern.txt  []  UNC4841 - Email Exfiltration File Pattern
  T1140_unc4841-ssl-certificate-exfiltration-via-openssl.txt  [T1140]  UNC4841 - SSL Certificate Exfiltration Via Openssl
  T1202_uncommon-child-process-of-setres-exe.txt  [T1202,T1218]  Uncommon Child Process Of Setres.EXE
  T1685_uncommon-extension-in-keyboard-layout-ime-file-registry-valu.txt  [T1685]  Uncommon Extension In Keyboard Layout IME File Registry Value
  T1587.001_uncommon-file-created-in-office-startup-folder.txt  [T1587.001]  Uncommon File Created In Office Startup Folder
  T1195.002_uncommon-file-created-by-notepad-updater-gup-exe.txt  [T1195.002,T1557]  Uncommon File Created by Notepad++ Updater Gup.EXE
  uncommon-file-creation-by-mysql-daemon-process.txt  []  Uncommon File Creation By Mysql Daemon Process
  uncommon-filesystem-load-attempt-by-format-com.txt  []  Uncommon FileSystem Load Attempt By Format.com
  T1112_uncommon-microsoft-office-trusted-location-added.txt  [T1112]  Uncommon Microsoft Office Trusted Location Added
  T1105_uncommon-network-connection-initiated-by-certutil-exe.txt  [T1105]  Uncommon Network Connection Initiated By Certutil.EXE
  T1053.005_uncommon-one-time-only-scheduled-task-at-00-00.txt  [T1053.005]  Uncommon One Time Only Scheduled Task At 00:00
  T1078_unfamiliar-sign-in-properties.txt  [T1078]  Unfamiliar Sign-In Properties
  T1685_uninstall-crowdstrike-falcon-sensor.txt  [T1685]  Uninstall Crowdstrike Falcon Sensor
  T1685_uninstall-sysinternals-sysmon.txt  [T1685]  Uninstall Sysinternals Sysmon
  T1574.001_unsigned-binary-loaded-from-suspicious-location.txt  [T1574.001]  Unsigned Binary Loaded From Suspicious Location
  T1574.001_unsigned-mfdetours-dll-sideloading.txt  [T1574.001]  Unsigned Mfdetours.DLL Sideloading
  T1133_unusual-child-process-of-dns-exe.txt  [T1133]  Unusual Child Process of dns.exe
  T1133_unusual-file-deletion-by-dns-exe.txt  [T1133]  Unusual File Deletion by Dns.exe
  T1564.004_unusual-file-download-from-direct-ip-address.txt  [T1564.004]  Unusual File Download from Direct IP Address
  T1133_unusual-file-modification-by-dns-exe.txt  [T1133]  Unusual File Modification by dns.exe
  T1071.001_ursnif-malware-download-url-pattern.txt  [T1071.001]  Ursnif Malware Download URL Pattern
  T1059_ursnif-redirection-of-discovery-commands.txt  [T1059]  Ursnif Redirection Of Discovery Commands
  T1078.004_use-of-legacy-authentication-protocols.txt  [T1078.004,T1110]  Use of Legacy Authentication Protocols
  T1124_use-of-w32tm-as-timer.txt  [T1124]  Use of W32tm as Timer
  T1098_user-added-to-highly-privileged-group.txt  [T1098]  User Added To Highly Privileged Group
  T1078.004_user-added-to-privilege-role.txt  [T1078.004]  User Added To Privilege Role
  T1021.001_user-added-to-remote-desktop-users-group.txt  [T1021.001,T1133,T1136.001]  User Added to Remote Desktop Users Group
  T1558.003_user-couldn-t-call-a-privileged-service-lsaregisterlogonproc.txt  [T1558.003]  User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
  user-risk-and-mfa-registration-policy-updated.txt  []  User Risk and MFA Registration Policy Updated
  T1112_user-shell-folders-registry-modification-via-commandline.txt  [T1112,T1547.001]  User Shell Folders Registry Modification via CommandLine
  T1078.004_users-added-to-global-or-device-admin-roles.txt  [T1078.004]  Users Added to Global or Device Admin Roles
  T1574.008_using-settingsynchost-exe-as-lolbin.txt  [T1574.008]  Using SettingSyncHost.exe as LOLBin
  T1204.002_vba-dll-loaded-via-office-application.txt  [T1204.002]  VBA DLL Loaded Via Office Application
  T1547.001_vbscript-payload-stored-in-registry.txt  [T1547.001]  VBScript Payload Stored in Registry
  T1574.001_vmmap-unsigned-dbghelp-dll-potential-sideloading.txt  [T1574.001]  VMMap Unsigned Dbghelp.DLL Potential Sideloading
  T1190_vmware-vcenter-server-file-upload-cve-2021-22005.txt  [T1190]  VMware vCenter Server File Upload CVE-2021-22005
  veeam-backup-servers-credential-dumping-script-execution.txt  []  Veeam Backup Servers Credential Dumping Script Execution
  T1005_veeambackup-database-credentials-dump-via-sqlcmd-exe.txt  [T1005]  VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
  T1059_vim-gtfobin-abuse-linux.txt  [T1059,T1083]  Vim GTFOBin Abuse - Linux
  T1027.004_visual-basic-command-line-compiler-usage.txt  [T1027.004]  Visual Basic Command Line Compiler Usage
  T1003.002_volumeshadowcopy-symlink-creation-via-mklink.txt  [T1003.002,T1003.003]  VolumeShadowCopy Symlink Creation Via Mklink
  T1685_vulnerable-driver-blocklist-registry-tampering-via-commandli.txt  [T1685]  Vulnerable Driver Blocklist Registry Tampering Via CommandLine
  T1068_vulnerable-driver-load.txt  [T1068,T1543.003]  Vulnerable Driver Load
  T1543.003_vulnerable-hacksys-extreme-vulnerable-driver-load.txt  [T1543.003]  Vulnerable HackSys Extreme Vulnerable Driver Load
  T1548_vulnerable-netlogon-secure-channel-connection-allowed.txt  [T1548]  Vulnerable Netlogon Secure Channel Connection Allowed
  T1543.003_vulnerable-winring0-driver-load.txt  [T1543.003]  Vulnerable WinRing0 Driver Load
  T1547_winekey-registry-modification.txt  [T1547]  WINEKEY Registry Modification
  T1546.003_wmi-persistence-command-line-event-consumer.txt  [T1546.003]  WMI Persistence - Command Line Event Consumer
  T1546.003_wmi-persistence-script-event-consumer-file-write.txt  [T1546.003]  WMI Persistence - Script Event Consumer File Write
  T1047_wmimplant-hack-tool.txt  [T1047,T1059.001]  WMImplant Hack Tool
  T1202_wsl-kali-linux-usage.txt  [T1202]  WSL Kali-Linux Usage
  T1059.005_wscript-or-cscript-dropper-file.txt  [T1059.005,T1059.007]  WScript or CScript Dropper - File
  wab-execution-from-non-default-location.txt  []  Wab Execution From Non Default Location
  wab-wabmig-unusual-parent-or-child-processes.txt  []  Wab/Wabmig Unusual Parent Or Child Processes
  T1071.001_wannacry-killswitch-domain.txt  [T1071.001]  Wannacry Killswitch Domain
  T1112_wdigest-credguard-registry-modification.txt  [T1112]  Wdigest CredGuard Registry Modification
  T1112_wdigest-enable-uselogoncredential.txt  [T1112]  Wdigest Enable UseLogonCredential
  T1685_weak-encryption-enabled-and-kerberoast.txt  [T1685]  Weak Encryption Enabled and Kerberoast
  T1018_webshell-detection-with-command-line-keywords.txt  [T1018,T1033,T1087,T1505.003]  Webshell Detection With Command Line Keywords
  T1018_webshell-hacking-activity-patterns.txt  [T1018,T1033,T1087,T1505.003]  Webshell Hacking Activity Patterns
  T1505.003_webshell-tool-reconnaissance-activity.txt  [T1505.003]  Webshell Tool Reconnaissance Activity
  T1003.001_werfault-lsass-process-memory-dump.txt  [T1003.001]  WerFault LSASS Process Memory Dump
  T1033_whoami-as-parameter.txt  [T1033]  WhoAmI as Parameter
  T1033_whoami-exe-execution-from-privileged-process.txt  [T1033]  Whoami.EXE Execution From Privileged Process
  T1685_win-defender-restored-quarantine-file.txt  [T1685]  Win Defender Restored Quarantine File
  T1557.001_windivert-driver-load.txt  [T1557.001,T1599.001]  WinDivert Driver Load
  T1547.001_winrar-creating-files-in-startup-locations.txt  [T1547.001]  WinRAR Creating Files in Startup Locations
  T1685_windows-amsi-related-registry-tampering-via-commandline.txt  [T1685]  Windows AMSI Related Registry Tampering Via CommandLine
  T1036_windows-binaries-write-suspicious-extensions.txt  [T1036]  Windows Binaries Write Suspicious Extensions
  T1685_windows-credential-guard-disabled-registry.txt  [T1685]  Windows Credential Guard Disabled - Registry
  T1685_windows-credential-guard-registry-tampering-via-commandline.txt  [T1685]  Windows Credential Guard Registry Tampering Via CommandLine
  T1685_windows-credential-guard-related-registry-value-deleted-regi.txt  [T1685]  Windows Credential Guard Related Registry Value Deleted - Registry
  T1059_windows-defender-amsi-trigger-detected.txt  [T1059]  Windows Defender AMSI Trigger Detected
  T1685_windows-defender-configuration-changes.txt  [T1685]  Windows Defender Configuration Changes
  T1685_windows-defender-context-menu-removed.txt  [T1685]  Windows Defender Context Menu Removed
  T1685_windows-defender-definition-files-removed.txt  [T1685]  Windows Defender Definition Files Removed
  T1685_windows-defender-exploit-guard-tamper.txt  [T1685]  Windows Defender Exploit Guard Tamper
  T1685_windows-defender-grace-period-expired.txt  [T1685]  Windows Defender Grace Period Expired
  T1685_windows-defender-malware-and-pua-scanning-disabled.txt  [T1685]  Windows Defender Malware And PUA Scanning Disabled
  T1685_windows-defender-real-time-protection-disabled.txt  [T1685]  Windows Defender Real-time Protection Disabled
  T1685_windows-defender-service-disabled-registry.txt  [T1685]  Windows Defender Service Disabled - Registry
  T1059_windows-defender-threat-detected.txt  [T1059]  Windows Defender Threat Detected
  T1685_windows-defender-threat-severity-default-action-modified.txt  [T1685]  Windows Defender Threat Severity Default Action Modified
  T1685_windows-defender-virus-scanning-feature-disabled.txt  [T1685]  Windows Defender Virus Scanning Feature Disabled
  T1685.001_windows-eventlog-autologger-session-registry-modification-vi.txt  [T1685.001]  Windows EventLog Autologger Session Registry Modification Via CommandLine
  T1685_windows-filtering-platform-blocked-connection-from-edr-agent.txt  [T1685]  Windows Filtering Platform Blocked Connection From EDR Agent Binary
  T1685_windows-hypervisor-enforced-code-integrity-disabled.txt  [T1685]  Windows Hypervisor Enforced Code Integrity Disabled
  T1021.002_windows-internet-hosted-webdav-share-mount-via-net-exe.txt  [T1021.002]  Windows Internet Hosted WebDav Share Mount Via Net.EXE
  T1098.005_windows-laps-credential-dump-from-entra-id.txt  [T1098.005]  Windows LAPS Credential Dump From Entra ID
  T1059_windows-shell-scripting-application-file-write-to-suspicious.txt  [T1059]  Windows Shell/Scripting Application File Write to Suspicious Folder
  T1059.001_windows-shell-scripting-processes-spawning-suspicious-progra.txt  [T1059.001,T1059.005,T1218]  Windows Shell/Scripting Processes Spawning Suspicious Programs
  T1059_windows-suspicious-child-process-from-node-js-react2shell.txt  [T1059,T1190]  Windows Suspicious Child Process from Node.js - React2Shell
  T1685_windows-vulnerable-driver-blocklist-disabled.txt  [T1685]  Windows Vulnerable Driver Blocklist Disabled
  T1071.001_windows-webdav-user-agent.txt  [T1071.001]  Windows WebDAV User Agent
  T1505.003_windows-webshell-strings.txt  [T1505.003]  Windows Webshell Strings
  T1547.004_winlogon-notify-key-logon-persistence.txt  [T1547.004]  Winlogon Notify Key Logon Persistence
  T1021.006_winrs-local-command-execution.txt  [T1021.006,T1218]  Winrs Local Command Execution
  T1021.002_wmiprvse-wbemcomn-dll-hijack.txt  [T1021.002,T1047]  Wmiprvse Wbemcomn DLL Hijack
  wusa-exe-executed-by-parent-process-located-in-suspicious-lo.txt  []  Wusa.EXE Executed By Parent Process Located In Suspicious Location
  T1574.001_xwizard-exe-execution-from-non-default-location.txt  [T1574.001]  Xwizard.EXE Execution From Non-Default Location
  T1021.002_smbexec-py-service-installation.txt  [T1021.002,T1569.002]  smbexec.py Service Installation
  class-extension-uri-ending-request.txt  []  .Class Extension URI Ending Request
  T1560.001_7zip-compressing-dump-files.txt  [T1560.001]  7Zip Compressing Dump Files
  T1098_a-new-trust-was-created-to-a-domain.txt  [T1098]  A New Trust Was Created To A Domain
  T1069.002_adexplorer-writing-complete-ad-snapshot-into-dat-file.txt  [T1069.002,T1087.002,T1482]  ADExplorer Writing Complete AD Snapshot Into .dat File
  T1005_adfs-database-named-pipe-connection-by-uncommon-tool.txt  [T1005]  ADFS Database Named Pipe Connection By Uncommon Tool
  T1070.004_ads-zone-identifier-deleted-by-uncommon-application.txt  [T1070.004]  ADS Zone.Identifier Deleted By Uncommon Application
  T1001.003_adsi-cache-file-creation-by-uncommon-tool.txt  [T1001.003]  ADSI-Cache File Creation By Uncommon Tool
  T1216_awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xs.txt  [T1216]  AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
  T1216_awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xs_2.txt  [T1216]  AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
  T1685.002_aws-cloudtrail-important-change.txt  [T1685.002]  AWS CloudTrail Important Change
  T1021.007_aws-console-getsignintoken-potential-abuse.txt  [T1021.007,T1550.001]  AWS Console GetSigninToken Potential Abuse
  T1110_aws-consolelogin-failed-authentication.txt  [T1110]  AWS ConsoleLogin Failed Authentication
  T1486_aws-ec2-disable-ebs-encryption.txt  [T1486,T1565]  AWS EC2 Disable EBS Encryption
  T1525_aws-ecs-task-definition-that-queries-the-credential-endpoint.txt  [T1525]  AWS ECS Task Definition That Queries The Credential Endpoint
  aws-efs-fileshare-modified-or-deleted.txt  []  AWS EFS Fileshare Modified or Deleted
  T1485_aws-efs-fileshare-mount-modified-or-deleted.txt  [T1485]  AWS EFS Fileshare Mount Modified or Deleted
  aws-enableregion-command-monitoring.txt  []  AWS EnableRegion Command Monitoring
  T1098_aws-iam-backdoor-users-keys.txt  [T1098]  AWS IAM Backdoor Users Keys
  T1078_aws-key-pair-import-activity.txt  [T1078]  AWS Key Pair Import Activity
  T1020_aws-rds-master-password-change.txt  [T1020]  AWS RDS Master Password Change
  T1078.004_aws-root-credentials.txt  [T1078.004]  AWS Root Credentials
  T1490_aws-s3-bucket-versioning-disable.txt  [T1490]  AWS S3 Bucket Versioning Disable
  T1078.004_aws-saml-provider-deletion-activity.txt  [T1078.004,T1531]  AWS SAML Provider Deletion Activity
  T1087.004_aws-sts-getcalleridentity-enumeration-via-trufflehog.txt  [T1087.004]  AWS STS GetCallerIdentity Enumeration Via TruffleHog
  T1537_aws-snapshot-backup-exfiltration.txt  [T1537]  AWS Snapshot Backup Exfiltration
  T1078.004_aws-successful-console-login-without-mfa.txt  [T1078.004]  AWS Successful Console Login Without MFA
  T1078_aws-suspicious-saml-activity.txt  [T1078,T1548,T1550,T1550.001]  AWS Suspicious SAML Activity
  T1218_abusing-print-executable.txt  [T1218]  Abusing Print Executable
  T1003_access-to-crypto-currency-wallets-by-uncommon-applications.txt  [T1003]  Access To Crypto Currency Wallets By Uncommon Applications
  T1552.006_access-to-potentially-sensitive-sysvol-files-by-uncommon-app.txt  [T1552.006]  Access To Potentially Sensitive Sysvol Files By Uncommon Applications
  T1552.006_access-to-sysvol-policies-share-by-uncommon-process.txt  [T1552.006]  Access To Sysvol Policies Share By Uncommon Process
  T1555.004_access-to-windows-credential-history-file-by-uncommon-applic.txt  [T1555.004]  Access To Windows Credential History File By Uncommon Applications
  T1555.004_access-to-windows-dpapi-master-keys-by-uncommon-applications.txt  [T1555.004]  Access To Windows DPAPI Master Keys By Uncommon Applications
  T1592.004_access-of-sudoers-file-content.txt  [T1592.004]  Access of Sudoers File Content
  T1555.003_access-to-browser-login-data.txt  [T1555.003]  Access to Browser Login Data
  T1078.004_account-disabled-or-blocked-for-sign-in-attempts.txt  [T1078.004]  Account Disabled or Blocked for Sign in Attempts
  T1110_account-lockout.txt  [T1110]  Account Lockout
  T1078_account-tampering-suspicious-failed-logon-reasons.txt  [T1078]  Account Tampering - Suspicious Failed Logon Reasons
  T1112_activate-suppression-of-windows-security-center-notification.txt  [T1112]  Activate Suppression of Windows Security Center Notifications
  T1069.002_active-directory-database-snapshot-via-adexplorer.txt  [T1069.002,T1087.002,T1482]  Active Directory Database Snapshot Via ADExplorer
  T1087.002_active-directory-structure-export-via-csvde-exe.txt  [T1087.002]  Active Directory Structure Export Via Csvde.EXE
  active-directory-structure-export-via-ldifde-exe.txt  []  Active Directory Structure Export Via Ldifde.EXE
  activity-performed-by-terminated-user.txt  []  Activity Performed by Terminated User
  T1573_activity-from-anonymous-ip-addresses.txt  [T1573]  Activity from Anonymous IP Addresses
  T1573_activity-from-infrequent-country.txt  [T1573]  Activity from Infrequent Country
  T1573_activity-from-suspicious-ip-addresses.txt  [T1573]  Activity from Suspicious IP Addresses
  add-debugger-entry-to-aedebug-for-persistence.txt  []  Add Debugger Entry To AeDebug For Persistence
  T1112_add-disallowrun-execution-to-registry.txt  [T1112]  Add DisallowRun Execution to Registry
  T1059_add-new-download-source-to-winget.txt  [T1059]  Add New Download Source To Winget
  T1547.010_add-port-monitor-persistence-in-registry.txt  [T1547.010]  Add Port Monitor Persistence in Registry
  T1059_add-potential-suspicious-new-download-source-to-winget.txt  [T1059]  Add Potential Suspicious New Download Source To Winget
  add-windows-capability-via-powershell-cmdlet.txt  []  Add Windows Capability Via PowerShell Cmdlet
  add-windows-capability-via-powershell-script.txt  []  Add Windows Capability Via PowerShell Script
  T1552_added-owner-to-application.txt  [T1552]  Added Owner To Application
  T1218_addinutil-exe-execution-from-uncommon-directory.txt  [T1218]  AddinUtil.EXE Execution From Uncommon Directory
  T1046_advanced-ip-scanner-file-event.txt  [T1046]  Advanced IP Scanner - File Event
  T1218_agentexecutor-powershell-execution.txt  [T1218]  AgentExecutor PowerShell Execution
  T1112_allow-rdp-remote-assistance-feature.txt  [T1112]  Allow RDP Remote Assistance Feature
  T1059.001_alternate-powershell-hosts-powershell-module.txt  [T1059.001]  Alternate PowerShell Hosts - PowerShell Module
  T1548.002_always-install-elevated-msi-spawned-cmd-and-powershell.txt  [T1548.002]  Always Install Elevated MSI Spawned Cmd And Powershell
  T1548.002_always-install-elevated-windows-installer.txt  [T1548.002]  Always Install Elevated Windows Installer
  amsi-dll-loaded-via-lolbin-process.txt  []  Amsi.DLL Loaded Via LOLBIN Process
  anydesk-remote-access-software-service-installation.txt  []  Anydesk Remote Access Software Service Installation
  T1219.002_anydesk-temporary-artefact.txt  [T1219.002]  Anydesk Temporary Artefact
  T1190_apache-threading-error.txt  [T1190,T1210]  Apache Threading Error
  T1098.003_app-assigned-to-azure-rbac-microsoft-entra-role.txt  [T1098.003]  App Assigned To Azure RBAC/Microsoft Entra Role
  T1059.001_applocker-prevented-application-or-script-from-running.txt  [T1059.001,T1059.003,T1059.005,T1059.006,T1059.007,T1204.002]  AppLocker Prevented Application or Script from Running
  appx-located-in-uncommon-directory-added-to-deployment-pipel.txt  []  AppX Located in Uncommon Directory Added to Deployment Pipeline
  appx-package-deployment-failed-due-to-signing-requirements.txt  []  AppX Package Deployment Failed Due to Signing Requirements
  T1105_appx-package-installation-attempts-via-appinstaller-exe.txt  [T1105]  AppX Package Installation Attempts Via AppInstaller.EXE
  T1047_application-removed-via-wmic-exe.txt  [T1047]  Application Removed Via Wmic.EXE
  T1047_application-terminated-via-wmic-exe.txt  [T1047]  Application Terminated Via Wmic.EXE
  T1078_application-using-device-code-authentication-flow.txt  [T1078]  Application Using Device Code Authentication Flow
  T1078_applications-that-are-using-ropc-authentication-flow.txt  [T1078]  Applications That Are Using ROPC Authentication Flow
  T1202_arbitrary-command-execution-using-wsl.txt  [T1202,T1218]  Arbitrary Command Execution Using WSL
  T1218_arbitrary-dll-or-csproj-code-execution-via-dotnet-exe.txt  [T1218]  Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
  T1567_arbitrary-file-download-via-configsecuritypolicy-exe.txt  [T1567]  Arbitrary File Download Via ConfigSecurityPolicy.EXE
  T1105_arbitrary-file-download-via-gfxdownloadwrapper-exe.txt  [T1105]  Arbitrary File Download Via GfxDownloadWrapper.EXE
  T1218_arbitrary-file-download-via-msedge-proxy-exe.txt  [T1218]  Arbitrary File Download Via MSEDGE_PROXY.EXE
  T1218_arbitrary-file-download-via-msohtmed-exe.txt  [T1218]  Arbitrary File Download Via MSOHTMED.EXE
  T1218_arbitrary-file-download-via-mspub-exe.txt  [T1218]  Arbitrary File Download Via MSPUB.EXE
  T1218_arbitrary-file-download-via-presentationhost-exe.txt  [T1218]  Arbitrary File Download Via PresentationHost.EXE
  T1218_arbitrary-file-download-via-squirrel-exe.txt  [T1218]  Arbitrary File Download Via Squirrel.EXE
  T1218_arbitrary-msi-download-via-devinit-exe.txt  [T1218]  Arbitrary MSI Download Via Devinit.EXE
  T1204_arbitrary-shell-command-execution-via-settingcontent-ms.txt  [T1204,T1566.001]  Arbitrary Shell Command Execution Via Settingcontent-Ms
  T1127_aspnetcompiler-execution.txt  [T1127]  AspNetCompiler Execution
  assembly-dll-creation-via-aspnetcompiler.txt  []  Assembly DLL Creation Via AspNetCompiler
  T1216_assembly-loading-via-cl-loadassembly-ps1.txt  [T1216]  Assembly Loading Via CL_LoadAssembly.ps1
  T1218_atbroker-registry-change.txt  [T1218,T1547]  Atbroker Registry Change
  T1123_audio-capture-via-powershell.txt  [T1123]  Audio Capture via PowerShell
  T1123_audio-capture-via-soundrecorder.txt  [T1123]  Audio Capture via SoundRecorder
  T1078_authentications-to-important-apps-using-single-factor-authen.txt  [T1078]  Authentications To Important Apps Using Single Factor Authentication
  T1119_automated-collection-command-powershell.txt  [T1119]  Automated Collection Command PowerShell
  T1119_automated-collection-command-prompt.txt  [T1119,T1552.001]  Automated Collection Command Prompt
  T1012_azure-ad-health-monitoring-agent-registry-keys-access.txt  [T1012]  Azure AD Health Monitoring Agent Registry Keys Access
  T1012_azure-ad-health-service-agents-registry-keys-access.txt  [T1012]  Azure AD Health Service Agents Registry Keys Access
  T1578_azure-active-directory-hybrid-health-ad-fs-new-server.txt  [T1578]  Azure Active Directory Hybrid Health AD FS New Server
  T1578.003_azure-active-directory-hybrid-health-ad-fs-service-delete.txt  [T1578.003]  Azure Active Directory Hybrid Health AD FS Service Delete
  T1489_azure-application-deleted.txt  [T1489]  Azure Application Deleted
  azure-application-gateway-modified-or-deleted.txt  []  Azure Application Gateway Modified or Deleted
  azure-application-security-group-modified-or-deleted.txt  []  Azure Application Security Group Modified or Deleted
  T1565.001_azure-dns-zone-modified-or-deleted.txt  [T1565.001]  Azure DNS Zone Modified or Deleted
  azure-device-no-longer-managed-or-compliant.txt  []  Azure Device No Longer Managed or Compliant
  T1485_azure-device-or-configuration-modified-or-deleted.txt  [T1485,T1565.001]  Azure Device or Configuration Modified or Deleted
  T1078_azure-domain-federation-settings-modified.txt  [T1078]  Azure Domain Federation Settings Modified
  T1686.001_azure-firewall-modified-or-deleted.txt  [T1686.001]  Azure Firewall Modified or Deleted
  T1686.001_azure-firewall-rule-collection-modified-or-deleted.txt  [T1686.001]  Azure Firewall Rule Collection Modified or Deleted
  azure-firewall-rule-configuration-modified-or-deleted.txt  []  Azure Firewall Rule Configuration Modified or Deleted
  T1552_azure-key-vault-modified-or-deleted.txt  [T1552,T1552.001]  Azure Key Vault Modified or Deleted
  T1552_azure-keyvault-key-modified-or-deleted.txt  [T1552,T1552.001]  Azure Keyvault Key Modified or Deleted
  T1552_azure-keyvault-secrets-modified-or-deleted.txt  [T1552,T1552.001]  Azure Keyvault Secrets Modified or Deleted
  T1078_azure-kubernetes-admission-controller.txt  [T1078,T1552,T1552.007]  Azure Kubernetes Admission Controller
  T1053.003_azure-kubernetes-cronjob.txt  [T1053.003]  Azure Kubernetes CronJob
  T1685_azure-kubernetes-events-deleted.txt  [T1685]  Azure Kubernetes Events Deleted
  T1485_azure-kubernetes-network-policy-change.txt  [T1485,T1489,T1496]  Azure Kubernetes Network Policy Change
  azure-kubernetes-pods-deleted.txt  []  Azure Kubernetes Pods Deleted
  T1485_azure-kubernetes-rolebinding-clusterrolebinding-modified-and.txt  [T1485,T1489,T1496]  Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
  T1485_azure-kubernetes-secret-or-config-object-access.txt  [T1485,T1489,T1496]  Azure Kubernetes Secret or Config Object Access
  T1485_azure-kubernetes-sensitive-role-access.txt  [T1485,T1489,T1496]  Azure Kubernetes Sensitive Role Access
  T1485_azure-kubernetes-service-account-modified-or-deleted.txt  [T1485,T1489,T1496,T1531]  Azure Kubernetes Service Account Modified or Deleted
  T1686.001_azure-network-firewall-policy-modified-or-deleted.txt  [T1686.001]  Azure Network Firewall Policy Modified or Deleted
  azure-network-security-configuration-modified-or-deleted.txt  []  Azure Network Security Configuration Modified or Deleted
  T1059_azure-new-cloudshell-created.txt  [T1059]  Azure New CloudShell Created
  azure-owner-removed-from-application-or-service-principal.txt  []  Azure Owner Removed From Application or Service Principal
  azure-point-to-site-vpn-modified-or-deleted.txt  []  Azure Point-to-site VPN Modified or Deleted
  azure-service-principal-created.txt  []  Azure Service Principal Created
  azure-service-principal-removed.txt  []  Azure Service Principal Removed
  azure-suppression-rule-created.txt  []  Azure Suppression Rule Created
  T1078_azure-unusual-authentication-interruption.txt  [T1078]  Azure Unusual Authentication Interruption
  azure-vpn-connection-modified-or-deleted.txt  []  Azure VPN Connection Modified or Deleted
  azure-virtual-network-device-modified-or-deleted.txt  []  Azure Virtual Network Device Modified or Deleted
  azure-virtual-network-modified-or-deleted.txt  []  Azure Virtual Network Modified or Deleted
  T1197_bits-transfer-job-downloading-file-potential-suspicious-exte.txt  [T1197]  BITS Transfer Job Downloading File Potential Suspicious Extension
  T1197_bits-transfer-job-with-uncommon-or-suspicious-remote-tld.txt  [T1197]  BITS Transfer Job With Uncommon Or Suspicious Remote TLD
  T1059.004_bpftrace-unsafe-option-usage.txt  [T1059.004]  BPFtrace Unsafe Option Usage
  T1070.004_backup-catalog-deleted.txt  [T1070.004]  Backup Catalog Deleted
  T1490_backup-files-deleted.txt  [T1490]  Backup Files Deleted
  T1218_binary-proxy-execution-via-dotnet-trace-exe.txt  [T1218]  Binary Proxy Execution Via Dotnet-Trace.EXE
  T1685_bitbucket-audit-log-configuration-updated.txt  [T1685]  Bitbucket Audit Log Configuration Updated
  T1098_bitbucket-global-permission-changed.txt  [T1098]  Bitbucket Global Permission Changed
  T1021.004_bitbucket-global-ssh-settings-changed.txt  [T1021.004,T1685]  Bitbucket Global SSH Settings Changed
  T1685_bitbucket-global-secret-scanning-rule-deleted.txt  [T1685]  Bitbucket Global Secret Scanning Rule Deleted
  T1082_bitbucket-user-details-export-attempt-detected.txt  [T1082,T1213,T1591.004]  Bitbucket User Details Export Attempt Detected
  T1078.004_bitbucket-user-login-failure.txt  [T1078.004,T1110]  Bitbucket User Login Failure
  T1021.004_bitbucket-user-login-failure-via-ssh.txt  [T1021.004,T1110]  Bitbucket User Login Failure Via SSH
  T1082_bitbucket-user-permissions-export-attempt.txt  [T1082,T1213,T1591.004]  Bitbucket User Permissions Export Attempt
  T1078.004_bitlocker-key-retrieval.txt  [T1078.004]  Bitlocker Key Retrieval
  T1686_bpfdoor-tcp-ports-redirect.txt  [T1686]  Bpfdoor TCP Ports Redirect
  T1185_browser-started-with-remote-debugging.txt  [T1185]  Browser Started with Remote Debugging
  T1127_c-il-code-compilation-via-ilasm-exe.txt  [T1127]  C# IL Code Compilation Via Ilasm.EXE
  T1548_ca-policy-removed-by-non-approved-actor.txt  [T1548,T1556]  CA Policy Removed by Non Approved Actor
  T1548_ca-policy-updated-by-non-approved-actor.txt  [T1548,T1556]  CA Policy Updated by Non Approved Actor
  T1204.002_clr-dll-loaded-via-office-applications.txt  [T1204.002]  CLR DLL Loaded Via Office Applications
  T1546.015_com-hijacking-via-treatas.txt  [T1546.015]  COM Hijacking via TreatAs
  T1218_com-object-execution-via-xwizard-exe.txt  [T1218]  COM Object Execution via Xwizard.EXE
  T1569.002_csexec-service-file-creation.txt  [T1569.002]  CSExec Service File Creation
  T1569.002_csexec-service-installation.txt  [T1569.002]  CSExec Service Installation
  T1190_cve-2022-31659-vmware-workspace-one-access-rce.txt  [T1190]  CVE-2022-31659 VMware Workspace ONE Access RCE
  T1190_cve-2023-1389-potential-exploitation-attempt-unauthenticated.txt  [T1190]  CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
  T1059_cve-2023-22518-exploitation-attempt-suspicious-confluence-ch_2.txt  [T1059,T1190]  CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
  T1190_cve-2023-22518-exploitation-attempt-vulnerable-endpoint-conn.txt  [T1190]  CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
  T1190_cve-2023-22518-exploitation-attempt-vulnerable-endpoint-conn_2.txt  [T1190]  CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
  cve-2023-40477-potential-exploitation-winrar-application-cra.txt  []  CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
  T1190_cve-2023-4966-potential-exploitation-attempt-citrix-adc-sens.txt  [T1190]  CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  T1190_cve-2023-4966-potential-exploitation-attempt-citrix-adc-sens_2.txt  [T1190]  CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  cve-2024-1708-screenconnect-path-traversal-exploitation.txt  []  CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  cab-file-extraction-via-wusa-exe.txt  []  Cab File Extraction Via Wusa.EXE
  T1003_capture-credentials-with-rpcping-exe.txt  [T1003]  Capture Credentials with Rpcping.exe
  T1649_certificate-exported-from-local-certificate-store.txt  [T1649]  Certificate Exported From Local Certificate Store
  T1027_certificate-exported-via-certutil-exe.txt  [T1027]  Certificate Exported Via Certutil.EXE
  T1059.001_certificate-exported-via-powershell.txt  [T1059.001,T1552.004]  Certificate Exported Via PowerShell
  T1552.004_certificate-exported-via-powershell-scriptblock.txt  [T1552.004]  Certificate Exported Via PowerShell - ScriptBlock
  T1649_certificate-private-key-acquired.txt  [T1649]  Certificate Private Key Acquired
  certificate-use-with-no-strong-mapping.txt  []  Certificate Use With No Strong Mapping
  T1556_certificate-based-authentication-enabled.txt  [T1556]  Certificate-Based Authentication Enabled
  T1059.001_change-powershell-policies-to-an-insecure-level.txt  [T1059.001]  Change PowerShell Policies to an Insecure Level
  T1059.001_change-powershell-policies-to-an-insecure-level-powershell.txt  [T1059.001]  Change PowerShell Policies to an Insecure Level - PowerShell
  T1071.001_change-user-agents-with-webrequest.txt  [T1071.001]  Change User Agents with WebRequest
  T1098_change-to-authentication-method.txt  [T1098,T1556]  Change to Authentication Method
  T1574.011_changing-existing-service-imagepath-value-via-reg-exe.txt  [T1574.011]  Changing Existing Service ImagePath Value Via Reg.EXE
  T1222.002_chmod-targeting-sensitive-directories.txt  [T1222.002]  Chmod Targeting Sensitive Directories
  T1176.001_chromium-browser-instance-executed-with-custom-extension.txt  [T1176.001]  Chromium Browser Instance Executed With Custom Extension
  T1495_cisco-denial-of-service.txt  [T1495,T1529,T1565.001]  Cisco Denial of Service
  T1556.004_cisco-dot1x-disabled.txt  [T1556.004,T1685]  Cisco Dot1x Disabled
  cisco-duo-successful-mfa-authentication-via-bypass-code.txt  []  Cisco Duo Successful MFA Authentication Via Bypass Code
  T1070.004_cisco-file-deletion.txt  [T1070.004,T1561.001,T1561.002]  Cisco File Deletion
  T1053_cisco-modify-configuration.txt  [T1053,T1490,T1505,T1565.002]  Cisco Modify Configuration
  T1552.003_cisco-show-commands-input.txt  [T1552.003]  Cisco Show Commands Input
  T1040_cisco-sniffing.txt  [T1040]  Cisco Sniffing
  T1070.003_clear-powershell-history-powershell.txt  [T1070.003]  Clear PowerShell History - PowerShell
  T1070.003_clear-powershell-history-powershell-module.txt  [T1070.003]  Clear PowerShell History - PowerShell Module
  T1685.006_clear-or-disable-kernel-ring-buffer-logs-via-syslog-syscall.txt  [T1685.006]  Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
  T1059_clfs-sys-loaded-by-process-located-in-a-potential-suspicious.txt  [T1059]  Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
  clickonce-deployment-execution-dfsvc-exe-child-process.txt  []  ClickOnce Deployment Execution - Dfsvc.EXE Child Process
  T1112_clickonce-trust-prompt-tampering.txt  [T1112]  ClickOnce Trust Prompt Tampering
  T1059.002_clipboard-access-via-osascript.txt  [T1059.002,T1115]  Clipboard Access Via OSAScript
  T1115_clipboard-data-collection-via-pbpaste.txt  [T1115]  Clipboard Data Collection Via Pbpaste
  T1090.001_cloudflared-portable-execution.txt  [T1090.001]  Cloudflared Portable Execution
  T1090.001_cloudflared-quick-tunnel-execution.txt  [T1090.001]  Cloudflared Quick Tunnel Execution
  T1090_cloudflared-tunnel-connections-cleanup.txt  [T1090,T1102,T1572]  Cloudflared Tunnel Connections Cleanup
  T1090_cloudflared-tunnel-execution.txt  [T1090,T1102,T1572]  Cloudflared Tunnel Execution
  T1071.001_cloudflared-tunnels-related-dns-requests.txt  [T1071.001,T1572]  Cloudflared Tunnels Related DNS Requests
  T1564.003_cmd-launched-with-hidden-start-flags-to-suspicious-targets.txt  [T1564.003]  Cmd Launched with Hidden Start Flags to Suspicious Targets
  T1218.011_code-execution-via-pcwutl-dll.txt  [T1218.011]  Code Execution via Pcwutl.dll
  T1036_codepage-modification-via-mode-com-to-russian-language.txt  [T1036]  CodePage Modification Via MODE.COM To Russian Language
  T1059.001_command-line-execution-with-suspicious-url-and-appdata-strin.txt  [T1059.001,T1059.003,T1105]  Command Line Execution with Suspicious URL and AppData Strings
  T1571_communication-to-uncommon-destination-ports.txt  [T1571]  Communication To Uncommon Destination Ports
  T1078.001_commvault-qlogin-with-publicsharinguser-and-guid-password-cv.txt  [T1078.001]  Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
  T1560.001_compress-data-and-lock-with-password-for-exfiltration-with-7.txt  [T1560.001]  Compress Data and Lock With Password for Exfiltration With 7-ZIP
  T1560.001_compress-data-and-lock-with-password-for-exfiltration-with-w.txt  [T1560.001]  Compress Data and Lock With Password for Exfiltration With WINZIP
  T1033_computer-discovery-and-export-via-get-adcomputer-cmdlet.txt  [T1033]  Computer Discovery And Export Via Get-ADComputer Cmdlet
  T1033_computer-discovery-and-export-via-get-adcomputer-cmdlet-powe.txt  [T1033]  Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
  computer-password-change-via-ksetup-exe.txt  []  Computer Password Change Via Ksetup.EXE
  T1047_computer-system-reconnaissance-via-wmic-exe.txt  [T1047]  Computer System Reconnaissance Via Wmic.EXE
  T1059_conhost-spawned-by-uncommon-parent-process.txt  [T1059]  Conhost Spawned By Uncommon Parent Process
  T1614.001_console-codepage-lookup-via-chcp.txt  [T1614.001]  Console CodePage Lookup Via CHCP
  T1027_convertto-securestring-cmdlet-usage-via-commandline.txt  [T1027,T1059.001]  ConvertTo-SecureString Cmdlet Usage Via CommandLine
  T1021.002_copy-from-or-to-admin-share-or-sysvol-folder.txt  [T1021.002,T1039,T1048]  Copy From Or To Admin Share Or Sysvol Folder
  T1003.002_crash-dump-created-by-operating-system.txt  [T1003.002,T1005]  Crash Dump Created By Operating System
  T1112_crashcontrol-crashdump-disabled.txt  [T1112,T1564]  CrashControl CrashDump Disabled
  T1055.001_createremotethread-api-and-loadlibrary.txt  [T1055.001]  CreateRemoteThread API and LoadLibrary
  T1055_created-files-by-microsoft-sync-center.txt  [T1055,T1218]  Created Files by Microsoft Sync Center
  T1136.001_creation-of-an-user-account.txt  [T1136.001]  Creation Of An User Account
  T1574.001_creation-of-non-existent-system-dll.txt  [T1574.001]  Creation Of Non-Existent System DLL
  T1036.005_creation-of-pod-in-system-namespace.txt  [T1036.005]  Creation Of Pod In System Namespace
  creation-of-a-suspicious-ads-file-outside-a-browser-download.txt  []  Creation Of a Suspicious ADS File Outside a Browser Download
  T1574.001_creation-of-werfault-exe-wer-dll-in-unusual-folder.txt  [T1574.001]  Creation of WerFault.exe/Wer.dll in Unusual Folder
  creation-of-a-diagcab.txt  []  Creation of a Diagcab
  T1056.002_credui-dll-loaded-by-uncommon-process.txt  [T1056.002]  CredUI.DLL Loaded By Uncommon Process
  T1003_credential-manager-access-by-uncommon-applications.txt  [T1003]  Credential Manager Access By Uncommon Applications
  T1555.001_credentials-from-password-stores-keychain.txt  [T1555.001]  Credentials from Password Stores - Keychain
  cscript-wscript-potentially-suspicious-child-process.txt  []  Cscript/Wscript Potentially Suspicious Child Process
  curl-web-request-with-potential-custom-user-agent.txt  []  Curl Web Request With Potential Custom User-Agent
  T1071.001_curl-exe-execution-with-custom-useragent.txt  [T1071.001]  Curl.EXE Execution With Custom UserAgent
  T1547.001_currentcontrolset-autorun-keys-modification.txt  [T1547.001]  CurrentControlSet Autorun Keys Modification
  T1021.002_dcerpc-smb-spoolss-named-pipe.txt  [T1021.002]  DCERPC SMB Spoolss Named Pipe
  T1218.011_dll-call-by-ordinal-via-rundll32-exe.txt  [T1218.011]  DLL Call by Ordinal Via Rundll32.EXE
  T1574_dll-execution-via-register-cimprovider-exe.txt  [T1574]  DLL Execution Via Register-cimprovider.exe
  T1218_dll-execution-via-rasautou-exe.txt  [T1218]  DLL Execution via Rasautou.exe
  T1070_dll-load-by-system-process-from-suspicious-locations.txt  [T1070]  DLL Load By System Process From Suspicious Locations
  T1218_dll-loaded-via-certoc-exe.txt  [T1218]  DLL Loaded via CertOC.EXE
  T1574.001_dll-names-used-by-svr-for-graphicalproton-backdoor.txt  [T1574.001]  DLL Names Used By SVR For GraphicalProton Backdoor
  T1078.002_dmsa-service-account-created-in-specific-ous-powershell.txt  [T1078.002,T1098]  DMSA Service Account Created in Specific OUs - PowerShell
  T1218.010_dns-query-request-by-regsvr32-exe.txt  [T1218.010,T1559.001]  DNS Query Request By Regsvr32.EXE
  T1219.002_dns-query-to-azurewebsites-net-by-non-browser-process.txt  [T1219.002]  DNS Query To AzureWebsites.NET By Non-Browser Process
  T1071.004_dns-query-to-common-malware-hosting-and-shortener-services.txt  [T1071.004]  DNS Query To Common Malware Hosting and Shortener Services
  T1071.001_dns-query-to-devtunnels-domain.txt  [T1071.001,T1572]  DNS Query To Devtunnels Domain
  T1567.002_dns-query-to-mega-hosting-website.txt  [T1567.002]  DNS Query To MEGA Hosting Website
  T1567.002_dns-query-to-mega-hosting-website-dns-client.txt  [T1567.002]  DNS Query To MEGA Hosting Website - DNS Client
  dns-query-to-put-io-dns-client.txt  []  DNS Query To Put.io - DNS Client
  T1219.002_dns-query-to-remote-access-software-domain-from-non-browser.txt  [T1219.002]  DNS Query To Remote Access Software Domain From Non-Browser App
  T1071.001_dns-query-to-visual-studio-code-tunnels-domain.txt  [T1071.001]  DNS Query To Visual Studio Code Tunnels Domain
  T1048_dns-tor-proxies.txt  [T1048]  DNS TOR Proxies
  T1112_dns-over-https-enabled-by-registry.txt  [T1112,T1140]  DNS-over-HTTPS Enabled by Registry
  T1003.004_dpapi-domain-master-key-backup-attempt.txt  [T1003.004]  DPAPI Domain Master Key Backup Attempt
  T1059_darkgate-autoit3-exe-file-creation-by-uncommon-process.txt  [T1059,T1105]  DarkGate - Autoit3.EXE File Creation By Uncommon Process
  T1059_darkgate-drop-darkgate-loader-in-c-temp-directory.txt  [T1059]  DarkGate - Drop DarkGate Loader In C:\Temp Directory
  T1537_data-exfiltration-to-unsanctioned-apps.txt  [T1537]  Data Exfiltration to Unsanctioned Apps
  T1048.003_data-exfiltration-with-wget.txt  [T1048.003]  Data Exfiltration with Wget
  T1048_data-export-from-mssql-table-via-bcp-exe.txt  [T1048]  Data Export From MSSQL Table Via BCP.EXE
  T1003.001_dbghelp-dbgcore-dll-loaded-by-uncommon-suspicious-process.txt  [T1003.001]  Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
  default-credentials-usage.txt  []  Default Credentials Usage
  T1053.005_defrag-deactivation.txt  [T1053.005]  Defrag Deactivation
  T1053_defrag-deactivation-security.txt  [T1053]  Defrag Deactivation - Security
  delete-defender-scan-shellex-context-menu-registry-key.txt  []  Delete Defender Scan ShellEx Context Menu Registry Key
  T1485_deleted-data-overwritten-via-cipher-exe.txt  [T1485]  Deleted Data Overwritten Via Cipher.EXE
  T1021.001_denied-access-to-remote-desktop.txt  [T1021.001]  Denied Access To Remote Desktop
  deployment-appx-package-was-blocked-by-applocker.txt  []  Deployment AppX Package Was Blocked By AppLocker
  deployment-of-the-appx-package-was-blocked-by-the-policy.txt  []  Deployment Of The AppX Package Was Blocked By The Policy
  T1547.009_desktop-ini-created-by-uncommon-process.txt  [T1547.009]  Desktop.INI Created by Uncommon Process
  T1518_detected-windows-software-discovery.txt  [T1518]  Detected Windows Software Discovery
  T1518_detected-windows-software-discovery-powershell.txt  [T1518]  Detected Windows Software Discovery - PowerShell
  T1059.001_detection-of-powershell-execution-via-sqlps-exe.txt  [T1059.001,T1127]  Detection of PowerShell Execution via Sqlps.exe
  T1200_device-installation-blocked.txt  [T1200]  Device Installation Blocked
  T1078.004_device-registration-or-join-without-mfa.txt  [T1078.004]  Device Registration or Join Without MFA
  T1218_devicecredentialdeployment-execution.txt  [T1218]  DeviceCredentialDeployment Execution
  T1203_dfsvc-exe-network-connection-to-non-local-ips.txt  [T1203]  Dfsvc.EXE Network Connection To Non-Local IPs
  T1547.001_direct-autorun-keys-modification.txt  [T1547.001]  Direct Autorun Keys Modification
  T1018_directorysearcher-powershell-exploitation.txt  [T1018]  DirectorySearcher Powershell Exploitation
  T1070.005_disable-administrative-share-creation-at-startup.txt  [T1070.005]  Disable Administrative Share Creation at Startup
  T1685_disable-exploit-guard-network-protection-on-windows-defender.txt  [T1685]  Disable Exploit Guard Network Protection on Windows Defender
  T1112_disable-internal-tools-or-feature-in-registry.txt  [T1112]  Disable Internal Tools or Feature in Registry
  T1686.003_disable-microsoft-defender-firewall-via-registry.txt  [T1686.003]  Disable Microsoft Defender Firewall via Registry
  T1489_disable-or-stop-services.txt  [T1489,T1685]  Disable Or Stop Services
  T1685_disable-privacy-settings-experience-in-registry.txt  [T1685]  Disable Privacy Settings Experience in Registry
  T1685_disable-security-tools.txt  [T1685]  Disable Security Tools
  T1685_disable-tamper-protection-on-windows-defender.txt  [T1685]  Disable Tamper Protection on Windows Defender
  T1686.003_disable-windows-firewall-by-registry.txt  [T1686.003]  Disable Windows Firewall by Registry
  T1112_disable-windows-security-center-notifications.txt  [T1112]  Disable Windows Security Center Notifications
  T1556_disabled-mfa-to-bypass-authentication-mechanisms.txt  [T1556]  Disabled MFA to Bypass Authentication Mechanisms
  T1686_disabling-security-tools.txt  [T1686]  Disabling Security Tools
  T1686_disabling-security-tools-builtin.txt  [T1686]  Disabling Security Tools - Builtin
  disk-image-creation-via-hdiutil-macos.txt  []  Disk Image Creation Via Hdiutil - MacOS
  T1560.001_disk-image-mounting-via-hdiutil-macos.txt  [T1560.001,T1566.001]  Disk Image Mounting Via Hdiutil - MacOS
  T1218_diskshadow-child-process-spawned.txt  [T1218]  Diskshadow Child Process Spawned
  T1218_diskshadow-script-mode-execution-from-potential-suspicious-l.txt  [T1218]  Diskshadow Script Mode - Execution From Potential Suspicious Location
  T1218_diskshadow-script-mode-uncommon-script-extension-execution.txt  [T1218]  Diskshadow Script Mode - Uncommon Script Extension Execution
  T1218_diskshadow-script-mode-execution.txt  [T1218]  Diskshadow Script Mode Execution
  T1685_dism-remove-online-package.txt  [T1685]  Dism Remove Online Package
  T1564.001_displaying-hidden-files-feature-disabled.txt  [T1564.001]  Displaying Hidden Files Feature Disabled
  T1190_django-framework-exceptions.txt  [T1190]  Django Framework Exceptions
  T1218.007_dllunregisterserver-function-call-via-msiexec-exe.txt  [T1218.007]  DllUnregisterServer Function Call Via Msiexec.EXE
  T1218_dllhost-exe-initiated-network-connection-to-non-local-ip-add.txt  [T1218,T1559.001]  Dllhost.EXE Initiated Network Connection To Non-Local IP Address
  T1482_domain-trust-discovery-via-dsquery.txt  [T1482]  Domain Trust Discovery Via Dsquery
  T1204.002_dotnet-assembly-dll-loaded-via-office-application.txt  [T1204.002]  DotNET Assembly DLL Loaded Via Office Application
  T1105_download-file-to-potentially-suspicious-directory-via-wget.txt  [T1105]  Download File To Potentially Suspicious Directory Via Wget
  T1105_download-from-suspicious-dyndns-hosts.txt  [T1105,T1568]  Download from Suspicious Dyndns Hosts
  T1218.008_driver-dll-installation-via-odbcconf-exe.txt  [T1218.008]  Driver/DLL Installation Via Odbcconf.EXE
  driverquery-exe-execution.txt  []  DriverQuery.EXE Execution
  drop-binaries-into-spool-drivers-color-folder.txt  []  Drop Binaries Into Spool Drivers Color Folder
  T1556.002_dropping-of-password-filter-dll.txt  [T1556.002]  Dropping Of Password Filter DLL
  T1555_dump-credentials-from-windows-credential-manager-with-powers.txt  [T1555]  Dump Credentials from Windows Credential Manager With PowerShell
  dump-ntds-dit-to-suspicious-location.txt  []  Dump Ntds.dit To Suspicious Location
  T1003.001_dumpminitool-execution.txt  [T1003.001,T1036]  DumpMinitool Execution
  T1003.001_dumping-process-via-sqldumper-exe.txt  [T1003.001]  Dumping Process via Sqldumper.exe
  T1027.004_dynamic-net-compilation-via-csc-exe.txt  [T1027.004]  Dynamic .NET Compilation Via Csc.EXE
  T1027.004_dynamic-net-compilation-via-csc-exe-hunting.txt  [T1027.004]  Dynamic .NET Compilation Via Csc.EXE - Hunting
  T1059.012_esxi-account-creation-via-esxcli.txt  [T1059.012,T1136]  ESXi Account Creation Via ESXCLI
  T1007_esxi-network-configuration-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi Network Configuration Discovery Via ESXCLI
  T1007_esxi-storage-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi Storage Information Discovery Via ESXCLI
  T1059.012_esxi-syslog-configuration-change-via-esxcli.txt  [T1059.012,T1685,T1690]  ESXi Syslog Configuration Change Via ESXCLI
  T1007_esxi-system-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi System Information Discovery Via ESXCLI
  T1059.012_esxi-vm-kill-via-esxcli.txt  [T1059.012,T1529]  ESXi VM Kill Via ESXCLI
  T1007_esxi-vm-list-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi VM List Discovery Via ESXCLI
  T1007_esxi-vsan-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi VSAN Information Discovery Via ESXCLI
  T1505.004_etw-logging-processing-option-disabled-on-iis-server.txt  [T1505.004,T1685.001]  ETW Logging/Processing Option Disabled On IIS Server
  T1685.001_evtx-created-in-uncommon-location.txt  [T1685.001]  EVTX Created In Uncommon Location
  T1059_elevated-system-shell-spawned.txt  [T1059]  Elevated System Shell Spawned
  enable-bpf-kprobes-tracing.txt  []  Enable BPF Kprobes Tracing
  enable-local-manifest-installation-with-winget.txt  []  Enable Local Manifest Installation With Winget
  T1559.002_enable-microsoft-dynamic-data-exchange.txt  [T1559.002]  Enable Microsoft Dynamic Data Exchange
  T1685_enable-remote-connection-between-anonymous-computer-allowano.txt  [T1685]  Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  T1021.006_enable-windows-remote-management.txt  [T1021.006]  Enable Windows Remote Management
  T1574.012_enabling-cor-profiler-environment-variables.txt  [T1574.012]  Enabling COR Profiler Environment Variables
  T1528_end-user-consent-blocked.txt  [T1528]  End User Consent Blocked
  T1033_enumerate-all-information-with-whoami-exe.txt  [T1033]  Enumerate All Information With Whoami.EXE
  T1555_enumerate-credentials-from-windows-credential-manager-with-p.txt  [T1555]  Enumerate Credentials from Windows Credential Manager With PowerShell
  T1552.002_enumeration-for-3rd-party-creds-from-cli.txt  [T1552.002]  Enumeration for 3rd Party Creds From CLI
  T1552.002_enumeration-for-credentials-in-registry.txt  [T1552.002]  Enumeration for Credentials in Registry
  T1003_esentutl-gather-credentials.txt  [T1003,T1003.003]  Esentutl Gather Credentials
  T1005_esentutl-steals-browser-information.txt  [T1005]  Esentutl Steals Browser Information
  T1070_eventlog-evtx-file-deleted.txt  [T1070]  EventLog EVTX File Deleted
  T1552_eventlog-query-requests-by-builtin-utilities.txt  [T1552]  EventLog Query Requests By Builtin Utilities
  T1685.005_eventlog-cleared.txt  [T1685.005]  Eventlog Cleared
  T1105_executable-from-webdav.txt  [T1105]  Executable from Webdav
  T1059.001_execute-code-with-pester-bat.txt  [T1059.001,T1216]  Execute Code with Pester.bat
  T1059.001_execute-code-with-pester-bat-as-parent.txt  [T1059.001,T1216]  Execute Code with Pester.bat as Parent
  T1218_execute-files-with-msdeploy-exe.txt  [T1218]  Execute Files with Msdeploy.exe
  T1564.004_execute-from-alternate-data-streams.txt  [T1564.004]  Execute From Alternate Data Streams
  T1021.006_execute-invoke-command-on-remote-host.txt  [T1021.006]  Execute Invoke-command on Remote Host
  T1505.003_execution-from-webserver-root-folder.txt  [T1505.003]  Execution From Webserver Root Folder
  execution-of-script-located-in-potentially-suspicious-direct.txt  []  Execution Of Script Located In Potentially Suspicious Directory
  T1203_exploit-for-cve-2017-0261.txt  [T1203,T1204.002,T1566.001]  Exploit for CVE-2017-0261
  T1036_explorer-process-tree-break.txt  [T1036]  Explorer Process Tree Break
  T1078_external-remote-rdp-logon-from-public-ip.txt  [T1078,T1110,T1133]  External Remote RDP Logon from Public IP
  T1552.001_extracting-information-with-powershell.txt  [T1552.001]  Extracting Information with PowerShell
  T1190_f5-big-ip-icontrol-rest-api-command-execution-proxy.txt  [T1190]  F5 BIG-IP iControl Rest API Command Execution - Proxy
  T1190_f5-big-ip-icontrol-rest-api-command-execution-webserver.txt  [T1190]  F5 BIG-IP iControl Rest API Command Execution - Webserver
  T1048_ftp-connection-open-attempt-via-winscp-cli.txt  [T1048]  FTP Connection Open Attempt Via Winscp CLI
  T1590.002_failed-dns-zone-transfer.txt  [T1590.002]  Failed DNS Zone Transfer
  T1078_failed-logon-from-public-ip.txt  [T1078,T1133,T1190]  Failed Logon From Public IP
  T1003_file-access-of-signal-desktop-sensitive-data.txt  [T1003]  File Access Of Signal Desktop Sensitive Data
  file-decryption-using-gpg4win.txt  []  File Decryption Using Gpg4win
  T1070.004_file-deleted-via-sysinternals-sdelete.txt  [T1070.004]  File Deleted Via Sysinternals SDelete
  T1105_file-download-from-browser-process-via-inline-url.txt  [T1105]  File Download From Browser Process Via Inline URL
  file-download-from-ip-url-via-curl-exe.txt  []  File Download From IP URL Via Curl.EXE
  T1218_file-download-using-protocolhandler-exe.txt  [T1218]  File Download Using ProtocolHandler.exe
  T1036.003_file-download-via-bitsadmin.txt  [T1036.003,T1105,T1197]  File Download Via Bitsadmin
  T1105_file-download-via-curl-exe.txt  [T1105]  File Download Via Curl.EXE
  T1218_file-download-via-installutil-exe.txt  [T1218]  File Download Via InstallUtil.EXE
  T1105_file-download-via-nscurl-macos.txt  [T1105]  File Download Via Nscurl - MacOS
  T1105_file-download-via-certoc-exe.txt  [T1105]  File Download via CertOC.EXE
  T1027_file-encoded-to-base64-via-certutil-exe.txt  [T1027]  File Encoded To Base64 Via Certutil.EXE
  file-encryption-using-gpg4win.txt  []  File Encryption Using Gpg4win
  T1490_file-recovery-from-backup-via-wbadmin-exe.txt  [T1490]  File Recovery From Backup Via Wbadmin.EXE
  T1070.006_file-time-attribute-change.txt  [T1070.006]  File Time Attribute Change
  T1070.006_file-time-attribute-change-linux.txt  [T1070.006]  File Time Attribute Change - Linux
  T1222.001_file-or-folder-permissions-modifications.txt  [T1222.001]  File or Folder Permissions Modifications
  T1036.005_files-with-system-dll-name-in-unsuspected-locations.txt  [T1036.005]  Files With System DLL Name In Unsuspected Locations
  T1036.005_files-with-system-process-name-in-unsuspected-locations.txt  [T1036.005]  Files With System Process Name In Unsuspected Locations
  T1070_filter-driver-unloaded-via-fltmc-exe.txt  [T1070,T1685,T1685.001]  Filter Driver Unloaded Via Fltmc.EXE
  T1027.003_findstr-launching-lnk-file.txt  [T1027.003,T1036,T1202]  Findstr Launching .lnk File
  T1686.003_firewall-disabled-via-netsh-exe.txt  [T1686.003]  Firewall Disabled via Netsh.EXE
  T1686.003_firewall-rule-deleted-via-netsh-exe.txt  [T1686.003]  Firewall Rule Deleted Via Netsh.EXE
  firewall-rule-update-via-netsh-exe.txt  []  Firewall Rule Update Via Netsh.EXE
  T1686_flush-iptables-ufw-chain.txt  [T1686]  Flush Iptables Ufw Chain
  T1074.001_folder-compress-to-potentially-suspicious-output-via-compres.txt  [T1074.001]  Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
  T1685.001_forest-blizzard-apt-javascript-constrained-file-creation.txt  [T1685.001]  Forest Blizzard APT - JavaScript Constrained File Creation
  T1059_forfiles-command-execution.txt  [T1059]  Forfiles Command Execution
  T1685_fortigate-firewall-address-object-added.txt  [T1685]  FortiGate - Firewall Address Object Added
  T1136.001_fortigate-new-administrator-account-created.txt  [T1136.001]  FortiGate - New Administrator Account Created
  T1685_fortigate-new-firewall-policy-added.txt  [T1685]  FortiGate - New Firewall Policy Added
  T1136.001_fortigate-new-local-user-created.txt  [T1136.001]  FortiGate - New Local User Created
  T1133_fortigate-new-vpn-ssl-web-portal-added.txt  [T1133]  FortiGate - New VPN SSL Web Portal Added
  fortigate-user-group-modified.txt  []  FortiGate - User Group Modified
  T1133_fortigate-vpn-ssl-settings-modified.txt  [T1133]  FortiGate - VPN SSL Settings Modified
  T1548.002_function-call-from-undocumented-com-interface-editionupgrade.txt  [T1548.002]  Function Call From Undocumented COM Interface EditionUpgradeManager
  T1098_gcp-access-policy-deleted.txt  [T1098]  GCP Access Policy Deleted
  T1548_gcp-break-glass-container-workload-deployed.txt  [T1548]  GCP Break-glass Container Workload Deployed
  gathernetworkinfo-vbs-reconnaissance-script-output.txt  []  GatherNetworkInfo.VBS Reconnaissance Script Output
  T1033_get-aduser-enumeration-using-useraccountcontrol-flags.txt  [T1033]  Get-ADUser Enumeration Using UserAccountControl Flags
  T1213.003_github-delete-action-invoked.txt  [T1213.003]  Github Delete Action Invoked
  T1020_github-fork-private-repositories-setting-enabled-cleared.txt  [T1020,T1537]  Github Fork Private Repositories Setting Enabled/Cleared
  T1098.001_github-outside-collaborator-detected.txt  [T1098.001,T1098.003,T1213.003]  Github Outside Collaborator Detected
  T1020_github-repository-organization-transferred.txt  [T1020,T1537]  Github Repository/Organization Transferred
  T1078.004_github-ssh-certificate-configuration-changed.txt  [T1078.004]  Github SSH Certificate Configuration Changed
  T1071_github-self-hosted-runner-execution.txt  [T1071,T1102.002]  Github Self-Hosted Runner Execution
  T1219.002_gotoassist-temporary-installation-artefact.txt  [T1219.002]  GoToAssist Temporary Installation Artefact
  google-cloud-dns-zone-modified-or-deleted.txt  []  Google Cloud DNS Zone Modified or Deleted
  T1685_google-cloud-firewall-modified-or-deleted.txt  [T1685]  Google Cloud Firewall Modified or Deleted
  T1078_google-cloud-kubernetes-admission-controller.txt  [T1078,T1552,T1552.007]  Google Cloud Kubernetes Admission Controller
  google-cloud-kubernetes-cronjob.txt  []  Google Cloud Kubernetes CronJob
  google-cloud-kubernetes-rolebinding.txt  []  Google Cloud Kubernetes RoleBinding
  google-cloud-kubernetes-secrets-modified-or-deleted.txt  []  Google Cloud Kubernetes Secrets Modified or Deleted
  T1565_google-cloud-re-identifies-sensitive-information.txt  [T1565]  Google Cloud Re-identifies Sensitive Information
  google-cloud-sql-database-modified-or-deleted.txt  []  Google Cloud SQL Database Modified or Deleted
  T1531_google-cloud-service-account-disabled-or-deleted.txt  [T1531]  Google Cloud Service Account Disabled or Deleted
  google-cloud-service-account-modified.txt  []  Google Cloud Service Account Modified
  google-cloud-storage-buckets-modified-or-deleted.txt  []  Google Cloud Storage Buckets Modified or Deleted
  google-cloud-vpn-tunnel-modified-or-deleted.txt  []  Google Cloud VPN Tunnel Modified or Deleted
  T1074_google-full-network-traffic-packet-capture.txt  [T1074]  Google Full Network Traffic Packet Capture
  T1098.003_google-workspace-application-access-level-modified.txt  [T1098.003]  Google Workspace Application Access Level Modified
  google-workspace-application-removed.txt  []  Google Workspace Application Removed
  T1078_google-workspace-government-attack-warning.txt  [T1078]  Google Workspace Government Attack Warning
  T1098_google-workspace-granted-domain-api-access.txt  [T1098]  Google Workspace Granted Domain API Access
  google-workspace-mfa-disabled.txt  []  Google Workspace MFA Disabled
  T1114.003_google-workspace-out-of-domain-email-forwarding.txt  [T1114.003]  Google Workspace Out Of Domain Email Forwarding
  google-workspace-role-modified-or-deleted.txt  []  Google Workspace Role Modified or Deleted
  google-workspace-role-privilege-deleted.txt  []  Google Workspace Role Privilege Deleted
  T1098_google-workspace-user-granted-admin-privileges.txt  [T1098]  Google Workspace User Granted Admin Privileges
  T1615_gpresult-display-group-policy-information.txt  [T1615]  Gpresult Display Group Policy Information
  T1218_gpscript-execution.txt  [T1218]  Gpscript Execution
  T1098.003_granting-of-permissions-to-an-account.txt  [T1098.003]  Granting Of Permissions To An Account
  T1070.004_greedy-file-deletion-using-del.txt  [T1070.004]  Greedy File Deletion Using Del
  T1531_group-has-been-deleted-via-groupdel.txt  [T1531]  Group Has Been Deleted Via Groupdel
  T1033_group-membership-reconnaissance-via-whoami-exe.txt  [T1033]  Group Membership Reconnaissance Via Whoami.EXE
  T1484.001_group-policy-abuse-for-privilege-addition.txt  [T1484.001]  Group Policy Abuse for Privilege Addition
  T1078.004_guest-user-invited-by-non-approved-inviters.txt  [T1078.004]  Guest User Invited By Non Approved Inviters
  T1078_guest-users-invited-to-tenant-by-non-approved-inviters.txt  [T1078]  Guest Users Invited To Tenant By Non Approved Inviters
  T1132.001_gzip-archive-decode-via-powershell.txt  [T1132.001]  Gzip Archive Decode Via PowerShell
  T1218.001_hh-exe-initiated-http-network-connection.txt  [T1218.001]  HH.EXE Initiated HTTP Network Connection
  T1071.001_http-request-with-empty-user-agent.txt  [T1071.001]  HTTP Request With Empty User Agent
  http-request-to-low-reputation-tld-or-suspicious-file-extens.txt  []  HTTP Request to Low Reputation TLD or Suspicious File Extension
  T1134.001_hacktool-impersonate-execution.txt  [T1134.001,T1134.003]  HackTool - Impersonate Execution
  T1059.003_hacktool-jlaive-in-memory-assembly-execution.txt  [T1059.003]  HackTool - Jlaive In-Memory Assembly Execution
  hacktool-lazagne-execution.txt  []  HackTool - LaZagne Execution
  hacktool-sharpldapmonitor-execution.txt  []  HackTool - SharpLDAPmonitor Execution
  T1021.006_hacktool-winrm-access-via-evil-winrm.txt  [T1021.006]  HackTool - WinRM Access Via Evil-WinRM
  T1047_hardware-model-reconnaissance-via-wmic-exe.txt  [T1047]  Hardware Model Reconnaissance Via Wmic.EXE
  T1040_harvesting-of-wifi-credentials-via-netsh-exe.txt  [T1040]  Harvesting Of Wifi Credentials Via Netsh.EXE
  T1059.001_headless-process-launched-via-conhost-exe.txt  [T1059.001,T1059.003]  Headless Process Launched Via Conhost.EXE
  T1564.004_hidden-executable-in-ntfs-alternate-data-stream.txt  [T1564.004]  Hidden Executable In NTFS Alternate Data Stream
  T1105_hidden-flag-set-on-file-directory-via-chflags-macos.txt  [T1105,T1218,T1552.001,T1564.004]  Hidden Flag Set On File/Directory Via Chflags - MacOS
  T1059.001_hidden-powershell-in-link-file-pattern.txt  [T1059.001]  Hidden Powershell in Link File Pattern
  T1564.002_hidden-user-creation.txt  [T1564.002]  Hidden User Creation
  T1564.001_hiding-files-with-attrib-exe.txt  [T1564.001]  Hiding Files with Attrib.exe
  T1564.002_hiding-user-account-via-specialaccounts-registry-key-command.txt  [T1564.002]  Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  T1137_ie-change-domain-zone.txt  [T1137]  IE Change Domain Zone
  T1505.003_iis-native-code-module-command-line-installation.txt  [T1505.003]  IIS Native-Code Module Command Line Installation
  T1070_iis-webserver-access-logs-deleted.txt  [T1070]  IIS WebServer Access Logs Deleted
  T1070_iis-webserver-log-deletion-via-commandline-utilities.txt  [T1070]  IIS WebServer Log Deletion via CommandLine Utilities
  T1566.001_iso-image-mounted.txt  [T1566.001]  ISO Image Mounted
  T1566.001_iso-or-image-mount-indicator-in-recent-files.txt  [T1566.001]  ISO or Image Mount Indicator in Recent Files
  T1105_import-ldap-data-interchange-format-file-via-ldifde-exe.txt  [T1105,T1218]  Import LDAP Data Interchange Format File Via Ldifde.EXE
  T1059.001_import-powershell-modules-from-suspicious-directories.txt  [T1059.001]  Import PowerShell Modules From Suspicious Directories
  T1059.001_import-powershell-modules-from-suspicious-directories-proccr.txt  [T1059.001]  Import PowerShell Modules From Suspicious Directories - ProcCreation
  T1112_imports-registry-key-from-a-file.txt  [T1112]  Imports Registry Key From a File
  T1114.003_inbox-rules-creation-or-update-activity-via-exchangepowershe.txt  [T1114.003,T1564.008]  Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
  T1114.003_inbox-rules-creation-or-update-activity-in-o365.txt  [T1114.003,T1564.008]  Inbox Rules Creation Or Update Activity in O365
  T1078_increased-failed-authentications-of-any-type.txt  [T1078]  Increased Failed Authentications Of Any Type
  T1685.006_indicator-removal-on-host-clear-mac-system-logs.txt  [T1685.006]  Indicator Removal on Host - Clear Mac System Logs
  T1202_indirect-command-execution-via-sftp-proxycommand.txt  [T1202]  Indirect Command Execution via SFTP ProxyCommand
  T1202_indirect-inline-command-execution-via-bash-exe.txt  [T1202]  Indirect Inline Command Execution Via Bash.EXE
  T1218_infdefaultinstall-exe-inf-execution.txt  [T1218]  InfDefaultInstall.exe .inf Execution
  T1190_ingress-egress-security-group-modification.txt  [T1190]  Ingress/Egress Security Group Modification
  insecure-proxy-doh-transfer-via-curl-exe.txt  []  Insecure Proxy/DOH Transfer Via Curl.EXE
  insecure-transfer-via-curl-exe.txt  []  Insecure Transfer Via Curl.EXE
  T1059_install-new-package-via-winget-local-manifest.txt  [T1059]  Install New Package Via Winget Local Manifest
  T1219.002_installation-of-teamviewer-desktop.txt  [T1219.002]  Installation of TeamViewer Desktop
  T1036_interactive-bash-suspicious-children.txt  [T1036,T1059.004]  Interactive Bash Suspicious Children
  T1547.001_internet-explorer-autorun-keys-modification.txt  [T1547.001]  Internet Explorer Autorun Keys Modification
  internet-explorer-disablefirstruncustomize-enabled.txt  []  Internet Explorer DisableFirstRunCustomize Enabled
  T1027.010_invocation-of-crypto-classes-from-the-cryptography-powershel.txt  [T1027.010,T1059.001]  Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
  T1003.003_invocation-of-active-directory-diagnostic-tool-ntdsutil-exe.txt  [T1003.003]  Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  T1027_invoke-obfuscation-compress-obfuscation.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION
  T1027_invoke-obfuscation-compress-obfuscation-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
  T1027_invoke-obfuscation-compress-obfuscation-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
  T1027_invoke-obfuscation-compress-obfuscation-security.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION - Security
  T1027_invoke-obfuscation-compress-obfuscation-system.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION - System
  T1027_invoke-obfuscation-rundll-launcher-powershell.txt  [T1027,T1059.001]  Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
  T1027_invoke-obfuscation-rundll-launcher-powershell-module.txt  [T1027,T1059.001]  Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
  T1027_invoke-obfuscation-rundll-launcher-security.txt  [T1027,T1059.001]  Invoke-Obfuscation RUNDLL LAUNCHER - Security
  T1027_invoke-obfuscation-rundll-launcher-system.txt  [T1027,T1059.001]  Invoke-Obfuscation RUNDLL LAUNCHER - System
  jamf-mdm-potential-suspicious-child-process.txt  []  JAMF MDM Potential Suspicious Child Process
  T1203_java-running-with-remote-debugging.txt  [T1203]  Java Running with Remote Debugging
  T1553.003_kapeka-backdoor-configuration-persistence.txt  [T1553.003]  Kapeka Backdoor Configuration Persistence
  T1558.003_kerberoasting-activity-initial-query.txt  [T1558.003]  Kerberoasting Activity - Initial Query
  T1558.003_kerberos-network-traffic-rc4-ticket-encryption.txt  [T1558.003]  Kerberos Network Traffic RC4 Ticket Encryption
  T1078_kubernetes-admission-controller-modification.txt  [T1078,T1552,T1552.007]  Kubernetes Admission Controller Modification
  kubernetes-cronjob-job-modification.txt  []  Kubernetes CronJob/Job Modification
  T1070_kubernetes-events-deleted.txt  [T1070]  Kubernetes Events Deleted
  T1609_kubernetes-potential-enumeration-activity.txt  [T1609,T1613]  Kubernetes Potential Enumeration Activity
  kubernetes-rolebinding-modification.txt  []  Kubernetes Rolebinding Modification
  kubernetes-secrets-modified-or-deleted.txt  []  Kubernetes Secrets Modified or Deleted
  T1567_lolbas-data-exfiltration-by-datasvcutil-exe.txt  [T1567]  LOLBAS Data Exfiltration by DataSvcUtil.exe
  T1689_lsa-ppl-protection-setting-modification-via-commandline.txt  [T1689]  LSA PPL Protection Setting Modification via CommandLine
  T1003.001_lsass-access-from-non-system-account.txt  [T1003.001]  LSASS Access From Non System Account
  T1003.001_lsass-access-from-program-in-potentially-suspicious-folder.txt  [T1003.001]  LSASS Access From Program In Potentially Suspicious Folder
  T1543.001_launch-agent-daemon-execution-via-launchctl.txt  [T1543.001,T1543.004,T1569.001]  Launch Agent/Daemon Execution Via Launchctl
  T1216.001_launch-vsdevshell-ps1-proxy-execution.txt  [T1216.001]  Launch-VsDevShell.PS1 Proxy Execution
  T1140_linux-base64-encoded-pipe-to-shell.txt  [T1140]  Linux Base64 Encoded Pipe to Shell
  T1140_linux-base64-encoded-shebang-in-cli.txt  [T1140]  Linux Base64 Encoded Shebang In CLI
  T1548_linux-doas-conf-file-creation.txt  [T1548]  Linux Doas Conf File Creation
  T1685.006_linux-logs-clearing-attempts.txt  [T1685.006]  Linux Logs Clearing Attempts
  T1140_linux-shell-pipe-to-shell.txt  [T1140]  Linux Shell Pipe to Shell
  livekd-driver-creation.txt  []  LiveKD Driver Creation
  T1190_loadbalancer-security-group-modification.txt  [T1190]  LoadBalancer Security Group Modification
  T1003_loaded-module-enumeration-via-tasklist-exe.txt  [T1003]  Loaded Module Enumeration Via Tasklist.EXE
  local-file-read-using-curl-exe.txt  []  Local File Read Using Curl.EXE
  T1105_local-network-connection-initiated-by-script-interpreter.txt  [T1105]  Local Network Connection Initiated By Script Interpreter
  logged-on-user-password-change-via-ksetup-exe.txt  []  Logged-On User Password Change Via Ksetup.EXE
  T1078.004_login-to-disabled-account.txt  [T1078.004]  Login to Disabled Account
  T1078_logon-from-a-risky-ip-address.txt  [T1078]  Logon from a Risky IP Address
  T1218_lolbin-runexehelper-use-as-proxy.txt  [T1218]  Lolbin Runexehelper Use As Proxy
  T1218_lolbin-unregmp2-exe-use-as-proxy.txt  [T1218]  Lolbin Unregmp2.exe Use As Proxy
  T1071.004_low-reputation-effective-top-level-domain-etld.txt  [T1071.004]  Low Reputation Effective Top-Level Domain (eTLD)
  T1047_mitre-bzar-indicators-for-execution.txt  [T1047,T1053.002,T1569.002]  MITRE BZAR Indicators for Execution
  T1547.004_mitre-bzar-indicators-for-persistence.txt  [T1547.004]  MITRE BZAR Indicators for Persistence
  T1059.005_mmc-loading-script-engines-dlls.txt  [T1059.005,T1218.014]  MMC Loading Script Engines DLLs
  T1505.002_msexchange-transport-agent-installation.txt  [T1505.002]  MSExchange Transport Agent Installation
  T1505.002_msexchange-transport-agent-installation-builtin.txt  [T1505.002]  MSExchange Transport Agent Installation - Builtin
  msi-installation-from-suspicious-locations.txt  []  MSI Installation From Suspicious Locations
  T1218_msi-installation-from-web.txt  [T1218,T1218.007]  MSI Installation From Web
  T1485_mssql-destructive-query.txt  [T1485]  MSSQL Destructive Query
  T1110_mssql-server-failed-logon-from-external-network.txt  [T1110]  MSSQL Server Failed Logon From External Network
  T1546.014_macos-emond-launch-daemon.txt  [T1546.014]  MacOS Emond Launch Daemon
  T1059.002_macos-scripting-interpreter-applescript.txt  [T1059.002]  MacOS Scripting Interpreter AppleScript
  T1020_mail-forwarding-redirecting-activity-in-o365.txt  [T1020,T1114.003,T1564.008]  Mail Forwarding/Redirecting Activity In O365
  T1020_mail-forwarding-redirecting-activity-via-exchangepowershell.txt  [T1020,T1114.003,T1564.008]  Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
  T1068_malicious-driver-load-by-name.txt  [T1068,T1543.003]  Malicious Driver Load By Name
  T1218_malicious-pe-execution-by-microsoft-visual-studio-debugger.txt  [T1218]  Malicious PE Execution by Microsoft Visual Studio Debugger
  T1059.001_malicious-powershell-keywords.txt  [T1059.001]  Malicious PowerShell Keywords
  T1136.002_manipulation-of-user-computer-or-group-security-principals-a.txt  [T1136.002]  Manipulation of User Computer or Group Security Principals Across AD
  T1059_manual-execution-of-script-inside-of-a-compressed-file.txt  [T1059]  Manual Execution of Script Inside of a Compressed File
  T1036.003_masquerading-as-linux-crond-process.txt  [T1036.003]  Masquerading as Linux Crond Process
  T1219.002_mesh-agent-service-installation.txt  [T1219.002]  Mesh Agent Service Installation
  T1078_microsoft-365-impossible-travel-activity.txt  [T1078]  Microsoft 365 - Impossible Travel Activity
  T1486_microsoft-365-potential-ransomware-activity.txt  [T1486]  Microsoft 365 - Potential Ransomware Activity
  T1485_microsoft-365-unusual-volume-of-file-deletion.txt  [T1485]  Microsoft 365 - Unusual Volume of File Deletion
  T1199_microsoft-365-user-restricted-from-sending-email.txt  [T1199]  Microsoft 365 - User Restricted from Sending Email
  T1204.002_microsoft-excel-add-in-loaded-from-uncommon-location.txt  [T1204.002]  Microsoft Excel Add-In Loaded From Uncommon Location
  T1112_microsoft-office-trusted-location-updated.txt  [T1112]  Microsoft Office Trusted Location Updated
  T1055_microsoft-sync-center-suspicious-network-connections.txt  [T1055,T1218]  Microsoft Sync Center Suspicious Network Connections
  T1528_microsoft-teams-sensitive-file-access-by-uncommon-applicatio.txt  [T1528]  Microsoft Teams Sensitive File Access By Uncommon Applications
  T1204.002_microsoft-vba-for-outlook-addin-loaded-via-outlook.txt  [T1204.002]  Microsoft VBA For Outlook Addin Loaded Via Outlook
  T1127_microsoft-workflow-compiler-execution.txt  [T1127,T1218]  Microsoft Workflow Compiler Execution
  T1484.001_modify-group-policy-settings.txt  [T1484.001]  Modify Group Policy Settings
  T1484.001_modify-group-policy-settings-scriptblocklogging.txt  [T1484.001]  Modify Group Policy Settings - ScriptBlockLogging
  T1686_modify-system-firewall.txt  [T1686]  Modify System Firewall
  T1053.003_modifying-crontab.txt  [T1053.003]  Modifying Crontab
  T1197_monitoring-for-persistence-via-bits.txt  [T1197]  Monitoring For Persistence Via BITS
  T1564_mount-execution-with-hidepid-parameter.txt  [T1564]  Mount Execution With Hidepid Parameter
  T1105_msiexec-web-install.txt  [T1105,T1218.007]  MsiExec Web Install
  T1218.007_msiexec-quiet-installation.txt  [T1218.007]  Msiexec Quiet Installation
  T1220_msxsl-exe-execution.txt  [T1220]  Msxsl.EXE Execution
  multi-factor-authentication-disabled-for-user-account.txt  []  Multi Factor Authentication Disabled For User Account
  T1078.004_multifactor-authentication-denied.txt  [T1078.004,T1110,T1621]  Multifactor Authentication Denied
  T1078.004_multifactor-authentication-interrupted.txt  [T1078.004,T1110,T1621]  Multifactor Authentication Interrupted
  T1110_ntlm-brute-force.txt  [T1110]  NTLM Brute Force
  T1550.002_ntlmv1-logon-between-client-and-server.txt  [T1550.002]  NTLMv1 Logon Between Client and Server
  netsupport-manager-service-install.txt  []  NetSupport Manager Service Install
  T1059.001_netcat-the-powershell-version.txt  [T1059.001,T1095]  Netcat The Powershell Version
  T1686.003_netsh-allow-group-policy-on-microsoft-defender-firewall.txt  [T1686.003]  Netsh Allow Group Policy on Microsoft Defender Firewall
  T1041_network-communication-initiated-to-portmap-io-domain.txt  [T1041,T1090.002]  Network Communication Initiated To Portmap.IO Domain
  T1218.010_network-connection-initiated-by-regsvr32-exe.txt  [T1218.010,T1559.001]  Network Connection Initiated By Regsvr32.EXE
  T1105_network-connection-initiated-from-users-public-folder.txt  [T1105]  Network Connection Initiated From Users\Public Folder
  T1567_network-connection-initiated-to-btunnels-domains.txt  [T1567,T1572]  Network Connection Initiated To BTunnels Domains
  T1567_network-connection-initiated-to-cloudflared-tunnels-domains.txt  [T1567,T1572]  Network Connection Initiated To Cloudflared Tunnels Domains
  T1567.001_network-connection-initiated-to-devtunnels-domain.txt  [T1567.001,T1572]  Network Connection Initiated To DevTunnels Domain
  T1567_network-connection-initiated-to-visual-studio-code-tunnels-d.txt  [T1567,T1572]  Network Connection Initiated To Visual Studio Code Tunnels Domain
  new-aws-lambda-function-url-configuration-created.txt  []  New AWS Lambda Function URL Configuration Created
  T1112_new-bginfo-exe-custom-db-path-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom DB Path Registry Configuration
  T1112_new-bginfo-exe-custom-vbscript-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom VBScript Registry Configuration
  T1112_new-bginfo-exe-custom-wmi-query-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom WMI Query Registry Configuration
  T1548_new-ca-policy-by-non-approved-actor.txt  [T1548]  New CA Policy by Non-approved Actor
  T1218_new-capture-session-launched-via-dxcap-exe.txt  [T1218]  New Capture Session Launched Via DXCap.EXE
  T1547.009_new-custom-shim-database-created.txt  [T1547.009]  New Custom Shim Database Created
  T1546.009_new-dll-added-to-appcertdlls-registry-key.txt  [T1546.009]  New DLL Added to AppCertDlls Registry Key
  T1546.010_new-dll-added-to-appinit-dlls-registry-key.txt  [T1546.010]  New DLL Added to AppInit_DLLs Registry Key
  T1218.008_new-dll-registered-via-odbcconf-exe.txt  [T1218.008]  New DLL Registered Via Odbcconf.EXE
  T1078.002_new-dmsa-service-account-created-in-specific-ous.txt  [T1078.002,T1098]  New DMSA Service Account Created in Specific OUs
  T1484.002_new-federated-domain-added.txt  [T1484.002]  New Federated Domain Added
  T1136.003_new-federated-domain-added-exchange.txt  [T1136.003]  New Federated Domain Added - Exchange
  T1490_new-file-exclusion-added-to-time-machine-via-tmutil-macos.txt  [T1490]  New File Exclusion Added To Time Machine Via Tmutil - MacOS
  T1686.003_new-firewall-rule-added-in-windows-firewall-exception-list-v.txt  [T1686.003]  New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  T1686.003_new-firewall-rule-added-via-netsh-exe.txt  [T1686.003]  New Firewall Rule Added Via Netsh.EXE
  T1003.005_new-generic-credentials-added-via-cmdkey-exe.txt  [T1003.005]  New Generic Credentials Added Via Cmdkey.EXE
  T1543.003_new-kernel-driver-via-sc-exe.txt  [T1543.003]  New Kernel Driver Via SC.EXE
  T1505.004_new-module-module-added-to-iis-server.txt  [T1505.004,T1685.001]  New Module Added To IIS Server
  T1686.001_new-network-route-added.txt  [T1686.001]  New Network Route Added
  T1040_new-network-trace-capture-started-via-netsh-exe.txt  [T1040]  New Network Trace Capture Started Via Netsh.EXE
  T1008_new-outlook-macro-created.txt  [T1008,T1137,T1546]  New Outlook Macro Created
  T1543.003_new-pdqdeploy-service-client-side.txt  [T1543.003]  New PDQDeploy Service - Client Side
  T1543.003_new-pdqdeploy-service-server-side.txt  [T1543.003]  New PDQDeploy Service - Server Side
  T1090_new-port-forwarding-rule-added-via-netsh-exe.txt  [T1090]  New Port Forwarding Rule Added Via Netsh.EXE
  T1090_new-portproxy-registry-entry-added.txt  [T1090]  New PortProxy Registry Entry Added
  T1047_new-process-created-via-wmic-exe.txt  [T1047]  New Process Created Via Wmic.EXE
  T1021.001_new-remote-desktop-connection-initiated-via-mstsc-exe.txt  [T1021.001]  New Remote Desktop Connection Initiated Via Mstsc.EXE
  T1556_new-root-certificate-authority-added.txt  [T1556]  New Root Certificate Authority Added
  T1553.004_new-root-certificate-installed-via-certmgr-exe.txt  [T1553.004]  New Root Certificate Installed Via CertMgr.EXE
  T1553.004_new-root-certificate-installed-via-certutil-exe.txt  [T1553.004]  New Root Certificate Installed Via Certutil.EXE
  T1490_new-root-or-ca-or-authroot-certificate-to-store.txt  [T1490]  New Root or CA or AuthRoot Certificate to Store
  T1218_new-self-extracting-package-created-via-iexpress-exe.txt  [T1218]  New Self Extracting Package Created Via IExpress.EXE
  T1136.001_new-user-created-via-net-exe.txt  [T1136.001]  New User Created Via Net.EXE
  new-virtual-smart-card-created-via-tpmvscmgr-exe.txt  []  New Virtual Smart Card Created Via TpmVscMgr.EXE
  T1036_new-or-renamed-user-account-with-character.txt  [T1036]  New or Renamed User Account with '$' Character
  T1059.007_node-process-executions.txt  [T1059.007,T1127]  Node Process Executions
  T1059.004_nohup-execution.txt  [T1059.004]  Nohup Execution
  T1195.002_notepad-updater-dns-query-to-uncommon-domains.txt  [T1195.002,T1557]  Notepad++ Updater DNS Query to Uncommon Domains
  T1059.001_nslookup-powershell-download-cradle.txt  [T1059.001]  Nslookup PowerShell Download Cradle
  nslookup-powershell-download-cradle-processcreation.txt  []  Nslookup PowerShell Download Cradle - ProcessCreation
  T1003.003_ntdsutil-abuse.txt  [T1003.003]  Ntdsutil Abuse
  T1098_number-of-resource-creation-or-deployment-activities.txt  [T1098]  Number Of Resource Creation Or Deployment Activities
  obfuscated-ip-download-activity.txt  []  Obfuscated IP Download Activity
  obfuscated-ip-via-cli.txt  []  Obfuscated IP Via CLI
  office-application-initiated-network-connection-over-uncommo.txt  []  Office Application Initiated Network Connection Over Uncommon Ports
  T1203_office-application-initiated-network-connection-to-non-local.txt  [T1203]  Office Application Initiated Network Connection To Non-Local IP
  T1137.002_office-application-startup-office-test.txt  [T1137.002]  Office Application Startup - Office Test
  okta-2023-breach-indicator-of-compromise.txt  []  Okta 2023 Breach Indicator Of Compromise
  okta-api-token-created.txt  []  Okta API Token Created
  okta-api-token-revoked.txt  []  Okta API Token Revoked
  okta-admin-functions-access-through-proxy.txt  []  Okta Admin Functions Access Through Proxy
  T1098.003_okta-admin-role-assigned-to-an-user-or-group.txt  [T1098.003]  Okta Admin Role Assigned to an User or Group
  okta-admin-role-assignment-created.txt  []  Okta Admin Role Assignment Created
  okta-application-modified-or-deleted.txt  []  Okta Application Modified or Deleted
  okta-application-sign-on-policy-modified-or-deleted.txt  []  Okta Application Sign-On Policy Modified or Deleted
  T1098.001_okta-identity-provider-created.txt  [T1098.001]  Okta Identity Provider Created
  T1556.006_okta-mfa-reset-or-deactivated.txt  [T1556.006]  Okta MFA Reset or Deactivated
  okta-network-zone-deactivated-or-deleted.txt  []  Okta Network Zone Deactivated or Deleted
  okta-policy-rule-modified-or-deleted.txt  []  Okta Policy Rule Modified or Deleted
  okta-security-threat-detected.txt  []  Okta Security Threat Detected
  okta-unauthorized-access-to-app.txt  []  Okta Unauthorized Access to App
  T1531_okta-user-account-locked-out.txt  [T1531]  Okta User Account Locked Out
  old-tls1-0-tls1-1-protocol-version-enabled.txt  []  Old TLS1.0/TLS1.1 Protocol Version Enabled
  onenote-attachment-file-dropped-in-suspicious-location.txt  []  OneNote Attachment File Dropped In Suspicious Location
  T1021.004_openedr-spawning-command-shell.txt  [T1021.004,T1059.003,T1219]  OpenEDR Spawning Command Shell
  T1021.004_openssh-server-listening-on-socket.txt  [T1021.004]  OpenSSH Server Listening On Socket
  T1059.002_osacompile-execution-by-potentially-suspicious-applet-osascr.txt  [T1059.002]  Osacompile Execution By Potentially Suspicious Applet/Osascript
  T1218.011_outbound-network-connection-to-public-ip-via-winlogon.txt  [T1218.011]  Outbound Network Connection To Public IP Via Winlogon
  T1137_outlook-security-settings-updated-registry.txt  [T1137]  Outlook Security Settings Updated - Registry
  T1569.002_paexec-service-installation.txt  [T1569.002]  PAExec Service Installation
  T1072_pdq-deploy-remote-adminstartion-tool-execution.txt  [T1072]  PDQ Deploy Remote Administration Tool Execution
  psscriptpolicytest-creation-by-uncommon-process.txt  []  PSScriptPolicyTest Creation By Uncommon Process
  T1114_pst-export-alert-using-new-compliancesearchaction.txt  [T1114]  PST Export Alert Using New-ComplianceSearchAction
  T1114_pst-export-alert-using-ediscovery-alert.txt  [T1114]  PST Export Alert Using eDiscovery Alert
  T1003_pua-aws-trufflehog-execution.txt  [T1003,T1555]  PUA - AWS TruffleHog Execution
  T1087.002_pua-adfind-exe-execution.txt  [T1087.002]  PUA - AdFind.EXE Execution
  T1046_pua-advanced-ip-scanner-execution.txt  [T1046,T1135]  PUA - Advanced IP Scanner Execution
  T1590_pua-advanced-ip-port-scanner-update-check.txt  [T1590]  PUA - Advanced IP/Port Scanner Update Check
  T1046_pua-advanced-port-scanner-execution.txt  [T1046,T1135]  PUA - Advanced Port Scanner Execution
  T1059.003_pua-advancedrun-execution.txt  [T1059.003,T1134.002,T1564.003]  PUA - AdvancedRun Execution
  T1021.002_pua-csexec-default-named-pipe.txt  [T1021.002,T1569.002]  PUA - CSExec Default Named Pipe
  T1056.002_pua-mouse-lock-execution.txt  [T1056.002]  PUA - Mouse Lock Execution
  T1046_pua-nimscan-execution.txt  [T1046]  PUA - NimScan Execution
  T1569.002_pua-nircmd-execution.txt  [T1569.002]  PUA - NirCmd Execution
  T1046_pua-nmap-zenmap-execution.txt  [T1046]  PUA - Nmap/Zenmap Execution
  T1569.002_pua-paexec-default-named-pipe.txt  [T1569.002]  PUA - PAExec Default Named Pipe
  T1595_pua-pingcastle-execution.txt  [T1595]  PUA - PingCastle Execution
  T1027_pua-potential-pe-metadata-tamper-using-rcedit.txt  [T1027,T1027.005,T1036,T1036.003]  PUA - Potential PE Metadata Tamper Using Rcedit
  T1543_pua-process-hacker-execution.txt  [T1543,T1564,T1622]  PUA - Process Hacker Execution
  T1072_pua-radmin-viewer-utility-execution.txt  [T1072]  PUA - Radmin Viewer Utility Execution
  T1021.002_pua-remcom-default-named-pipe.txt  [T1021.002,T1569.002]  PUA - RemCom Default Named Pipe
  T1046_pua-softperfect-netscan-execution.txt  [T1046]  PUA - SoftPerfect Netscan Execution
  T1588.002_pua-sysinternals-tools-execution-registry.txt  [T1588.002]  PUA - Sysinternals Tools Execution - Registry
  T1543_pua-system-informer-driver-load.txt  [T1543]  PUA - System Informer Driver Load
  T1082_pua-system-informer-execution.txt  [T1082,T1543,T1564]  PUA - System Informer Execution
  T1083_pua-trufflehog-execution.txt  [T1083,T1552.001]  PUA - TruffleHog Execution
  T1083_pua-trufflehog-execution-linux.txt  [T1083,T1552.001]  PUA - TruffleHog Execution - Linux
  T1555.003_pua-webbrowserpassview-execution.txt  [T1555.003]  PUA - WebBrowserPassView Execution
  T1550.002_pass-the-hash-activity-2.txt  [T1550.002]  Pass the Hash Activity 2
  T1201_password-policy-enumerated.txt  [T1201]  Password Policy Enumerated
  T1027_password-protected-zip-file-opened.txt  [T1027]  Password Protected ZIP File Opened
  T1021.002_password-provided-in-command-line-of-net-exe.txt  [T1021.002,T1078]  Password Provided In Command Line Of Net.EXE
  T1078.004_password-reset-by-user-account.txt  [T1078.004]  Password Reset By User Account
  T1047_password-set-to-never-expire-via-wmi.txt  [T1047,T1098]  Password Set to Never Expire via WMI
  T1546.002_path-to-screensaver-binary-modified.txt  [T1546.002]  Path To Screensaver Binary Modified
  T1190_path-traversal-exploitation-attempts.txt  [T1190]  Path Traversal Exploitation Attempts
  T1059_payload-decoded-and-decrypted-via-built-in-utilities.txt  [T1059,T1140,T1204]  Payload Decoded and Decrypted via Built-in Utilities
  T1113_periodic-backup-for-system-registry-hives-enabled.txt  [T1113]  Periodic Backup For System Registry Hives Enabled
  T1059_perl-inline-command-execution.txt  [T1059]  Perl Inline Command Execution
  T1069.001_permission-check-via-accesschk-exe.txt  [T1069.001]  Permission Check Via Accesschk.EXE
  T1552.006_permission-misconfiguration-reconnaissance-via-findstr-exe.txt  [T1552.006]  Permission Misconfiguration Reconnaissance Via Findstr.EXE
  persistence-via-disk-cleanup-handler-autorun.txt  []  Persistence Via Disk Cleanup Handler - Autorun
  T1553.003_persistence-via-new-sip-provider.txt  [T1553.003]  Persistence Via New SIP Provider
  T1548.003_persistence-via-sudoers-d-files.txt  [T1548.003]  Persistence Via Sudoers.d Files
  persistence-via-typedpaths-commandline.txt  []  Persistence Via TypedPaths - CommandLine
  T1059_php-inline-command-execution.txt  [T1059]  Php Inline Command Execution
  T1040_pktmon-exe-execution.txt  [T1040]  PktMon.EXE Execution
  T1046_pnscan-binary-data-transmission-activity.txt  [T1046]  Pnscan Binary Data Transmission Activity
  T1021.001_port-forwarding-activity-via-ssh-exe.txt  [T1021.001,T1021.004,T1572]  Port Forwarding Activity Via SSH.EXE
  T1486_portable-gpg-exe-execution.txt  [T1486]  Portable Gpg.EXE Execution
  T1207_possible-dc-shadow-attack.txt  [T1207]  Possible DC Shadow Attack
  possible-printnightmare-print-driver-install-cve-2021-1675.txt  []  Possible PrintNightmare Print Driver Install - CVE-2021-1675
  T1087.002_potential-ad-user-enumeration-from-non-machine-account.txt  [T1087.002]  Potential AD User Enumeration From Non-Machine Account
  T1685_potential-amsi-bypass-script-using-null-bits.txt  [T1685]  Potential AMSI Bypass Script Using NULL Bits
  T1685_potential-amsi-bypass-using-null-bits.txt  [T1685]  Potential AMSI Bypass Using NULL Bits
  T1059.001_potential-apt-fin7-exploitation-activity.txt  [T1059.001,T1059.003]  Potential APT FIN7 Exploitation Activity
  T1218.010_potential-apt-c-12-bluemushroom-dll-load-activity-via-regsvr.txt  [T1218.010]  Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
  potential-as-rep-roasting-via-kerberos-tgt-requests.txt  []  Potential AS-REP Roasting via Kerberos TGT Requests
  T1574.001_potential-avkkid-dll-sideloading.txt  [T1574.001]  Potential AVKkid.DLL Sideloading
  T1059.004_potential-abuse-of-linux-magic-system-request-key.txt  [T1059.004,T1489,T1499,T1529]  Potential Abuse of Linux Magic System Request Key
  T1134.001_potential-access-token-abuse.txt  [T1134.001]  Potential Access Token Abuse
  potential-active-directory-enumeration-using-ad-module-procc.txt  []  Potential Active Directory Enumeration Using AD Module - ProcCreation
  potential-active-directory-enumeration-using-ad-module-psmod.txt  []  Potential Active Directory Enumeration Using AD Module - PsModule
  potential-active-directory-enumeration-using-ad-module-psscr.txt  []  Potential Active Directory Enumeration Using AD Module - PsScript
  T1069.002_potential-active-directory-reconnaissance-enumeration-via-ld.txt  [T1069.002,T1087.002,T1482]  Potential Active Directory Reconnaissance/Enumeration Via LDAP
  T1219.002_potential-amazon-ssm-agent-hijacking.txt  [T1219.002]  Potential Amazon SSM Agent Hijacking
  T1574.001_potential-antivirus-software-dll-sideloading.txt  [T1574.001]  Potential Antivirus Software DLL Sideloading
  T1027.004_potential-application-whitelisting-bypass-via-dnx-exe.txt  [T1027.004,T1218]  Potential Application Whitelisting Bypass via Dnx.EXE
  T1059_potential-arbitrary-command-execution-via-ftp-exe.txt  [T1059,T1202]  Potential Arbitrary Command Execution Via FTP.EXE
  T1202_potential-arbitrary-dll-load-using-winword.txt  [T1202]  Potential Arbitrary DLL Load Using Winword
  T1202_potential-arbitrary-file-download-via-cmdl32-exe.txt  [T1202,T1218]  Potential Arbitrary File Download Via Cmdl32.EXE
  T1071.001_potential-base64-encoded-user-agent.txt  [T1071.001]  Potential Base64 Encoded User-Agent
  potential-binary-or-script-dropper-via-powershell.txt  []  Potential Binary Or Script Dropper Via PowerShell
  T1106_potential-binary-proxy-execution-via-cdb-exe.txt  [T1106,T1127,T1218]  Potential Binary Proxy Execution Via Cdb.EXE
  T1218_potential-binary-proxy-execution-via-vsdiagnostics-exe.txt  [T1218]  Potential Binary Proxy Execution Via VSDiagnostics.EXE
  T1555.003_potential-browser-data-stealing.txt  [T1555.003]  Potential Browser Data Stealing
  T1574.001_potential-ccleanerdu-dll-sideloading.txt  [T1574.001]  Potential CCleanerDU.DLL Sideloading
  T1574.001_potential-ccleanerreactivator-dll-sideloading.txt  [T1574.001]  Potential CCleanerReactivator.DLL Sideloading
  T1546.015_potential-com-object-hijacking-via-treatas-subkey-registry.txt  [T1546.015]  Potential COM Object Hijacking Via TreatAs Subkey - Registry
  T1105_potential-com-objects-download-cradles-usage-ps-script.txt  [T1105]  Potential COM Objects Download Cradles Usage - PS Script
  T1105_potential-com-objects-download-cradles-usage-process-creatio.txt  [T1105]  Potential COM Objects Download Cradles Usage - Process Creation
  T1190_potential-cve-2021-27905-exploitation-attempt.txt  [T1190]  Potential CVE-2021-27905 Exploitation Attempt
  T1558.003_potential-cve-2021-42278-exploitation-attempt.txt  [T1558.003]  Potential CVE-2021-42278 Exploitation Attempt
  T1558.003_potential-cve-2021-42287-exploitation-attempt.txt  [T1558.003]  Potential CVE-2021-42287 Exploitation Attempt
  T1059.006_potential-cve-2022-22954-exploitation-attempt-vmware-workspa.txt  [T1059.006,T1190]  Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  T1190_potential-cve-2023-2283-exploitation.txt  [T1190]  Potential CVE-2023-2283 Exploitation
  potential-cve-2023-23397-exploitation-attempt-smb.txt  []  Potential CVE-2023-23397 Exploitation Attempt - SMB
  T1190_potential-cve-2023-27997-exploitation-indicators.txt  [T1190]  Potential CVE-2023-27997 Exploitation Indicators
  potential-cve-2023-36874-exploitation-uncommon-report-wer-lo.txt  []  Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
  potential-cve-2023-36884-exploitation-file-downloads.txt  []  Potential CVE-2023-36884 Exploitation - File Downloads
  potential-cve-2023-36884-exploitation-dropped-file.txt  []  Potential CVE-2023-36884 Exploitation Dropped File
  T1210_potential-cve-2023-46214-exploitation-attempt.txt  [T1210]  Potential CVE-2023-46214 Exploitation Attempt
  potential-cve-2024-3400-exploitation-palo-alto-globalprotect_2.txt  []  Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
  T1068_potential-cve-2024-35250-exploitation-activity.txt  [T1068]  Potential CVE-2024-35250 Exploitation Activity
  T1574.001_potential-chrome-frame-helper-dll-sideloading.txt  [T1574.001]  Potential Chrome Frame Helper DLL Sideloading
  T1036_potential-command-line-path-traversal-evasion-attempt.txt  [T1036]  Potential Command Line Path Traversal Evasion Attempt
  T1027_potential-commandline-obfuscation-using-unicode-characters.txt  [T1027]  Potential CommandLine Obfuscation Using Unicode Characters
  T1140_potential-commandline-obfuscation-using-escape-characters.txt  [T1140]  Potential Commandline Obfuscation Using Escape Characters
  T1007_potential-configuration-and-service-reconnaissance-via-reg-e.txt  [T1007,T1012]  Potential Configuration And Service Reconnaissance Via Reg.EXE
  potential-cookies-session-hijacking.txt  []  Potential Cookies Session Hijacking
  T1003.001_potential-credential-dumping-activity-via-lsass.txt  [T1003.001]  Potential Credential Dumping Activity Via LSASS
  T1003_potential-credential-dumping-attempt-using-new-networkprovid_2.txt  [T1003]  Potential Credential Dumping Attempt Using New NetworkProvider - REG
  T1003.001_potential-credential-dumping-attempt-via-powershell.txt  [T1003.001]  Potential Credential Dumping Attempt Via PowerShell
  T1059.001_potential-dll-file-download-via-powershell-invoke-webrequest.txt  [T1059.001,T1105]  Potential DLL File Download Via PowerShell Invoke-WebRequest
  T1055.001_potential-dll-injection-or-execution-using-tracker-exe.txt  [T1055.001]  Potential DLL Injection Or Execution Using Tracker.exe
  potential-dll-injection-via-acccheckconsole.txt  []  Potential DLL Injection Via AccCheckConsole
  T1218_potential-dll-sideloading-activity-via-extexport-exe.txt  [T1218]  Potential DLL Sideloading Activity Via ExtExport.EXE
  T1574.001_potential-dll-sideloading-of-dbgcore-dll.txt  [T1574.001]  Potential DLL Sideloading Of DBGCORE.DLL
  T1574.001_potential-dll-sideloading-of-dbghelp-dll.txt  [T1574.001]  Potential DLL Sideloading Of DBGHELP.DLL
  T1574.001_potential-dll-sideloading-of-dbgmodel-dll.txt  [T1574.001]  Potential DLL Sideloading Of DbgModel.DLL
  T1574.001_potential-dll-sideloading-of-libcurl-dll-via-gup-exe.txt  [T1574.001]  Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
  T1574.001_potential-dll-sideloading-of-mpsvc-dll.txt  [T1574.001]  Potential DLL Sideloading Of MpSvc.DLL
  T1574.001_potential-dll-sideloading-of-mscorsvc-dll.txt  [T1574.001]  Potential DLL Sideloading Of MsCorSvc.DLL
  T1055_potential-dll-sideloading-using-coregen-exe.txt  [T1055,T1218]  Potential DLL Sideloading Using Coregen.exe
  T1574.001_potential-dll-sideloading-via-classicexplorer32-dll.txt  [T1574.001]  Potential DLL Sideloading Via ClassicExplorer32.dll
  T1574.001_potential-dll-sideloading-via-deviceenroller-exe.txt  [T1574.001]  Potential DLL Sideloading Via DeviceEnroller.EXE
  T1574.001_potential-dll-sideloading-via-jsschhlp.txt  [T1574.001]  Potential DLL Sideloading Via JsSchHlp
  T1048.003_potential-data-exfiltration-over-smtp-via-send-mailmessage-c.txt  [T1048.003]  Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
  potential-data-exfiltration-via-audio-file.txt  []  Potential Data Exfiltration Via Audio File
  T1105_potential-data-exfiltration-via-curl-exe.txt  [T1105,T1567]  Potential Data Exfiltration Via Curl.EXE
  T1036.003_potential-defense-evasion-via-binary-rename.txt  [T1036.003]  Potential Defense Evasion Via Binary Rename
  T1106_potential-direct-syscall-of-ntopenprocess.txt  [T1106]  Potential Direct Syscall of NtOpenProcess
  T1083_potential-discovery-activity-using-find-linux.txt  [T1083]  Potential Discovery Activity Using Find - Linux
  T1083_potential-discovery-activity-using-find-macos.txt  [T1083]  Potential Discovery Activity Using Find - MacOS
  potential-discovery-activity-via-dnscmd-exe.txt  []  Potential Discovery Activity Via Dnscmd.EXE
  T1059_potential-dosfuscation-activity.txt  [T1059]  Potential Dosfuscation Activity
  T1105_potential-download-upload-activity-using-type-command.txt  [T1105]  Potential Download/Upload Activity Using Type Command
  T1059.005_potential-dropper-script-execution-via-wscript-cscript-mshta.txt  [T1059.005,T1059.007]  Potential Dropper Script Execution Via WScript/CScript/MSHTA
  potential-encrypted-registry-blob-related-to-snake-malware.txt  []  Potential Encrypted Registry Blob Related To SNAKE Malware
  T1003_potential-exploitation-of-cve-2025-5054-or-cve-2025-4598.txt  [T1003,T1548]  Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
  T1036_potential-fake-instance-of-hxtsr-exe-executed.txt  [T1036]  Potential Fake Instance Of Hxtsr.EXE Executed
  T1218_potential-file-download-via-ms-appinstaller-protocol-handler.txt  [T1218]  Potential File Download Via MS-AppInstaller Protocol Handler
  T1574.001_potential-goopdate-dll-sideloading.txt  [T1574.001]  Potential Goopdate.DLL Sideloading
  T1595_potential-hello-world-scraper-botnet-activity.txt  [T1595]  Potential Hello-World Scraper Botnet Activity
  T1564.004_potential-hidden-directory-creation-via-ntfs-index-allocatio.txt  [T1564.004]  Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  T1564.004_potential-hidden-directory-creation-via-ntfs-index-allocatio_2.txt  [T1564.004]  Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  T1036_potential-homoglyph-attack-using-lookalike-characters.txt  [T1036,T1036.003]  Potential Homoglyph Attack Using Lookalike Characters
  T1036_potential-homoglyph-attack-using-lookalike-characters-in-fil.txt  [T1036,T1036.003]  Potential Homoglyph Attack Using Lookalike Characters in Filename
  T1059.007_potential-in-memory-download-and-compile-of-payloads.txt  [T1059.007,T1105]  Potential In-Memory Download And Compile Of Payloads
  T1620_potential-in-memory-execution-using-reflection-assembly.txt  [T1620]  Potential In-Memory Execution Using Reflection.Assembly
  T1566_potential-initial-access-via-dll-search-order-hijacking.txt  [T1566,T1566.001,T1574,T1574.001]  Potential Initial Access via DLL Search Order Hijacking
  T1059_potential-kamikakabot-activity-lure-document-execution.txt  [T1059]  Potential KamiKakaBot Activity - Lure Document Execution
  potential-kamikakabot-activity-shutdown-schedule-task-creati.txt  []  Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  T1056.001_potential-keylogger-activity.txt  [T1056.001]  Potential Keylogger Activity
  T1021.006_potential-lateral-movement-via-windows-remote-shell.txt  [T1021.006]  Potential Lateral Movement via Windows Remote Shell
  T1574.001_potential-libvlc-dll-sideloading.txt  [T1574.001]  Potential Libvlc.DLL Sideloading
  T1219.002_potential-linux-amazon-ssm-agent-hijacking.txt  [T1219.002]  Potential Linux Amazon SSM Agent Hijacking
  T1055.009_potential-linux-process-code-injection-via-dd-utility.txt  [T1055.009]  Potential Linux Process Code Injection Via DD Utility
  T1059_potential-moveit-transfer-cve-2023-34362-exploitation-dynami.txt  [T1059]  Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  potential-malicious-appx-package-installation-attempts.txt  []  Potential Malicious AppX Package Installation Attempts
  potential-memory-dumping-activity-via-livekd.txt  []  Potential Memory Dumping Activity Via LiveKD
  T1574.001_potential-mfdetours-dll-sideloading.txt  [T1574.001]  Potential Mfdetours.DLL Sideloading
  T1127_potential-mftrace-exe-abuse.txt  [T1127]  Potential Mftrace.EXE Abuse
  T1040_potential-network-sniffing-activity-using-network-tools.txt  [T1040]  Potential Network Sniffing Activity Using Network Tools
  T1027.010_potential-obfuscated-ordinal-call-via-rundll32.txt  [T1027.010]  Potential Obfuscated Ordinal Call Via Rundll32
  T1040_potential-packet-capture-activity-via-start-neteventsession.txt  [T1040]  Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  T1552.001_potential-password-reconnaissance-via-findstr-exe.txt  [T1552.001]  Potential Password Reconnaissance Via Findstr.EXE
  T1218_potential-password-spraying-attempt-using-dsacls-exe.txt  [T1218]  Potential Password Spraying Attempt Using Dsacls.EXE
  potential-peach-sandstorm-apt-c2-communication-activity.txt  []  Potential Peach Sandstorm APT C2 Communication Activity
  T1036.003_potential-pendingfilerenameoperations-tampering.txt  [T1036.003]  Potential PendingFileRenameOperations Tampering
  potential-persistence-attempt-via-errorhandler-cmd.txt  []  Potential Persistence Attempt Via ErrorHandler.Cmd
  T1543.003_potential-persistence-attempt-via-existing-service-tampering.txt  [T1543.003,T1574.011]  Potential Persistence Attempt Via Existing Service Tampering
  T1547.001_potential-persistence-attempt-via-run-keys-using-reg-exe.txt  [T1547.001]  Potential Persistence Attempt Via Run Keys Using Reg.EXE
  T1546.015_potential-persistence-using-debugpath.txt  [T1546.015]  Potential Persistence Using DebugPath
  T1546.011_potential-persistence-via-appcompat-registerapprestart-layer.txt  [T1546.011]  Potential Persistence Via AppCompat RegisterAppRestart Layer
  T1112_potential-persistence-via-custom-protocol-handler.txt  [T1112]  Potential Persistence Via Custom Protocol Handler
  potential-persistence-via-disk-cleanup-handler-registry.txt  []  Potential Persistence Via Disk Cleanup Handler - Registry
  T1112_potential-persistence-via-event-viewer-events-asp.txt  [T1112]  Potential Persistence Via Event Viewer Events.asp
  T1037.001_potential-persistence-via-logon-scripts-registry.txt  [T1037.001]  Potential Persistence Via Logon Scripts - Registry
  T1053.005_potential-persistence-via-microsoft-compatibility-appraiser.txt  [T1053.005]  Potential Persistence Via Microsoft Compatibility Appraiser
  T1546.007_potential-persistence-via-netsh-helper-dll.txt  [T1546.007]  Potential Persistence Via Netsh Helper DLL
  T1546.007_potential-persistence-via-netsh-helper-dll-registry.txt  [T1546.007]  Potential Persistence Via Netsh Helper DLL - Registry
  potential-persistence-via-new-amsi-providers-registry.txt  []  Potential Persistence Via New AMSI Providers - Registry
  potential-persistence-via-notepad-plugins.txt  []  Potential Persistence Via Notepad++ Plugins
  T1546.013_potential-persistence-via-powershell-user-profile-using-add.txt  [T1546.013]  Potential Persistence Via PowerShell User Profile Using Add-Content
  T1546.015_potential-persistence-via-scrobj-dll-com-hijacking.txt  [T1546.015]  Potential Persistence Via Scrobj.dll COM Hijacking
  T1059_potential-persistence-via-vmwaretoolboxcmd-exe-vm-state-chan.txt  [T1059]  Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  T1137.006_potential-persistence-via-visual-studio-tools-for-office.txt  [T1137.006]  Potential Persistence Via Visual Studio Tools for Office
  T1187_potential-petitpotam-attack-via-efs-rpc-calls.txt  [T1187,T1557.001]  Potential PetitPotam Attack Via EFS RPC Calls
  T1059.003_potential-pikabot-infection-suspicious-command-combinations.txt  [T1059.003,T1105,T1218]  Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  T1552.001_potential-powershell-console-history-access-attempt-via-hist.txt  [T1552.001]  Potential PowerShell Console History Access Attempt via History File
  T1059.001_potential-powershell-downgrade-attack.txt  [T1059.001]  Potential PowerShell Downgrade Attack
  potential-powershell-execution-policy-tampering.txt  []  Potential PowerShell Execution Policy Tampering
  T1685_potential-privileged-system-service-operation-seloaddriverpr.txt  [T1685]  Potential Privileged System Service Operation - SeLoadDriverPrivilege
  T1216_potential-process-execution-proxy-via-cl-invocation-ps1.txt  [T1216]  Potential Process Execution Proxy Via CL_Invocation.ps1
  T1055.012_potential-process-hollowing-activity.txt  [T1055.012]  Potential Process Hollowing Activity
  T1047_potential-product-class-reconnaissance-via-wmic-exe.txt  [T1047,T1082]  Potential Product Class Reconnaissance Via Wmic.EXE
  T1047_potential-product-reconnaissance-via-wmic-exe.txt  [T1047]  Potential Product Reconnaissance Via Wmic.EXE
  T1218_potential-provlaunch-exe-binary-proxy-execution-abuse.txt  [T1218]  Potential Provlaunch.EXE Binary Proxy Execution Abuse
  T1574.001_potential-python-dll-sideloading.txt  [T1574.001]  Potential Python DLL SideLoading
  T1210_potential-rdp-exploit-cve-2019-0708.txt  [T1210]  Potential RDP Exploit CVE-2019-0708
  potential-rdp-session-hijacking-activity.txt  []  Potential RDP Session Hijacking Activity
  T1070_potential-ransomware-or-unauthorized-mbr-tampering-via-bcded.txt  [T1070,T1542.003]  Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
  T1016_potential-recon-activity-via-nltest-exe.txt  [T1016,T1482]  Potential Recon Activity Via Nltest.EXE
  T1059.005_potential-reconnaissance-activity-via-gathernetworkinfo-vbs.txt  [T1059.005,T1615]  Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
  T1036_potential-reflectdebugger-content-execution-via-werfault-exe.txt  [T1036]  Potential ReflectDebugger Content Execution Via WerFault.EXE
  T1218_potential-register-app-vbs-lolscript-abuse.txt  [T1218]  Potential Register_App.Vbs LOLScript Abuse
  T1574_potential-registry-persistence-attempt-via-dbgmanageddebugge.txt  [T1574]  Potential Registry Persistence Attempt Via DbgManagedDebugger
  T1007_potential-registry-reconnaissance-via-powershell-script.txt  [T1007,T1012]  Potential Registry Reconnaissance Via PowerShell Script
  T1218.010_potential-regsvr32-commandline-flag-anomaly.txt  [T1218.010]  Potential Regsvr32 Commandline Flag Anomaly
  T1609_potential-remote-command-execution-in-pod-container.txt  [T1609]  Potential Remote Command Execution In Pod Container
  T1219.002_potential-remote-desktop-connection-to-non-domain-host.txt  [T1219.002]  Potential Remote Desktop Connection to Non-Domain Host
  T1021_potential-remote-desktop-tunneling.txt  [T1021]  Potential Remote Desktop Tunneling
  T1546.003_potential-remote-wmi-activescripteventconsumers-activity.txt  [T1546.003]  Potential Remote WMI ActiveScriptEventConsumers Activity
  T1574.001_potential-rjvplatform-dll-sideloading-from-default-location.txt  [T1574.001]  Potential RjvPlatform.DLL Sideloading From Default Location
  T1574.001_potential-roboform-dll-sideloading.txt  [T1574.001]  Potential RoboForm.DLL Sideloading
  potential-ruby-reverse-shell.txt  []  Potential Ruby Reverse Shell
  T1059.003_potential-sap-netweaver-webshell-creation.txt  [T1059.003,T1190]  Potential SAP NetWeaver Webshell Creation
  T1059.003_potential-sap-netweaver-webshell-creation-linux.txt  [T1059.003,T1190]  Potential SAP NetWeaver Webshell Creation - Linux
  T1558.003_potential-spn-enumeration-via-setspn-exe.txt  [T1558.003]  Potential SPN Enumeration Via Setspn.EXE
  T1216_potential-script-proxy-execution-via-cl-mutexverifiers-ps1.txt  [T1216]  Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
  T1027.005_potential-secure-deletion-with-sdelete.txt  [T1027.005,T1070.004,T1485,T1553.002]  Potential Secure Deletion with SDelete
  potential-sentinelone-shell-context-menu-scan-command-tamper.txt  []  Potential SentinelOne Shell Context Menu Scan Command Tampering
  potential-shelldispatch-dll-functionality-abuse.txt  []  Potential ShellDispatch.DLL Functionality Abuse
  T1574.001_potential-shelldispatch-dll-sideloading.txt  [T1574.001]  Potential ShellDispatch.DLL Sideloading
  T1055_potential-shellcode-injection.txt  [T1055]  Potential Shellcode Injection
  T1546.011_potential-shim-database-persistence-via-sdbinst-exe.txt  [T1546.011]  Potential Shim Database Persistence via Sdbinst.EXE
  T1609_potential-sidecar-injection-into-running-deployment.txt  [T1609]  Potential Sidecar Injection Into Running Deployment
  T1574.001_potential-solidpdfcreator-dll-sideloading.txt  [T1574.001]  Potential SolidPDFCreator.DLL Sideloading
  T1082_potential-suspicious-activity-using-secedit.txt  [T1082,T1505.005,T1546.007,T1546.008,T1547.001,T1547.002,T1547.010,T1547.014,T1556.002,T1557,T1564.002,T1574.007,T1685,T1685.001]  Potential Suspicious Activity Using SeCEdit
  T1204.002_potential-suspicious-browser-launch-from-document-reader-pro.txt  [T1204.002]  Potential Suspicious Browser Launch From Document Reader Process
  T1565.001_potential-suspicious-change-to-sensitive-critical-files.txt  [T1565.001]  Potential Suspicious Change To Sensitive/Critical Files
  T1059.001_potential-suspicious-powershell-keywords.txt  [T1059.001]  Potential Suspicious PowerShell Keywords
  potential-suspicious-powershell-module-file-created.txt  []  Potential Suspicious PowerShell Module File Created
  T1112_potential-suspicious-registry-file-imported-via-reg-exe.txt  [T1112]  Potential Suspicious Registry File Imported Via Reg.EXE
  potential-suspicious-windows-feature-enabled.txt  []  Potential Suspicious Windows Feature Enabled
  potential-suspicious-windows-feature-enabled-proccreation.txt  []  Potential Suspicious Windows Feature Enabled - ProcCreation
  T1548.002_potential-uac-bypass-via-sdclt-exe.txt  [T1548.002]  Potential UAC Bypass Via Sdclt.EXE
  T1018_potential-unconstrained-delegation-discovery-via-get-adcompu.txt  [T1018,T1558,T1589.002]  Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
  T1047_potential-unquoted-service-path-reconnaissance-via-wmic-exe.txt  [T1047]  Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
  T1574.001_potential-vivaldi-elf-dll-sideloading.txt  [T1574.001]  Potential Vivaldi_elf.DLL Sideloading
  T1047_potential-wmi-lateral-movement-wmiprvse-spawned-powershell.txt  [T1047,T1059.001]  Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
  T1574.001_potential-wwlib-dll-sideloading.txt  [T1574.001]  Potential WWlib.DLL Sideloading
  T1574.001_potential-wazuh-security-platform-dll-sideloading.txt  [T1574.001]  Potential Wazuh Security Platform DLL Sideloading
  T1505.003_potential-webshell-creation-on-static-website.txt  [T1505.003]  Potential Webshell Creation On Static Website
  potential-xcsset-malware-infection.txt  []  Potential XCSSET Malware Infection
  T1059_potential-xterm-reverse-shell.txt  [T1059]  Potential Xterm Reverse Shell
  T1218_potentially-over-permissive-permissions-granted-using-dsacls.txt  [T1218]  Potentially Over Permissive Permissions Granted Using Dsacls.EXE
  T1003.001_potentially-suspicious-accessmask-requested-from-lsass.txt  [T1003.001]  Potentially Suspicious AccessMask Requested From LSASS
  T1090.004_potentially-suspicious-azure-front-door-connection.txt  [T1090.004,T1102.002]  Potentially Suspicious Azure Front Door Connection
  T1218_potentially-suspicious-cmd-shell-output-redirect.txt  [T1218]  Potentially Suspicious CMD Shell Output Redirect
  T1218_potentially-suspicious-cabinet-file-expansion.txt  [T1218]  Potentially Suspicious Cabinet File Expansion
  potentially-suspicious-call-to-win32-nteventlogfile-class-ps.txt  []  Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
  potentially-suspicious-child-process-of-clickonce-applicatio.txt  []  Potentially Suspicious Child Process Of ClickOnce Application
  T1218_potentially-suspicious-child-process-of-diskshadow-exe.txt  [T1218]  Potentially Suspicious Child Process Of DiskShadow.EXE
  T1202_potentially-suspicious-child-process-of-vscode.txt  [T1202,T1218]  Potentially Suspicious Child Process Of VsCode
  T1203_potentially-suspicious-child-process-of-winrar-exe.txt  [T1203]  Potentially Suspicious Child Process Of WinRAR.EXE
  T1203_potentially-suspicious-child-process-of-keyscrambler-exe.txt  [T1203,T1574.001]  Potentially Suspicious Child Process of KeyScrambler.exe
  T1528_potentially-suspicious-command-targeting-teams-sensitive-fil.txt  [T1528]  Potentially Suspicious Command Targeting Teams Sensitive Files
  T1560.001_potentially-suspicious-compression-tool-parameters.txt  [T1560.001]  Potentially Suspicious Compression Tool Parameters
  potentially-suspicious-dmp-hdmp-file-creation.txt  []  Potentially Suspicious DMP/HDMP File Creation
  T1112_potentially-suspicious-desktop-background-change-using-reg-e.txt  [T1112,T1491.001]  Potentially Suspicious Desktop Background Change Using Reg.EXE
  T1112_potentially-suspicious-desktop-background-change-via-registr.txt  [T1112,T1491.001]  Potentially Suspicious Desktop Background Change Via Registry
  potentially-suspicious-electron-application-commandline.txt  []  Potentially Suspicious Electron Application CommandLine
  T1087_potentially-suspicious-eventlog-recon-activity-using-log-que.txt  [T1087,T1552]  Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
  T1036_potentially-suspicious-execution-from-tmp-folder.txt  [T1036]  Potentially Suspicious Execution From Tmp Folder
  potentially-suspicious-execution-of-pdqdeployrunner.txt  []  Potentially Suspicious Execution Of PDQDeployRunner
  T1218.009_potentially-suspicious-execution-of-regasm-regsvcs-from-unco.txt  [T1218.009]  Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
  T1218.009_potentially-suspicious-execution-of-regasm-regsvcs-with-unco.txt  [T1218.009]  Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
  T1105_potentially-suspicious-file-creation-by-openedr-s-itsmservic.txt  [T1105,T1219,T1570]  Potentially Suspicious File Creation by OpenEDR's ITSMService
  T1003.001_potentially-suspicious-grantedaccess-flags-on-lsass.txt  [T1003.001]  Potentially Suspicious GrantedAccess Flags On LSASS
  T1059.007_potentially-suspicious-inline-javascript-execution-via-nodej.txt  [T1059.007]  Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
  T1528_potentially-suspicious-jwt-token-search-via-cli.txt  [T1528,T1552.001]  Potentially Suspicious JWT Token Search Via CLI
  T1059_potentially-suspicious-ntfs-symlink-behavior-modification.txt  [T1059,T1222.001]  Potentially Suspicious NTFS Symlink Behavior Modification
  potentially-suspicious-named-pipe-created-via-mkfifo.txt  []  Potentially Suspicious Named Pipe Created Via Mkfifo
  T1070.004_potentially-suspicious-ping-copy-command-combination.txt  [T1070.004]  Potentially Suspicious Ping/Copy Command Combination
  T1059.001_potentially-suspicious-powershell-child-processes.txt  [T1059.001]  Potentially Suspicious PowerShell Child Processes
  T1059.001_potentially-suspicious-powershell-script-execution-from-temp.txt  [T1059.001]  Potentially Suspicious Powershell Script Execution From Temp Folder
  T1218.010_potentially-suspicious-regsvr32-http-ftp-pattern.txt  [T1218.010]  Potentially Suspicious Regsvr32 HTTP/FTP Pattern
  T1218.011_potentially-suspicious-rundll32-activity.txt  [T1218.011]  Potentially Suspicious Rundll32 Activity
  T1071_potentially-suspicious-rundll32-exe-execution-of-udl-file.txt  [T1071,T1218.011]  Potentially Suspicious Rundll32.EXE Execution of UDL File
  T1218_potentially-suspicious-self-extraction-directive-file-create.txt  [T1218]  Potentially Suspicious Self Extraction Directive File Created
  T1090_potentially-suspicious-usage-of-qemu.txt  [T1090,T1572]  Potentially Suspicious Usage Of Qemu
  potentially-suspicious-wdac-policy-file-creation.txt  []  Potentially Suspicious WDAC Policy File Creation
  T1059.001_potentially-suspicious-webdav-lnk-execution.txt  [T1059.001,T1204]  Potentially Suspicious WebDAV LNK Execution
  potentially-suspicious-windows-app-activity.txt  []  Potentially Suspicious Windows App Activity
  T1070_powershell-console-history-logs-deleted.txt  [T1070]  PowerShell Console History Logs Deleted
  powershell-core-dll-loaded-via-office-application.txt  []  PowerShell Core DLL Loaded Via Office Application
  T1059.001_powershell-create-local-user.txt  [T1059.001,T1136.001]  PowerShell Create Local User
  T1070.005_powershell-deleted-mounted-share.txt  [T1070.005]  PowerShell Deleted Mounted Share
  T1059.001_powershell-downgrade-attack-powershell.txt  [T1059.001]  PowerShell Downgrade Attack - PowerShell
  T1059.001_powershell-download-pattern.txt  [T1059.001]  PowerShell Download Pattern
  T1115_powershell-get-clipboard.txt  [T1115]  PowerShell Get Clipboard
  T1115_powershell-get-clipboard-cmdlet-via-cli.txt  [T1115]  PowerShell Get-Clipboard Cmdlet Via CLI
  powershell-hotfix-enumeration.txt  []  PowerShell Hotfix Enumeration
  T1048.003_powershell-icmp-exfiltration.txt  [T1048.003]  PowerShell ICMP Exfiltration
  T1059.001_powershell-msi-install-via-windowsinstaller-com-from-remote.txt  [T1059.001,T1105,T1218]  PowerShell MSI Install via WindowsInstaller COM From Remote Location
  powershell-module-file-created-by-non-powershell-process.txt  []  PowerShell Module File Created By Non-PowerShell Process
  T1546.013_powershell-profile-modification.txt  [T1546.013]  PowerShell Profile Modification
  T1059.001_powershell-remote-session-creation.txt  [T1059.001]  PowerShell Remote Session Creation
  T1059.001_powershell-script-run-in-appdata.txt  [T1059.001]  PowerShell Script Run in AppData
  T1020_powershell-script-with-file-hostname-resolving-capabilities.txt  [T1020]  PowerShell Script With File Hostname Resolving Capabilities
  T1218.007_powershell-wmi-win32-product-install-msi.txt  [T1218.007]  PowerShell WMI Win32_Product Install MSI
  powershell-write-eventlog-usage.txt  []  PowerShell Write-EventLog Usage
  T1053.005_powershell-create-scheduled-task.txt  [T1053.005]  Powershell Create Scheduled Task
  T1685_powershell-defender-exclusion.txt  [T1685]  Powershell Defender Exclusion
  T1497.001_powershell-detect-virtualization-environment.txt  [T1497.001]  Powershell Detect Virtualization Environment
  T1083_powershell-directory-enumeration.txt  [T1083]  Powershell Directory Enumeration
  T1059.003_powershell-execute-batch-script.txt  [T1059.003]  Powershell Execute Batch Script
  T1059.001_powershell-executed-from-headless-conhost-process.txt  [T1059.001,T1059.003,T1564.003]  Powershell Executed From Headless ConHost Process
  T1059.001_powershell-inline-execution-from-a-file.txt  [T1059.001]  Powershell Inline Execution From A File
  T1056.001_powershell-keylogging.txt  [T1056.001]  Powershell Keylogging
  T1114.001_powershell-local-email-collection.txt  [T1114.001]  Powershell Local Email Collection
  T1098_powershell-localaccount-manipulation.txt  [T1098]  Powershell LocalAccount Manipulation
  T1059.001_powershell-msxml-com-object.txt  [T1059.001]  Powershell MsXml COM Object
  T1083_powershell-sensitive-file-discovery.txt  [T1083]  Powershell Sensitive File Discovery
  T1564.004_powershell-store-file-in-alternate-data-stream.txt  [T1564.004]  Powershell Store File In Alternate Data Stream
  T1070.006_powershell-timestomp.txt  [T1070.006]  Powershell Timestomp
  T1027.009_powershell-token-obfuscation-powershell.txt  [T1027.009]  Powershell Token Obfuscation - Powershell
  T1546.003_powershell-wmi-persistence.txt  [T1546.003]  Powershell WMI Persistence
  T1059.001_powershell-xml-execute-command.txt  [T1059.001]  Powershell XML Execute Command
  T1592.004_print-history-file-contents.txt  [T1592.004]  Print History File Contents
  T1552.004_private-keys-reconnaissance-via-commandline-tools.txt  [T1552.004]  Private Keys Reconnaissance Via CommandLine Tools
  T1078.004_privileged-account-creation.txt  [T1078.004]  Privileged Account Creation
  T1003.001_procdump-execution.txt  [T1003.001,T1036]  Procdump Execution
  T1055_process-creation-using-sysnative-folder.txt  [T1055]  Process Creation Using Sysnative Folder
  process-launched-without-image-name.txt  []  Process Launched Without Image Name
  T1218_process-memory-dump-via-dotnet-dump.txt  [T1218]  Process Memory Dump Via Dotnet-Dump
  T1068_process-monitor-driver-creation-by-non-sysinternals-binary.txt  [T1068]  Process Monitor Driver Creation By Non-Sysinternals Binary
  T1218_process-proxy-execution-via-squirrel-exe.txt  [T1218]  Process Proxy Execution Via Squirrel.EXE
  T1047_process-reconnaissance-via-wmic-exe.txt  [T1047]  Process Reconnaissance Via Wmic.EXE
  T1123_processes-accessing-the-microphone-and-webcam.txt  [T1123]  Processes Accessing the Microphone and Webcam
  T1218_program-executed-using-proxy-local-command-via-ssh-exe.txt  [T1218]  Program Executed Using Proxy/Local Command Via SSH.EXE
  T1584_program-executions-in-suspicious-folders.txt  [T1584,T1587]  Program Executions in Suspicious Folders
  T1202_proxy-execution-via-vshadow.txt  [T1202]  Proxy Execution via Vshadow
  psexec-service-execution.txt  []  PsExec Service Execution
  T1569.002_psexec-service-installation.txt  [T1569.002]  PsExec Service Installation
  T1569.002_psexec-tool-execution-from-suspicious-locations-pipename.txt  [T1569.002]  PsExec Tool Execution From Suspicious Locations - PipeName
  T1021_psexec-execution.txt  [T1021,T1569]  Psexec Execution
  publisher-attachment-file-dropped-in-suspicious-location.txt  []  Publisher Attachment File Dropped In Suspicious Location
  T1216.001_pubprn-vbs-proxy-execution.txt  [T1216.001]  Pubprn.vbs Proxy Execution
  T1046_python-initiated-connection.txt  [T1046]  Python Initiated Connection
  T1059_python-inline-command-execution.txt  [T1059]  Python Inline Command Execution
  T1059.006_python-path-configuration-file-creation-linux.txt  [T1059.006]  Python Path Configuration File Creation - Linux
  T1059.006_python-path-configuration-file-creation-macos.txt  [T1059.006]  Python Path Configuration File Creation - MacOS
  T1059.006_python-path-configuration-file-creation-windows.txt  [T1059.006]  Python Path Configuration File Creation - Windows
  T1190_python-sql-exceptions.txt  [T1190]  Python SQL Exceptions
  T1059_python-spawning-pretty-tty-via-pty-module.txt  [T1059]  Python Spawning Pretty TTY Via PTY Module
  T1048.003_python-webserver-execution-linux.txt  [T1048.003]  Python WebServer Execution - Linux
  query-usage-to-exfil-data.txt  []  Query Usage To Exfil Data
  T1021.001_rdp-enable-or-disable-via-win32-terminalservicesetting-wmi-c.txt  [T1021.001,T1047]  RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
  T1112_rdp-sensitive-settings-changed-to-zero.txt  [T1112]  RDP Sensitive Settings Changed to Zero
  T1190_rds-database-security-group-modification.txt  [T1190]  RDS Database Security Group Modification
  T1218_register-app-vbs-proxy-execution.txt  [T1218]  REGISTER_APP.VBS Proxy Execution
  T1003_rare-subscription-level-operations-in-azure.txt  [T1003]  Rare Subscription-level Operations In Azure
  T1567.002_rclone-activity-via-proxy.txt  [T1567.002]  Rclone Activity via Proxy
  T1567.002_rclone-config-file-creation.txt  [T1567.002]  Rclone Config File Creation
  T1059.003_read-contents-from-stdin-via-cmd-exe.txt  [T1059.003]  Read Contents From Stdin Via Cmd.EXE
  rebuild-performance-counter-values-via-lodctr-exe.txt  []  Rebuild Performance Counter Values Via Lodctr.EXE
  T1057_recon-command-output-piped-to-findstr-exe.txt  [T1057]  Recon Command Output Piped To Findstr.EXE
  T1119_recon-information-for-export-with-command-prompt.txt  [T1119]  Recon Information for Export with Command Prompt
  T1119_recon-information-for-export-with-powershell.txt  [T1119]  Recon Information for Export with PowerShell
  T1218.009_regasm-exe-initiating-network-connection-to-public-ip.txt  [T1218.009]  RegAsm.EXE Initiating Network Connection To Public IP
  register-new-ifiltre-for-persistence.txt  []  Register New IFiltre For Persistence
  T1112_registry-explorer-policy-modification.txt  [T1112]  Registry Explorer Policy Modification
  T1112_registry-hide-function-from-user.txt  [T1112]  Registry Hide Function from User
  T1012_registry-manipulation-via-wmi-stdregprov.txt  [T1012,T1047,T1112]  Registry Manipulation via WMI Stdregprov
  T1059.005_registry-modification-attempt-via-vbscript.txt  [T1059.005,T1112]  Registry Modification Attempt Via VBScript
  T1059.005_registry-modification-attempt-via-vbscript-powershell.txt  [T1059.005,T1112]  Registry Modification Attempt Via VBScript - PowerShell
  T1112_registry-modification-of-ms-settings-protocol-handler.txt  [T1112,T1546.001,T1548.002]  Registry Modification of MS-settings Protocol Handler
  T1137_registry-modification-to-hidden-file-extension.txt  [T1137]  Registry Modification to Hidden File Extension
  T1027.010_registry-set-with-crypto-classes-from-the-cryptography-power.txt  [T1027.010,T1059.001,T1547.001]  Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  T1574.012_registry-free-process-scope-cor-profiler.txt  [T1574.012]  Registry-Free Process Scope COR_PROFILER
  T1218.010_regsvr32-execution-from-potential-suspicious-location.txt  [T1218.010]  Regsvr32 Execution From Potential Suspicious Location
  T1218_regsvr32-exe-calling-of-dllregisterserver-export-function-im.txt  [T1218]  Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
  T1569.002_remcom-service-file-creation.txt  [T1569.002]  RemCom Service File Creation
  T1569.002_remcom-service-installation.txt  [T1569.002]  RemCom Service Installation
  T1219.002_remote-access-tool-action1-arbitrary-code-execution-and-remo.txt  [T1219.002]  Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  remote-access-tool-ammy-admin-agent-execution.txt  []  Remote Access Tool - Ammy Admin Agent Execution
  T1219.002_remote-access-tool-anydesk-execution.txt  [T1219.002]  Remote Access Tool - AnyDesk Execution
  remote-access-tool-anydesk-execution-with-known-revoked-sign.txt  []  Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
  T1219.002_remote-access-tool-anydesk-incoming-connection.txt  [T1219.002]  Remote Access Tool - AnyDesk Incoming Connection
  T1219.002_remote-access-tool-anydesk-piped-password-via-cli.txt  [T1219.002]  Remote Access Tool - AnyDesk Piped Password Via CLI
  remote-access-tool-cmd-exe-execution-via-anyviewer.txt  []  Remote Access Tool - Cmd.EXE Execution via AnyViewer
  T1219.002_remote-access-tool-gotoassist-execution.txt  [T1219.002]  Remote Access Tool - GoToAssist Execution
  T1219.002_remote-access-tool-logmein-execution.txt  [T1219.002]  Remote Access Tool - LogMeIn Execution
  T1219.002_remote-access-tool-meshagent-command-execution-via-meshcentr.txt  [T1219.002]  Remote Access Tool - MeshAgent Command Execution via MeshCentral
  T1219.002_remote-access-tool-netsupport-execution.txt  [T1219.002]  Remote Access Tool - NetSupport Execution
  remote-access-tool-netsupport-execution-from-unusual-locatio.txt  []  Remote Access Tool - NetSupport Execution From Unusual Location
  T1219.002_remote-access-tool-potential-meshagent-execution-macos.txt  [T1219.002]  Remote Access Tool - Potential MeshAgent Execution - MacOS
  T1219.002_remote-access-tool-potential-meshagent-execution-windows.txt  [T1219.002]  Remote Access Tool - Potential MeshAgent Execution - Windows
  remote-access-tool-rurat-execution-from-unusual-location.txt  []  Remote Access Tool - RURAT Execution From Unusual Location
  T1219.002_remote-access-tool-screenconnect-execution.txt  [T1219.002]  Remote Access Tool - ScreenConnect Execution
  T1133_remote-access-tool-screenconnect-installation-execution.txt  [T1133]  Remote Access Tool - ScreenConnect Installation Execution
  T1219.002_remote-access-tool-screenconnect-potential-suspicious-remote.txt  [T1219.002]  Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
  remote-access-tool-screenconnect-remote-command-execution-hu.txt  []  Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
  T1219.002_remote-access-tool-simple-help-execution.txt  [T1219.002]  Remote Access Tool - Simple Help Execution
  T1105_remote-access-tool-tacticalrmm-agent-registration-to-potenti.txt  [T1105,T1219]  Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
  T1219.002_remote-access-tool-ultraviewer-execution.txt  [T1219.002]  Remote Access Tool - UltraViewer Execution
  T1543.003_remote-access-tool-services-have-been-installed-security.txt  [T1543.003,T1569.002]  Remote Access Tool Services Have Been Installed - Security
  T1543.003_remote-access-tool-services-have-been-installed-system.txt  [T1543.003,T1569.002]  Remote Access Tool Services Have Been Installed - System
  T1216_remote-code-execute-via-winrm-vbs.txt  [T1216]  Remote Code Execute via Winrm.vbs
  T1204.002_remote-dll-load-via-rundll32-exe.txt  [T1204.002]  Remote DLL Load Via Rundll32.EXE
  T1105_remote-file-download-via-desktopimgdownldr-utility.txt  [T1105]  Remote File Download Via Desktopimgdownldr Utility
  T1105_remote-file-download-via-findstr-exe.txt  [T1105,T1218,T1552.001,T1564.004]  Remote File Download Via Findstr.EXE
  T1021.006_remote-powershell-session-host-process-winrm.txt  [T1021.006,T1059.001]  Remote PowerShell Session Host Process (WinRM)
  T1021.002_remote-service-activity-via-svcctl-named-pipe.txt  [T1021.002]  Remote Service Activity via SVCCTL Named Pipe
  T1053.002_remote-task-creation-via-atsvc-named-pipe.txt  [T1053.002]  Remote Task Creation via ATSVC Named Pipe
  T1053.002_remote-task-creation-via-atsvc-named-pipe-zeek.txt  [T1053.002]  Remote Task Creation via ATSVC Named Pipe - Zeek
  T1055_remote-thread-created-in-shell-application.txt  [T1055]  Remote Thread Created In Shell Application
  T1055.003_remote-thread-creation-in-uncommon-target-image.txt  [T1055.003]  Remote Thread Creation In Uncommon Target Image
  T1059.001_remote-thread-creation-via-powershell.txt  [T1059.001]  Remote Thread Creation Via PowerShell
  T1059.001_remote-thread-creation-via-powershell-in-uncommon-target.txt  [T1059.001,T1218.011]  Remote Thread Creation Via PowerShell In Uncommon Target
  remote-utilities-host-service-install.txt  []  Remote Utilities Host Service Install
  T1685_removal-of-index-value-to-hide-schedule-task-registry.txt  [T1685]  Removal Of Index Value to Hide Schedule Task - Registry
  T1685_removal-of-sd-value-to-hide-schedule-task-registry.txt  [T1685]  Removal Of SD Value to Hide Schedule Task - Registry
  T1112_removal-of-potential-com-hijacking-registry-keys.txt  [T1112]  Removal of Potential COM Hijacking Registry Keys
  T1531_remove-account-from-domain-admin-group.txt  [T1531]  Remove Account From Domain Admin Group
  T1222.002_remove-immutable-file-attribute.txt  [T1222.002]  Remove Immutable File Attribute
  T1222.002_remove-immutable-file-attribute-auditd.txt  [T1222.002]  Remove Immutable File Attribute - Auditd
  remove-scheduled-cron-task-job.txt  []  Remove Scheduled Cron Task/Job
  renamed-autohotkey-exe-execution.txt  []  Renamed AutoHotkey.EXE Execution
  T1553_renamed-boinc-client-execution.txt  [T1553]  Renamed BOINC Client Execution
  T1059_renamed-curl-exe-execution.txt  [T1059,T1202]  Renamed CURL.EXE Execution
  T1059_renamed-ftp-exe-execution.txt  [T1059,T1202]  Renamed FTP.EXE Execution
  renamed-microsoft-teams-execution.txt  []  Renamed Microsoft Teams Execution
  renamed-remote-utilities-rat-rurat-execution.txt  []  Renamed Remote Utilities RAT (RURAT) Execution
  T1105_replace-exe-usage.txt  [T1105]  Replace.exe Usage
  T1218.008_response-file-execution-via-odbcconf-exe.txt  [T1218.008]  Response File Execution Via Odbcconf.EXE
  T1218.011_rhadamanthys-stealer-module-launch-via-rundll32-exe.txt  [T1218.011]  Rhadamanthys Stealer Module Launch Via Rundll32.EXE
  T1078_root-account-enable-via-dsenableroot.txt  [T1078,T1078.001,T1078.003]  Root Account Enable Via Dsenableroot
  T1553.004_root-certificate-installed-powershell.txt  [T1553.004]  Root Certificate Installed - PowerShell
  T1059_ruby-inline-command-execution.txt  [T1059]  Ruby Inline Command Execution
  T1190_ruby-on-rails-framework-exceptions.txt  [T1190]  Ruby on Rails Framework Exceptions
  T1112_run-once-task-configuration-in-registry.txt  [T1112]  Run Once Task Configuration in Registry
  T1218.011_rundll32-installscreensaver-execution.txt  [T1218.011]  Rundll32 InstallScreenSaver Execution
  T1218.011_rundll32-internet-connection.txt  [T1218.011]  Rundll32 Internet Connection
  rundll32-spawned-via-explorer-exe.txt  []  Rundll32 Spawned Via Explorer.EXE
  T1218_rundll32-exe-calling-dllregisterserver-export-function-expli.txt  [T1218]  Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
  T1010_scm-database-handle-failure.txt  [T1010]  SCM Database Handle Failure
  T1548_scm-database-privileged-operation.txt  [T1548]  SCM Database Privileged Operation
  T1218.011_scr-file-write-event.txt  [T1218.011]  SCR File Write Event
  T1070_ses-identity-has-been-deleted.txt  [T1070]  SES Identity Has Been Deleted
  T1021.002_smb-spoolss-name-piped-usage.txt  [T1021.002]  SMB Spoolss Name Piped Usage
  T1570_smb-over-quic-via-net-exe.txt  [T1570]  SMB over QUIC Via Net.EXE
  T1570_smb-over-quic-via-powershell-script.txt  [T1570]  SMB over QUIC Via PowerShell Script
  T1059.001_sql-client-tools-powershell-session-detection.txt  [T1059.001,T1127]  SQL Client Tools PowerShell Session Detection
  T1589_sshd-error-message-cve-2018-15473.txt  [T1589]  SSHD Error Message CVE-2018-15473
  T1053.005_schedule-task-creation-from-env-variable-or-potentially-susp.txt  [T1053.005]  Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
  T1053.003_scheduled-cron-task-job-linux.txt  [T1053.003]  Scheduled Cron Task/Job - Linux
  T1053.003_scheduled-cron-task-job-macos.txt  [T1053.003]  Scheduled Cron Task/Job - MacOs
  T1053.005_scheduled-task-creation-from-potential-suspicious-parent-loc.txt  [T1053.005]  Scheduled Task Creation From Potential Suspicious Parent Location
  T1053.005_scheduled-task-creation-with-curl-and-powershell-execution-c.txt  [T1053.005,T1105,T1218]  Scheduled Task Creation with Curl and PowerShell Execution Combo
  T1053.005_scheduled-task-executed-from-a-suspicious-location.txt  [T1053.005]  Scheduled Task Executed From A Suspicious Location
  T1053.005_scheduled-task-executed-uncommon-lolbin.txt  [T1053.005]  Scheduled Task Executed Uncommon LOLBIN
  T1053.005_scheduled-task-executing-payload-from-registry.txt  [T1053.005,T1059.001]  Scheduled Task Executing Payload from Registry
  T1113_screen-capture-activity-via-psr-exe.txt  [T1113]  Screen Capture Activity Via Psr.EXE
  T1219.002_screenconnect-temporary-installation-artefact.txt  [T1219.002]  ScreenConnect Temporary Installation Artefact
  screenconnect-user-database-modification.txt  []  ScreenConnect User Database Modification
  screenconnect-user-database-modification-security.txt  []  ScreenConnect User Database Modification - Security
  T1218.011_screensaver-registry-key-set.txt  [T1218.011]  ScreenSaver Registry Key Set
  T1685_scripted-diagnostics-turn-off-check-enabled-registry.txt  [T1685]  Scripted Diagnostics Turn Off Check Enabled - Registry
  T1218.010_scripting-commandline-process-spawned-regsvr32.txt  [T1218.010]  Scripting/CommandLine Process Spawned Regsvr32
  T1548.002_sdclt-child-processes.txt  [T1548.002]  Sdclt Child Processes
  T1518.001_security-software-discovery-macos.txt  [T1518.001]  Security Software Discovery - MacOs
  T1518.001_security-software-discovery-via-powershell-script.txt  [T1518.001]  Security Software Discovery Via Powershell Script
  T1518.001_security-tools-keyword-lookup-via-findstr-exe.txt  [T1518.001]  Security Tools Keyword Lookup Via Findstr.EXE
  T1218_self-extraction-directive-file-created-in-potentially-suspic.txt  [T1218]  Self Extraction Directive File Created In Potentially Suspicious Location
  T1112_service-binary-in-user-controlled-folder.txt  [T1112]  Service Binary in User Controlled Folder
  T1543.003_service-installation-in-suspicious-folder.txt  [T1543.003]  Service Installation in Suspicious Folder
  T1047_service-reconnaissance-via-wmic-exe.txt  [T1047]  Service Reconnaissance Via Wmic.EXE
  T1574.011_service-registry-permissions-weakness-check.txt  [T1574.011]  Service Registry Permissions Weakness Check
  T1574.011_service-security-descriptor-tampering-via-sc-exe.txt  [T1574.011]  Service Security Descriptor Tampering Via Sc.EXE
  T1047_service-started-stopped-via-wmic-exe.txt  [T1047]  Service Started/Stopped Via Wmic.EXE
  T1047_service-startup-type-change-via-wmic-exe.txt  [T1047,T1685]  Service Startup Type Change Via Wmic.EXE
  T1685_service-startuptype-change-via-powershell-set-service.txt  [T1685]  Service StartupType Change Via PowerShell Set-Service
  T1685_service-startuptype-change-via-sc-exe.txt  [T1685]  Service StartupType Change Via Sc.EXE
  T1543.003_servicedll-hijack.txt  [T1543.003]  ServiceDll Hijack
  T1546.009_session-manager-autorun-keys-modification.txt  [T1546.009,T1547.001]  Session Manager Autorun Keys Modification
  T1574.005_setup16-exe-execution-with-custom-lst-file.txt  [T1574.005]  Setup16.EXE Execution With Custom .Lst File
  T1003_shadow-copies-creation-using-operating-systems-utilities.txt  [T1003,T1003.002,T1003.003]  Shadow Copies Creation Using Operating Systems Utilities
  T1190_sharepoint-toolshell-cve-2025-53770-exploitation-web-iis.txt  [T1190]  SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
  T1083_shell-invocation-via-apt-linux.txt  [T1083]  Shell Invocation via Apt - Linux
  shell-process-spawned-by-java-exe.txt  []  Shell Process Spawned by Java.EXE
  T1083_source-code-enumeration-detection-by-keyword.txt  [T1083]  Source Code Enumeration Detection by Keyword
  T1190_spring-framework-exceptions.txt  [T1190]  Spring Framework Exceptions
  standard-user-in-high-privileged-group.txt  []  Standard User In High Privileged Group
  start-of-nt-virtual-dos-machine.txt  []  Start of NT Virtual DOS Machine
  T1547.001_startup-folder-file-write.txt  [T1547.001]  Startup Folder File Write
  T1484.001_startup-logon-script-added-to-group-policy-object.txt  [T1484.001,T1547]  Startup/Logon Script Added to Group Policy Object
  T1078.004_successful-authentications-from-countries-you-do-not-operate.txt  [T1078.004,T1110]  Successful Authentications From Countries You Do Not Operate Out Of
  T1190_successful-iis-shortname-fuzzing-scan.txt  [T1190]  Successful IIS Shortname Fuzzing Scan
  T1039_suspicious-access-to-sensitive-file-extensions.txt  [T1039]  Suspicious Access to Sensitive File Extensions
  suspicious-access-to-sensitive-file-extensions-zeek.txt  []  Suspicious Access to Sensitive File Extensions - Zeek
  T1486_suspicious-appended-extension.txt  [T1486]  Suspicious Appended Extension
  suspicious-application-installed.txt  []  Suspicious Application Installed
  T1071.001_suspicious-base64-encoded-user-agent.txt  [T1071.001]  Suspicious Base64 Encoded User-Agent
  suspicious-c2-activities.txt  []  Suspicious C2 Activities
  T1202_suspicious-cabinet-file-execution-via-msdt-exe.txt  [T1202]  Suspicious Cabinet File Execution Via Msdt.EXE
  T1059.003_suspicious-child-process-of-sap-netweaver.txt  [T1059.003,T1190]  Suspicious Child Process of SAP NetWeaver
  T1059.003_suspicious-child-process-of-sap-netweaver-linux.txt  [T1059.003,T1190]  Suspicious Child Process of SAP NetWeaver - Linux
  T1036_suspicious-codepage-switch-via-chcp.txt  [T1036]  Suspicious CodePage Switch Via CHCP
  T1059.004_suspicious-commands-linux.txt  [T1059.004]  Suspicious Commands Linux
  T1078_suspicious-computer-machine-password-by-powershell.txt  [T1078]  Suspicious Computer Machine Password by PowerShell
  T1036.003_suspicious-copy-from-or-to-system-directory.txt  [T1036.003]  Suspicious Copy From or To System Directory
  T1486_suspicious-creation-txt-file-in-user-desktop.txt  [T1486]  Suspicious Creation TXT File in User Desktop
  T1187_suspicious-creation-of-library-ms-file-potential-cve-2025-24.txt  [T1187]  Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
  T1059.001_suspicious-crushftp-child-process.txt  [T1059.001,T1059.003,T1190]  Suspicious CrushFTP Child Process
  T1072_suspicious-csi-exe-usage.txt  [T1072,T1218]  Suspicious Csi.exe Usage
  T1071.001_suspicious-curl-change-user-agents-linux.txt  [T1071.001]  Suspicious Curl Change User Agents - Linux
  T1105_suspicious-curl-file-upload-linux.txt  [T1105,T1567]  Suspicious Curl File Upload - Linux
  T1590_suspicious-dns-query-for-ip-lookup-service-apis.txt  [T1590]  Suspicious DNS Query for IP Lookup Service APIs
  T1048.003_suspicious-dns-query-with-b64-encoded-string.txt  [T1048.003,T1071.004]  Suspicious DNS Query with B64 Encoded String
  T1095_suspicious-dns-z-flag-bit-set.txt  [T1095,T1571]  Suspicious DNS Z Flag Bit Set
  T1564.004_suspicious-diantz-alternate-data-stream-execution.txt  [T1564.004]  Suspicious Diantz Alternate Data Stream Execution
  T1105_suspicious-diantz-download-and-compress-into-a-cab-file.txt  [T1105]  Suspicious Diantz Download and Compress Into a CAB File
  suspicious-digital-signature-of-appx-package.txt  []  Suspicious Digital Signature Of AppX Package
  T1027_suspicious-download-via-certutil-exe.txt  [T1027,T1105]  Suspicious Download Via Certutil.EXE
  T1547_suspicious-driver-install-by-pnputil-exe.txt  [T1547]  Suspicious Driver Install by pnputil.exe
  suspicious-electron-application-child-processes.txt  []  Suspicious Electron Application Child Processes
  T1566.001_suspicious-email-delivered-in-microsoft-365.txt  [T1566.001,T1566.002]  Suspicious Email Delivered In Microsoft 365
  T1685.005_suspicious-eventlog-clear.txt  [T1685.005]  Suspicious Eventlog Clear
  suspicious-execution-of-installutil-without-log.txt  []  Suspicious Execution of InstallUtil Without Log
  T1059.001_suspicious-execution-of-powershell-with-base64.txt  [T1059.001]  Suspicious Execution of Powershell with Base64
  T1529_suspicious-execution-of-shutdown.txt  [T1529]  Suspicious Execution of Shutdown
  T1529_suspicious-execution-of-shutdown-to-log-out.txt  [T1529]  Suspicious Execution of Shutdown to Log Out
  T1059_suspicious-execution-via-macos-script-editor.txt  [T1059,T1059.002,T1204,T1204.001,T1553,T1566,T1566.002]  Suspicious Execution via macOS Script Editor
  T1564.004_suspicious-extrac32-alternate-data-stream-execution.txt  [T1564.004]  Suspicious Extrac32 Alternate Data Stream Execution
  T1105_suspicious-extrac32-execution.txt  [T1105]  Suspicious Extrac32 Execution
  T1059.006_suspicious-file-characteristics-due-to-missing-fields.txt  [T1059.006]  Suspicious File Characteristics Due to Missing Fields
  T1059_suspicious-file-created-in-perflogs.txt  [T1059]  Suspicious File Created In PerfLogs
  T1190_suspicious-file-drop-by-exchange.txt  [T1190,T1505.003]  Suspicious File Drop by Exchange
  T1190_suspicious-file-write-to-webapps-root-directory.txt  [T1190,T1505.003]  Suspicious File Write to Webapps Root Directory
  T1036.005_suspicious-files-in-default-gpo-folder.txt  [T1036.005]  Suspicious Files in Default GPO Folder
  T1132.001_suspicious-frombase64string-usage-on-gzip-archive-process-cr.txt  [T1132.001]  Suspicious FromBase64String Usage On Gzip Archive - Process Creation
  T1132.001_suspicious-frombase64string-usage-on-gzip-archive-ps-script.txt  [T1132.001]  Suspicious FromBase64String Usage On Gzip Archive - Ps Script
  T1003.006_suspicious-get-adreplaccount.txt  [T1003.006]  Suspicious Get-ADReplAccount
  T1546.015_suspicious-gettypefromclsid-shellexecute.txt  [T1546.015]  Suspicious GetTypeFromCLSID ShellExecute
  T1593.003_suspicious-git-clone.txt  [T1593.003]  Suspicious Git Clone
  T1593.003_suspicious-git-clone-linux.txt  [T1593.003]  Suspicious Git Clone - Linux
  T1087.001_suspicious-group-and-account-reconnaissance-activity-using-n.txt  [T1087.001,T1087.002]  Suspicious Group And Account Reconnaissance Activity Using Net.EXE
  T1552.003_suspicious-history-file-operations.txt  [T1552.003]  Suspicious History File Operations
  T1552.003_suspicious-history-file-operations-linux.txt  [T1552.003]  Suspicious History File Operations - Linux
  T1564.006_suspicious-hyper-v-cmdlets.txt  [T1564.006]  Suspicious Hyper-V Cmdlets
  suspicious-iis-url-globalrules-rewrite-via-appcmd.txt  []  Suspicious IIS URL GlobalRules Rewrite Via AppCmd
  T1070.003_suspicious-io-filestream.txt  [T1070.003]  Suspicious IO.FileStream
  T1059_suspicious-installer-package-child-process.txt  [T1059,T1059.007,T1071,T1071.001]  Suspicious Installer Package Child Process
  T1553.005_suspicious-invoke-item-from-mount-diskimage.txt  [T1553.005]  Suspicious Invoke-Item From Mount-DiskImage
  T1105_suspicious-invoke-webrequest-execution-with-directip.txt  [T1105]  Suspicious Invoke-WebRequest Execution With DirectIP
  T1558.003_suspicious-kerberos-rc4-ticket-encryption.txt  [T1558.003]  Suspicious Kerberos RC4 Ticket Encryption
  T1588.002_suspicious-keyboard-layout-load.txt  [T1588.002]  Suspicious Keyboard Layout Load
  T1036.007_suspicious-lnk-double-extension-file-created.txt  [T1036.007]  Suspicious LNK Double Extension File Created
  suspicious-log-entries.txt  []  Suspicious Log Entries
  T1078.004_suspicious-login-activity-classified-by-google.txt  [T1078.004]  Suspicious Login Activity Classified By Google
  suspicious-macos-firmware-activity.txt  []  Suspicious MacOS Firmware Activity
  suspicious-msbuild-execution-by-uncommon-parent-process.txt  []  Suspicious Msbuild Execution By Uncommon Parent Process
  T1218.007_suspicious-msiexec-embedding-parent.txt  [T1218.007]  Suspicious MsiExec Embedding Parent
  T1218.007_suspicious-msiexec-execute-arbitrary-dll.txt  [T1218.007]  Suspicious Msiexec Execute Arbitrary DLL
  T1218.007_suspicious-msiexec-quiet-install-from-remote-location.txt  [T1218.007]  Suspicious Msiexec Quiet Install From Remote Location
  T1016_suspicious-network-connection-to-ip-lookup-service-apis.txt  [T1016]  Suspicious Network Connection to IP Lookup Service APIs
  suspicious-new-instance-of-an-office-com-object.txt  []  Suspicious New Instance Of An Office COM Object
  T1021.002_suspicious-new-psdrive-to-admin-share.txt  [T1021.002]  Suspicious New-PSDrive to Admin Share
  T1021.003_suspicious-non-powershell-wsman-com-provider.txt  [T1021.003,T1059.001]  Suspicious Non PowerShell WSMAN COM Provider
  T1102_suspicious-non-browser-network-communication-with-telegram-a.txt  [T1102,T1105,T1567]  Suspicious Non-Browser Network Communication With Telegram API
  suspicious-oauth-app-file-download-activities.txt  []  Suspicious OAuth App File Download Activities
  T1190_suspicious-openssh-daemon-error.txt  [T1190]  Suspicious OpenSSH Daemon Error
  T1048.003_suspicious-outbound-smtp-connections.txt  [T1048.003]  Suspicious Outbound SMTP Connections
  T1685_suspicious-procexp152-sys-file-created-in-tmp.txt  [T1685]  Suspicious PROCEXP152.sys File Created In TMP
  T1553.004_suspicious-package-installed-linux.txt  [T1553.004]  Suspicious Package Installed - Linux
  T1059.001_suspicious-powershell-download-poshmodule.txt  [T1059.001]  Suspicious PowerShell Download - PoshModule
  T1059.001_suspicious-powershell-download-powershell-script.txt  [T1059.001]  Suspicious PowerShell Download - Powershell Script
  T1547.001_suspicious-powershell-in-registry-run-keys.txt  [T1547.001]  Suspicious PowerShell In Registry Run Keys
  T1059.001_suspicious-powershell-invocation-from-script-engines.txt  [T1059.001]  Suspicious PowerShell Invocation From Script Engines
  suspicious-powershell-invocations-specific-processcreation.txt  []  Suspicious PowerShell Invocations - Specific - ProcessCreation
  T1564.003_suspicious-powershell-windowstyle-option.txt  [T1564.003]  Suspicious PowerShell WindowStyle Option
  suspicious-powercfg-execution-to-change-lock-screen-timeout.txt  []  Suspicious Powercfg Execution To Change Lock Screen Timeout
  T1036_suspicious-process-start-locations.txt  [T1036]  Suspicious Process Start Locations
  T1059_suspicious-rasdial-activity.txt  [T1059]  Suspicious RASdial Activity
  T1087.001_suspicious-reconnaissance-activity-using-get-localgroupmembe.txt  [T1087.001]  Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
  T1222.001_suspicious-recursive-takeown.txt  [T1222.001]  Suspicious Recursive Takeown
  T1110.001_suspicious-rejected-smb-guest-logon-from-ip.txt  [T1110.001]  Suspicious Rejected SMB Guest Logon From IP
  T1078_suspicious-remote-logon-with-explicit-credentials.txt  [T1078]  Suspicious Remote Logon with Explicit Credentials
  suspicious-runas-like-flag-combination.txt  []  Suspicious RunAs-Like Flag Combination
  T1218.011_suspicious-rundll32-setupapi-dll-activity.txt  [T1218.011]  Suspicious Rundll32 Setupapi.dll Activity
  T1059_suspicious-runscripthelper-exe.txt  [T1059,T1202]  Suspicious Runscripthelper.exe
  T1190_suspicious-sql-query.txt  [T1190,T1505.001]  Suspicious SQL Query
  T1552.006_suspicious-sysvol-domain-group-policy-access.txt  [T1552.006]  Suspicious SYSVOL Domain Group Policy Access
  T1018_suspicious-scan-loop-network.txt  [T1018,T1059]  Suspicious Scan Loop Network
  T1036.005_suspicious-scheduled-task-creation-via-masqueraded-xml-file.txt  [T1036.005,T1053.005]  Suspicious Scheduled Task Creation via Masqueraded XML File
  T1053.005_suspicious-scheduled-task-name-as-guid.txt  [T1053.005]  Suspicious Scheduled Task Name As GUID
  T1053.005_suspicious-schtasks-schedule-type-with-high-privileges.txt  [T1053.005]  Suspicious Schtasks Schedule Type With High Privileges
  T1546.002_suspicious-screensave-change-by-reg-exe.txt  [T1546.002]  Suspicious ScreenSave Change by Reg.exe
  T1546.002_suspicious-screensaver-binary-file-creation.txt  [T1546.002]  Suspicious Screensaver Binary File Creation
  T1685_suspicious-service-installed.txt  [T1685]  Suspicious Service Installed
  T1221_suspicious-set-value-of-msdt-in-registry-cve-2022-30190.txt  [T1221]  Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
  T1546.001_suspicious-shell-open-command-registry-modification.txt  [T1546.001,T1548.002]  Suspicious Shell Open Command Registry Modification
  T1036.003_suspicious-start-process-passthru.txt  [T1036.003]  Suspicious Start-Process PassThru
  T1210_suspicious-sysaidserver-child.txt  [T1210]  Suspicious SysAidServer Child
  T1090_suspicious-tcp-tunnel-via-powershell-script.txt  [T1090]  Suspicious TCP Tunnel Via PowerShell Script
  T1553.005_suspicious-unblock-file.txt  [T1553.005]  Suspicious Unblock-File
  T1003.003_suspicious-usage-of-active-directory-diagnostic-tool-ntdsuti.txt  [T1003.003]  Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
  T1027.010_suspicious-usage-of-for-loop-with-recursive-directory-search.txt  [T1027.010,T1059.003]  Suspicious Usage of For Loop with Recursive Directory Search in CMD
  suspicious-use-of-dev-tcp.txt  []  Suspicious Use of /dev/tcp
  T1087_suspicious-use-of-psloglist.txt  [T1087,T1087.001,T1087.002]  Suspicious Use of PsLogList
  T1190_suspicious-user-agents-related-to-recon-tools.txt  [T1190]  Suspicious User-Agents Related To Recon Tools
  T1112_suspicious-vboxdrvinst-exe-parameters.txt  [T1112]  Suspicious VBoxDrvInst.exe Parameters
  T1190_suspicious-vsftpd-error-messages.txt  [T1190]  Suspicious VSFTPD Error Messages
  T1218_suspicious-vsls-agent-command-with-agentextensionpath-load.txt  [T1218]  Suspicious Vsls-Agent Command With AgentExtensionPath Load
  T1685_suspicious-windows-defender-folder-exclusion-added-via-reg-e.txt  [T1685]  Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
  suspicious-windowsterminal-child-processes.txt  []  Suspicious WindowsTerminal Child Processes
  suspicious-wordpad-outbound-connections.txt  []  Suspicious Wordpad Outbound Connections
  suspicious-workstation-locking-via-rundll32.txt  []  Suspicious Workstation Locking via Rundll32
  T1553.004_suspicious-x509enrollment-process-creation.txt  [T1553.004]  Suspicious X509Enrollment - Process Creation
  T1553.004_suspicious-x509enrollment-ps-script.txt  [T1553.004]  Suspicious X509Enrollment - Ps Script
  T1027_suspicious-xor-encoded-powershell-command.txt  [T1027,T1059.001,T1140]  Suspicious XOR Encoded PowerShell Command
  T1202_suspicious-zipexec-execution.txt  [T1202,T1218]  Suspicious ZipExec Execution
  T1218_syncappvpublishingserver-bypass-powershell-restriction-ps-mo.txt  [T1218]  SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
  T1218_syncappvpublishingserver-execute-arbitrary-powershell-code.txt  [T1218]  SyncAppvPublishingServer Execute Arbitrary PowerShell Code
  T1218_syncappvpublishingserver-execution-to-bypass-powershell-rest.txt  [T1218]  SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  T1216_syncappvpublishingserver-vbs-execute-arbitrary-powershell-co.txt  [T1216,T1218]  SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
  T1543.003_sysinternals-psservice-execution.txt  [T1543.003]  Sysinternals PsService Execution
  T1543.003_sysinternals-pssuspend-execution.txt  [T1543.003]  Sysinternals PsSuspend Execution
  sysmon-configuration-change.txt  []  Sysmon Configuration Change
  T1685_sysmon-configuration-update.txt  [T1685]  Sysmon Configuration Update
  sysmon-file-executable-creation-detected.txt  []  Sysmon File Executable Creation Detected
  T1059_sysprep-on-appdata-folder.txt  [T1059]  Sysprep on AppData Folder
  T1047_system-disk-and-volume-reconnaissance-via-wmic-exe.txt  [T1047,T1082]  System Disk And Volume Reconnaissance Via Wmic.EXE
  T1082_system-information-discovery-using-ioreg.txt  [T1082]  System Information Discovery Using Ioreg
  T1082_system-information-discovery-using-system-profiler.txt  [T1082,T1497.001]  System Information Discovery Using System_Profiler
  T1082_system-information-discovery-using-sw-vers.txt  [T1082]  System Information Discovery Using sw_vers
  T1082_system-information-discovery-via-sysctl-macos.txt  [T1082,T1497.001]  System Information Discovery Via Sysctl - MacOS
  T1518.001_system-integrity-protection-sip-disabled.txt  [T1518.001]  System Integrity Protection (SIP) Disabled
  T1614.001_system-language-discovery-via-reg-exe.txt  [T1614.001]  System Language Discovery via Reg.Exe
  T1547.001_system-scripts-autorun-keys-modification.txt  [T1547.001]  System Scripts Autorun Keys Modification
  T1543.002_systemd-service-creation.txt  [T1543.002]  Systemd Service Creation
  T1219.002_tacticalrmm-service-installation.txt  [T1219.002]  TacticalRMM Service Installation
  T1048_tap-driver-installation.txt  [T1048]  Tap Driver Installation
  T1048_tap-installer-execution.txt  [T1048]  Tap Installer Execution
  T1219.002_teamviewer-domain-query-by-non-teamviewer-application.txt  [T1219.002]  TeamViewer Domain Query By Non-TeamViewer Application
  T1219.002_teamviewer-remote-session.txt  [T1219.002]  TeamViewer Remote Session
  T1071.001_telegram-api-access.txt  [T1071.001,T1102.002]  Telegram API Access
  T1102.002_telegram-bot-api-request.txt  [T1102.002]  Telegram Bot API Request
  T1685_terminate-linux-process-via-kill.txt  [T1685]  Terminate Linux Process Via Kill
  T1571_testing-usage-of-uncommonly-used-port.txt  [T1571]  Testing Usage of Uncommonly Used Port
  T1574.001_third-party-software-dll-sideloading.txt  [T1574.001]  Third Party Software DLL Sideloading
  T1490_time-machine-backup-deletion-attempt-via-tmutil-macos.txt  [T1490]  Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  T1490_time-machine-backup-disabled-via-tmutil-macos.txt  [T1490]  Time Machine Backup Disabled Via Tmutil - MacOS
  T1070_tomcat-webserver-logs-deleted.txt  [T1070]  Tomcat WebServer Logs Deleted
  T1070.006_touch-suspicious-service-file.txt  [T1070.006]  Touch Suspicious Service File
  T1003.001_transferring-files-with-credential-data-via-network-shares.txt  [T1003.001,T1003.002,T1003.003]  Transferring Files with Credential Data via Network Shares
  T1003.001_transferring-files-with-credential-data-via-network-shares-z.txt  [T1003.001,T1003.002,T1003.003]  Transferring Files with Credential Data via Network Shares - Zeek
  T1202_troubleshooting-pack-cmdlet-execution.txt  [T1202]  Troubleshooting Pack Cmdlet Execution
  T1041_tunneling-tool-execution.txt  [T1041,T1071.001,T1572]  Tunneling Tool Execution
  T1548_uac-bypass-via-windows-firewall-snap-in-hijack.txt  [T1548]  UAC Bypass via Windows Firewall Snap-In Hijack
  T1548.002_uac-disabled.txt  [T1548.002]  UAC Disabled
  T1548.002_uac-notification-disabled.txt  [T1548.002]  UAC Notification Disabled
  T1548.002_uac-secure-desktop-prompt-disabled.txt  [T1548.002]  UAC Secure Desktop Prompt Disabled
  T1686_ufw-disable-attempt.txt  [T1686]  UFW Disable Attempt
  T1218_uncommon-assistive-technology-applications-execution-via-atb.txt  [T1218]  Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
  T1218_uncommon-addinutil-exe-commandline-execution.txt  [T1218]  Uncommon AddinUtil.EXE CommandLine Execution
  T1218_uncommon-child-process-of-addinutil-exe.txt  [T1218]  Uncommon Child Process Of AddinUtil.EXE
  T1218_uncommon-child-process-of-appvlp-exe.txt  [T1218]  Uncommon Child Process Of Appvlp.EXE
  T1059.005_uncommon-child-process-of-bginfo-exe.txt  [T1059.005,T1202,T1218]  Uncommon Child Process Of BgInfo.EXE
  T1218_uncommon-child-process-of-defaultpack-exe.txt  [T1218]  Uncommon Child Process Of Defaultpack.EXE
  T1218.008_uncommon-child-process-spawned-by-odbcconf-exe.txt  [T1218.008]  Uncommon Child Process Spawned By Odbcconf.EXE
  uncommon-child-processes-of-sndvol-exe.txt  []  Uncommon Child Processes Of SndVol.exe
  T1087_uncommon-connection-to-active-directory-web-services.txt  [T1087]  Uncommon Connection to Active Directory Web Services
  T1003.001_uncommon-grantedaccess-flags-on-lsass.txt  [T1003.001]  Uncommon GrantedAccess Flags On LSASS
  T1218_uncommon-link-exe-parent-process.txt  [T1218]  Uncommon Link.EXE Parent Process
  T1550.003_uncommon-outbound-kerberos-connection.txt  [T1550.003,T1558]  Uncommon Outbound Kerberos Connection
  T1558.003_uncommon-outbound-kerberos-connection-security.txt  [T1558.003]  Uncommon Outbound Kerberos Connection - Security
  T1059.001_uncommon-powershell-hosts.txt  [T1059.001]  Uncommon PowerShell Hosts
  T1543.003_uncommon-service-installation-image-path.txt  [T1543.003]  Uncommon Service Installation Image Path
  T1216_uncommon-sigverif-exe-child-process.txt  [T1216]  Uncommon Sigverif.EXE Child Process
  T1082_uncommon-system-information-discovery-via-wmic-exe.txt  [T1082]  Uncommon System Information Discovery Via Wmic.EXE
  T1546.004_unix-shell-configuration-modification.txt  [T1546.004]  Unix Shell Configuration Modification
  T1036.005_unsigned-node-file-loaded.txt  [T1036.005,T1129,T1574.001]  Unsigned .node File Loaded
  unsigned-appx-installation-attempt-using-add-appxpackage.txt  []  Unsigned AppX Installation Attempt Using Add-AppxPackage
  unsigned-appx-installation-attempt-using-add-appxpackage-pss.txt  []  Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
  T1003.001_unsigned-image-loaded-into-lsass-process.txt  [T1003.001]  Unsigned Image Loaded Into LSASS Process
  T1574.001_unsigned-module-loaded-by-clickonce-application.txt  [T1574.001]  Unsigned Module Loaded by ClickOnce Application
  T1021.002_unsigned-or-unencrypted-smb-connection-to-share-established.txt  [T1021.002]  Unsigned or Unencrypted SMB Connection to Share Established
  T1564.004_unusual-file-download-from-file-sharing-websites-file-stream.txt  [T1564.004]  Unusual File Download From File Sharing Websites - File Stream
  T1059_unusual-parent-process-for-cmd-exe.txt  [T1059]  Unusual Parent Process For Cmd.EXE
  T1059.001_usage-of-web-request-commands-and-cmdlets.txt  [T1059.001]  Usage Of Web Request Commands And Cmdlets
  T1059.001_usage-of-web-request-commands-and-cmdlets-scriptblock.txt  [T1059.001]  Usage Of Web Request Commands And Cmdlets - ScriptBlock
  T1564.001_use-icacls-to-hide-file-to-everyone.txt  [T1564.001]  Use Icacls to Hide File to Everyone
  T1564.004_use-ntfs-short-name-in-command-line.txt  [T1564.004]  Use NTFS Short Name in Command Line
  T1564.004_use-ntfs-short-name-in-image.txt  [T1564.004]  Use NTFS Short Name in Image
  T1218_use-of-the-sftp-exe-binary-as-a-lolbin.txt  [T1218]  Use Of The SFTP.EXE Binary As A LOLBIN
  T1564.004_use-short-name-path-in-command-line.txt  [T1564.004]  Use Short Name Path in Command Line
  T1564.004_use-short-name-path-in-image.txt  [T1564.004]  Use Short Name Path in Image
  T1059_use-of-fsharp-interpreters.txt  [T1059]  Use of FSharp Interpreters
  T1059_use-of-openconsole.txt  [T1059]  Use of OpenConsole
  T1059_use-of-pcalua-for-execution.txt  [T1059]  Use of Pcalua For Execution
  T1127_use-of-remote-exe.txt  [T1127]  Use of Remote.exe
  T1218_use-of-scriptrunner-exe.txt  [T1218]  Use of Scriptrunner.exe
  T1127_use-of-ttdinject-exe.txt  [T1127]  Use of TTDInject.exe
  T1219.002_use-of-ultravnc-remote-access-software.txt  [T1219.002]  Use of UltraVNC Remote Access Software
  T1127_use-of-vsiisexelauncher-exe.txt  [T1127]  Use of VSIISExeLauncher.exe
  T1218_use-of-visualuiaverifynative-exe.txt  [T1218]  Use of VisualUiaVerifyNative.exe
  T1127_use-of-wfc-exe.txt  [T1127]  Use of Wfc.exe
  T1078.004_user-access-blocked-by-azure-conditional-access.txt  [T1078.004,T1110]  User Access Blocked by Azure Conditional Access
  T1078.003_user-added-to-admin-group-via-dscl.txt  [T1078.003]  User Added To Admin Group Via Dscl
  T1078.003_user-added-to-admin-group-via-dseditgroup.txt  [T1078.003]  User Added To Admin Group Via DseditGroup
  T1078.003_user-added-to-admin-group-via-sysadminctl.txt  [T1078.003]  User Added To Admin Group Via Sysadminctl
  T1548_user-added-to-group-with-ca-policy-modification-access.txt  [T1548,T1556]  User Added To Group With CA Policy Modification Access
  user-added-to-root-sudoers-group-using-usermod.txt  []  User Added To Root/Sudoers Group Using Usermod
  T1078_user-added-to-local-administrator-group.txt  [T1078,T1098]  User Added to Local Administrator Group
  T1098_user-added-to-local-administrators-group.txt  [T1098]  User Added to Local Administrators Group
  T1078_user-added-to-an-administrator-s-azure-ad-role.txt  [T1078,T1098.003]  User Added to an Administrator's Azure AD Role
  T1033_user-discovery-and-export-via-get-aduser-cmdlet.txt  [T1033]  User Discovery And Export Via Get-ADUser Cmdlet
  T1033_user-discovery-and-export-via-get-aduser-cmdlet-powershell.txt  [T1033]  User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
  T1531_user-has-been-deleted-via-userdel.txt  [T1531]  User Has Been Deleted Via Userdel
  T1548_user-removed-from-group-with-ca-policy-modification-access.txt  [T1548,T1556]  User Removed From Group With CA Policy Modification Access
  T1078.004_user-state-changed-from-guest-to-member.txt  [T1078.004]  User State Changed From Guest To Member
  T1078.004_users-authenticating-to-other-azure-ad-tenants.txt  [T1078.004]  Users Authenticating To Other Azure AD Tenants
  T1216_utilityfunctions-ps1-proxy-dll.txt  [T1216]  UtilityFunctions.ps1 Proxy Dll
  T1587.001_vhd-image-download-via-browser.txt  [T1587.001]  VHD Image Download Via Browser
  T1574.001_vmguestlib-dll-sideload.txt  [T1574.001]  VMGuestLib DLL Sideload
  T1574.001_vmmap-signed-dbghelp-dll-potential-sideloading.txt  [T1574.001]  VMMap Signed Dbghelp.DLL Potential Sideloading
  T1005_veeam-backup-database-suspicious-query.txt  [T1005]  Veeam Backup Database Suspicious Query
  T1218_verclsid-exe-runs-com-object.txt  [T1218]  Verclsid.exe Runs COM Object
  visual-studio-code-tunnel-remote-file-creation.txt  []  Visual Studio Code Tunnel Remote File Creation
  T1071.001_visual-studio-code-tunnel-service-installation.txt  [T1071.001]  Visual Studio Code Tunnel Service Installation
  T1071.001_visual-studio-code-tunnel-shell-execution.txt  [T1071.001]  Visual Studio Code Tunnel Shell Execution
  T1218_visual-studio-nodejstools-pressanykey-arbitrary-binary-execu.txt  [T1218]  Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
  T1218_visual-studio-nodejstools-pressanykey-renamed-execution.txt  [T1218]  Visual Studio NodejsTools PressAnyKey Renamed Execution
  vscode-code-tunnel-execution-file-indicator.txt  []  VsCode Code Tunnel Execution File Indicator
  T1546.013_vscode-powershell-profile-modification.txt  [T1546.013]  VsCode Powershell Profile Modification
  T1685_wdac-policy-file-creation-in-codeintegrity-folder.txt  [T1685]  WDAC Policy File Creation In CodeIntegrity Folder
  T1569.002_wfp-filter-added-via-registry.txt  [T1569.002,T1685]  WFP Filter Added via Registry
  T1546.003_wmi-activescripteventconsumers-activity-via-scrcons-exe-dll.txt  [T1546.003]  WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
  T1047_wmi-event-consumer-created-named-pipe.txt  [T1047]  WMI Event Consumer Created Named Pipe
  T1546.003_wmi-event-subscription.txt  [T1546.003]  WMI Event Subscription
  T1546.003_wmi-persistence.txt  [T1546.003]  WMI Persistence
  T1546.003_wmi-persistence-script-event-consumer.txt  [T1546.003]  WMI Persistence - Script Event Consumer
  T1546.003_wmi-persistence-security.txt  [T1546.003]  WMI Persistence - Security
  T1220_wmic-loading-scripting-libraries.txt  [T1220]  WMIC Loading Scripting Libraries
  T1047_wmic-remote-command-execution.txt  [T1047]  WMIC Remote Command Execution
  T1047_wmic-unquoted-services-path-lookup-powershell.txt  [T1047]  WMIC Unquoted Services Path Lookup - PowerShell
  T1059.005_wsf-jse-js-vba-vbe-file-execution-via-cscript-wscript.txt  [T1059.005,T1059.007]  WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
  T1202_wsl-child-process-anomaly.txt  [T1202,T1218]  WSL Child Process Anomaly
  weak-or-abused-passwords-in-cli.txt  []  Weak or Abused Passwords In CLI
  T1566_webdav-temporary-local-file-creation.txt  [T1566,T1584]  WebDAV Temporary Local File Creation
  T1048.003_webdav-client-execution-via-rundll32-exe.txt  [T1048.003]  WebDav Client Execution Via Rundll32.EXE
  T1685_werfaultsecure-loading-dbgcore-or-dbghelp-edr-freeze.txt  [T1685]  WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
  T1105_wget-creating-files-in-tmp-directory.txt  [T1105]  Wget Creating Files in Tmp Directory
  T1033_whoami-exe-execution-with-output-option.txt  [T1033]  Whoami.EXE Execution With Output Option
  T1059.001_winapi-function-calls-via-powershell-scripts.txt  [T1059.001,T1106]  WinAPI Function Calls Via PowerShell Scripts
  T1059.001_winapi-library-calls-via-powershell-scripts.txt  [T1059.001,T1106]  WinAPI Library Calls Via PowerShell Scripts
  T1560.001_winrar-execution-in-non-standard-folder.txt  [T1560.001]  WinRAR Execution in Non-Standard Folder
  T1547.001_winsock2-autorun-keys-modification.txt  [T1547.001]  WinSock2 Autorun Keys Modification
  winsxs-executable-file-creation-by-non-system-process.txt  []  WinSxS Executable File Creation By Non-System Process
  T1021.002_windows-admin-share-mount-via-net-exe.txt  [T1021.002]  Windows Admin Share Mount Via Net.EXE
  T1204.002_windows-appx-deployment-full-trust-package-installation.txt  [T1204.002,T1553.005]  Windows AppX Deployment Full Trust Package Installation
  T1204.002_windows-appx-deployment-unsigned-package-installation.txt  [T1204.002,T1553.005]  Windows AppX Deployment Unsigned Package Installation
  T1490_windows-backup-deleted-via-wbadmin-exe.txt  [T1490]  Windows Backup Deleted Via Wbadmin.EXE
  T1202_windows-binary-executed-from-wsl.txt  [T1202]  Windows Binary Executed From WSL
  T1555.004_windows-credential-manager-access-via-vaultcmd.txt  [T1555.004]  Windows Credential Manager Access via VaultCmd
  T1484.001_windows-default-domain-gpo-modification.txt  [T1484.001]  Windows Default Domain GPO Modification
  T1484.001_windows-default-domain-gpo-modification-via-gpme.txt  [T1484.001]  Windows Default Domain GPO Modification via GPME
  T1685_windows-defender-exclusion-list-modified.txt  [T1685]  Windows Defender Exclusion List Modified
  T1685_windows-defender-exclusion-registry-key-write-access-request.txt  [T1685]  Windows Defender Exclusion Registry Key - Write Access Requested
  T1685_windows-defender-exclusions-added.txt  [T1685]  Windows Defender Exclusions Added
  T1059_windows-defender-exclusions-added-powershell.txt  [T1059,T1685]  Windows Defender Exclusions Added - PowerShell
  T1685_windows-defender-exclusions-added-registry.txt  [T1685]  Windows Defender Exclusions Added - Registry
  T1685_windows-defender-real-time-protection-failure-restart.txt  [T1685]  Windows Defender Real-Time Protection Failure/Restart
  T1685_windows-defender-threat-detection-service-disabled.txt  [T1685]  Windows Defender Threat Detection Service Disabled
  T1685_windows-firewall-disabled-via-powershell.txt  [T1685]  Windows Firewall Disabled via PowerShell
  T1686.003_windows-firewall-profile-disabled.txt  [T1686.003]  Windows Firewall Profile Disabled
  T1047_windows-hotfix-updates-reconnaissance-via-wmic-exe.txt  [T1047]  Windows Hotfix Updates Reconnaissance Via Wmic.EXE
  windows-kernel-debugger-execution.txt  []  Windows Kernel Debugger Execution
  T1070.008_windows-mail-app-mailbox-access-via-powershell-script.txt  [T1070.008]  Windows Mail App Mailbox Access Via PowerShell Script
  T1547.009_windows-network-access-suspicious-desktop-ini-action.txt  [T1547.009]  Windows Network Access Suspicious desktop.ini Action
  T1040_windows-pcap-drivers.txt  [T1040]  Windows Pcap Drivers
  T1071.001_windows-powershell-user-agent.txt  [T1071.001]  Windows PowerShell User Agent
  T1113_windows-recall-feature-enabled-disableaidataanalysis-value-d.txt  [T1113]  Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  T1113_windows-recall-feature-enabled-registry.txt  [T1113]  Windows Recall Feature Enabled - Registry
  T1113_windows-recall-feature-enabled-via-reg-exe.txt  [T1113]  Windows Recall Feature Enabled Via Reg.EXE
  T1490_windows-recovery-environment-disabled-via-reagentc.txt  [T1490]  Windows Recovery Environment Disabled Via Reagentc
  T1566.001_windows-registry-trust-record-modification.txt  [T1566.001]  Windows Registry Trust Record Modification
  T1113_windows-screen-capture-with-copyfromscreen.txt  [T1113]  Windows Screen Capture with CopyFromScreen
  T1547.015_windows-terminal-profile-settings-modification-by-uncommon-p.txt  [T1547.015]  Windows Terminal Profile Settings Modification By Uncommon Process
  T1112_winlogon-allowmultipletssessions-enable.txt  [T1112]  Winlogon AllowMultipleTSSessions Enable
  T1547.004_winlogon-helper-dll.txt  [T1547.004]  Winlogon Helper DLL
  T1560.001_winrar-compressing-dump-files.txt  [T1560.001]  Winrar Compressing Dump Files
  T1048_winscp-execution-from-non-standard-folder.txt  [T1048]  Winscp Execution From Non Standard Folder
  T1547.001_wow6432node-classes-autorun-keys-modification.txt  [T1547.001]  Wow6432Node Classes Autorun Keys Modification
  T1685_write-protect-for-storage-disabled.txt  [T1685]  Write Protect For Storage Disabled
  T1546.002_writing-local-admin-share.txt  [T1546.002]  Writing Local Admin Share
  T1059_writing-of-malicious-files-to-the-fonts-folder.txt  [T1059,T1211]  Writing Of Malicious Files To The Fonts Folder
  T1059_wscript-shell-run-in-commandline.txt  [T1059]  Wscript Shell Run In CommandLine
  T1218_xbap-execution-from-uncommon-locations-via-presentationhost.txt  [T1218]  XBAP Execution From Uncommon Locations Via PresentationHost.EXE
  T1047_xsl-script-execution-via-wmic-exe.txt  [T1047,T1059.005,T1059.007,T1220]  XSL Script Execution Via WMIC.EXE
  T1190_zimbra-collaboration-suite-email-server-unauthenticated-rce.txt  [T1190]  Zimbra Collaboration Suite Email Server Unauthenticated RCE
  T1074.001_zip-a-folder-with-powershell-for-staging-in-temp-powershell.txt  [T1074.001]  Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
  T1074.001_zip-a-folder-with-powershell-for-staging-in-temp-powershell_2.txt  [T1074.001]  Zip A Folder With PowerShell For Staging In Temp - PowerShell
  T1074.001_zip-a-folder-with-powershell-for-staging-in-temp-powershell_3.txt  [T1074.001]  Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
  T1098_a-member-was-added-to-a-security-enabled-global-group.txt  [T1098]  A Member Was Added to a Security-Enabled Global Group
  T1098_a-member-was-removed-from-a-security-enabled-global-group.txt  [T1098]  A Member Was Removed From a Security-Enabled Global Group
  T1098_a-security-enabled-global-group-was-deleted.txt  [T1098]  A Security-Enabled Global Group Was Deleted
  T1069.001_ad-groups-or-users-enumeration-using-powershell-poshmodule.txt  [T1069.001]  AD Groups Or Users Enumeration Using PowerShell - PoshModule
  T1069.001_ad-groups-or-users-enumeration-using-powershell-scriptblock.txt  [T1069.001]  AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
  adcs-certificate-template-configuration-vulnerability.txt  []  ADCS Certificate Template Configuration Vulnerability
  T1070.004_ads-zone-identifier-deleted.txt  [T1070.004]  ADS Zone.Identifier Deleted
  T1005_aws-ec2-vm-export-failure.txt  [T1005,T1537]  AWS EC2 VM Export Failure
  T1485_aws-eks-cluster-created-or-deleted.txt  [T1485]  AWS EKS Cluster Created or Deleted
  T1136_aws-elasticache-security-group-created.txt  [T1136,T1136.003]  AWS ElastiCache Security Group Created
  T1531_aws-elasticache-security-group-modified-or-deleted.txt  [T1531]  AWS ElastiCache Security Group Modified or Deleted
  aws-glue-development-endpoint-activity.txt  []  AWS Glue Development Endpoint Activity
  aws-new-lambda-layer-attached.txt  []  AWS New Lambda Layer Attached
  T1098_aws-route-53-domain-transfer-lock-disabled.txt  [T1098]  AWS Route 53 Domain Transfer Lock Disabled
  T1098_aws-route-53-domain-transferred-to-another-account.txt  [T1098]  AWS Route 53 Domain Transferred to Another Account
  T1537_aws-s3-data-management-tampering.txt  [T1537]  AWS S3 Data Management Tampering
  T1548_aws-sts-assumerole-misuse.txt  [T1548,T1550,T1550.001]  AWS STS AssumeRole Misuse
  T1548_aws-sts-getsessiontoken-misuse.txt  [T1548,T1550,T1550.001]  AWS STS GetSessionToken Misuse
  T1112_access-to-reg-hive-files-by-uncommon-applications.txt  [T1112]  Access To .Reg/.Hive Files By Uncommon Applications
  T1021.002_access-to-admin-network-share.txt  [T1021.002]  Access To ADMIN$ Network Share
  T1003_access-to-browser-credential-files-by-uncommon-applications.txt  [T1003]  Access To Browser Credential Files By Uncommon Applications
  T1555.003_access-to-browser-credential-files-by-uncommon-applications.txt  [T1555.003]  Access To Browser Credential Files By Uncommon Applications - Security
  T1003_access-to-chromium-browsers-sensitive-files-by-uncommon-appl.txt  [T1003]  Access To Chromium Browsers Sensitive Files By Uncommon Applications
  T1070.008_access-to-windows-outlook-mail-files-by-uncommon-application.txt  [T1070.008]  Access To Windows Outlook Mail Files By Uncommon Applications
  T1553.004_active-directory-certificate-services-denied-certificate-enr.txt  [T1553.004]  Active Directory Certificate Services Denied Certificate Enrollment Request
  T1018_active-directory-computers-enumeration-with-get-adcomputer.txt  [T1018,T1087.002]  Active Directory Computers Enumeration With Get-AdComputer
  T1069.002_active-directory-group-enumeration-with-get-adgroup.txt  [T1069.002]  Active Directory Group Enumeration With Get-AdGroup
  T1207_add-or-remove-computer-from-dc.txt  [T1207]  Add or Remove Computer from DC
  T1078.001_admin-user-remote-logon.txt  [T1078.001,T1078.002,T1078.003]  Admin User Remote Logon
  T1489_application-uninstalled.txt  [T1489]  Application Uninstalled
  T1123_audio-capture.txt  [T1123]  Audio Capture
  T1217_automated-collection-bookmarks-using-get-childitem-powershel.txt  [T1217]  Automated Collection Bookmarks Using Get-ChildItem PowerShell
  T1078.004_azure-ad-only-single-factor-authentication-required.txt  [T1078.004,T1556.006]  Azure AD Only Single Factor Authentication Required
  T1485_azure-container-registry-created-or-deleted.txt  [T1485,T1489,T1496]  Azure Container Registry Created or Deleted
  T1485_azure-kubernetes-cluster-created-or-deleted.txt  [T1485,T1489,T1496]  Azure Kubernetes Cluster Created or Deleted
  T1557_azure-sign-in-with-axios-user-agent.txt  [T1557]  Azure Sign-In With Axios User Agent
  T1197_bits-client-bitsproxy-dll-loaded-by-uncommon-process.txt  [T1197]  BITS Client BitsProxy DLL Loaded By Uncommon Process
  bash-interactive-shell.txt  []  Bash Interactive Shell
  T1218_bitlockertogo-exe-execution.txt  [T1218]  BitLockerTogo.EXE Execution
  T1685_bitbucket-project-secret-scanning-allowlist-added.txt  [T1685]  Bitbucket Project Secret Scanning Allowlist Added
  T1685_bitbucket-secret-scanning-rule-deleted.txt  [T1685]  Bitbucket Secret Scanning Rule Deleted
  T1105_browser-execution-in-headless-mode.txt  [T1105,T1564.003]  Browser Execution In Headless Mode
  T1082_cmd-shell-output-redirect.txt  [T1082]  CMD Shell Output Redirect
  cve-2023-40477-potential-exploitation-rev-file-creation.txt  []  CVE-2023-40477 Potential Exploitation - .REV File Creation
  T1083_capabilities-discovery-linux.txt  [T1083]  Capabilities Discovery - Linux
  T1546.001_change-default-file-association-via-assoc.txt  [T1546.001]  Change Default File Association Via Assoc
  T1078_cisco-bgp-authentication-failures.txt  [T1078,T1110,T1557]  Cisco BGP Authentication Failures
  T1005_cisco-collect-data.txt  [T1005,T1087.001,T1552.001]  Cisco Collect Data
  T1016_cisco-discovery.txt  [T1016,T1018,T1033,T1049,T1057,T1082,T1083,T1124,T1201]  Cisco Discovery
  T1078_cisco-ldp-authentication-failures.txt  [T1078,T1110,T1557]  Cisco LDP Authentication Failures
  T1074_cisco-stage-data.txt  [T1074,T1105,T1560.001]  Cisco Stage Data
  cleartext-protocol-usage.txt  []  Cleartext Protocol Usage
  cleartext-protocol-usage-via-netflow.txt  []  Cleartext Protocol Usage Via Netflow
  T1115_clipboard-collection-of-image-data-with-xclip-tool.txt  [T1115]  Clipboard Collection of Image Data with Xclip Tool
  T1115_clipboard-collection-with-xclip-tool.txt  [T1115]  Clipboard Collection with Xclip Tool
  T1115_clipboard-collection-with-xclip-tool-auditd.txt  [T1115]  Clipboard Collection with Xclip Tool - Auditd
  codeintegrity-unmet-signing-level-requirements-by-file-under.txt  []  CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
  T1036_codepage-modification-via-mode-com.txt  [T1036]  CodePage Modification Via MODE.COM
  command-executed-via-run-dialog-box-registry.txt  []  Command Executed Via Run Dialog Box - Registry
  T1560_compress-archive-cmdlet-execution.txt  [T1560]  Compress-Archive Cmdlet Execution
  T1560_compressed-file-creation-via-tar-exe.txt  [T1560,T1560.001]  Compressed File Creation Via Tar.EXE
  T1560_compressed-file-extraction-via-tar-exe.txt  [T1560,T1560.001]  Compressed File Extraction Via Tar.EXE
  T1090_connection-proxy.txt  [T1090]  Connection Proxy
  T1082_container-residence-discovery-via-proc-virtual-fs.txt  [T1082]  Container Residence Discovery Via Proc Virtual FS
  T1611_container-with-a-hostpath-mount-created.txt  [T1611]  Container With A hostPath Mount Created
  T1136.001_creation-of-a-local-user-account.txt  [T1136.001]  Creation Of A Local User Account
  T1587.001_creation-of-an-executable-by-an-executable.txt  [T1587.001]  Creation of an Executable by an Executable
  T1007_crontab-enumeration.txt  [T1007]  Crontab Enumeration
  T1105_curl-usage-on-linux.txt  [T1105]  Curl Usage on Linux
  T1105_curl-exe-execution.txt  [T1105]  Curl.EXE Execution
  T1485_dd-file-overwrite.txt  [T1485]  DD File Overwrite
  dmp-hdmp-file-creation.txt  []  DMP/HDMP File Creation
  T1078.002_dmsa-link-attributes-modified.txt  [T1078.002,T1098]  DMSA Link Attributes Modified
  T1496_dns-events-related-to-mining-pools.txt  [T1496,T1569.002]  DNS Events Related To Mining Pools
  T1071.001_dns-query-request-by-quickassist-exe.txt  [T1071.001,T1210]  DNS Query Request By QuickAssist.EXE
  T1056_dns-query-request-to-onelaunch-update-service.txt  [T1056]  DNS Query Request To OneLaunch Update Service
  T1567.002_dns-query-to-ufile-io.txt  [T1567.002]  DNS Query To Ufile.io
  T1567.002_dns-query-to-ufile-io-dns-client.txt  [T1567.002]  DNS Query To Ufile.io - DNS Client
  T1560.001_data-compressed.txt  [T1560.001]  Data Compressed
  T1115_data-copied-to-clipboard-via-clip-exe.txt  [T1115]  Data Copied To Clipboard Via Clip.EXE
  T1027_decode-base64-encoded-text.txt  [T1027]  Decode Base64 Encoded Text
  T1027_decode-base64-encoded-text-macos.txt  [T1027]  Decode Base64 Encoded Text - MacOs
  T1498_deployment-deleted-from-kubernetes-cluster.txt  [T1498]  Deployment Deleted From Kubernetes Cluster
  T1083_dirlister-execution.txt  [T1083]  DirLister Execution
  T1070.004_directory-removal-via-rmdir.txt  [T1070.004]  Directory Removal Via Rmdir
  T1124_discovery-of-a-system-time.txt  [T1124]  Discovery of a System Time
  T1082_docker-container-discovery-via-dockerenv-listing.txt  [T1082]  Docker Container Discovery Via Dockerenv Listing
  T1203_download-from-suspicious-tld-blacklist.txt  [T1203,T1204.002,T1566]  Download From Suspicious TLD - Blacklist
  T1203_download-from-suspicious-tld-whitelist.txt  [T1203,T1204.002,T1566]  Download From Suspicious TLD - Whitelist
  T1027.004_dynamic-csharp-compile-artefact.txt  [T1027.004]  Dynamic CSharp Compile Artefact
  T1112_etw-logging-disabled-for-scm.txt  [T1112,T1685]  ETW Logging Disabled For SCM
  T1112_etw-logging-disabled-for-rpcrt4-dll.txt  [T1112,T1685]  ETW Logging Disabled For rpcrt4.dll
  T1528_end-user-consent.txt  [T1528]  End User Consent
  T1012_exports-registry-key-to-a-file.txt  [T1012]  Exports Registry Key To a File
  T1091_external-disk-drive-or-usb-storage-device-was-recognized-by.txt  [T1091,T1200]  External Disk Drive Or USB Storage Device Was Recognized By The System
  T1078.004_failed-authentications-from-countries-you-do-not-operate-out.txt  [T1078.004,T1110]  Failed Authentications From Countries You Do Not Operate Out Of
  T1217_file-and-subfolder-enumeration-via-dir-command.txt  [T1217]  File And SubFolder Enumeration Via Dir Command
  T1070.006_file-creation-date-changed-to-another-year.txt  [T1070.006]  File Creation Date Changed to Another Year
  T1070.004_file-deletion-via-del.txt  [T1070.004]  File Deletion Via Del
  T1222.002_file-or-folder-permissions-change.txt  [T1222.002]  File or Folder Permissions Change
  T1560.001_files-added-to-an-archive-using-rar-exe.txt  [T1560.001]  Files Added To An Archive Using Rar.EXE
  T1016_firewall-configuration-discovery-via-netsh-exe.txt  [T1016]  Firewall Configuration Discovery Via Netsh.EXE
  T1686.003_firewall-rule-modified-in-the-windows-firewall-exception-lis.txt  [T1686.003]  Firewall Rule Modified In The Windows Firewall Exception List
  T1120_fsutil-drive-enumeration.txt  [T1120]  Fsutil Drive Enumeration
  T1056.002_gui-input-capture-macos.txt  [T1056.002]  GUI Input Capture - macOS
  T1553.001_gatekeeper-bypass-via-xattr.txt  [T1553.001]  Gatekeeper Bypass via Xattr
  github-repository-archive-status-changed.txt  []  GitHub Repository Archive Status Changed
  T1567.001_github-repository-pages-site-changed-to-public.txt  [T1567.001]  GitHub Repository Pages Site Changed to Public
  T1078.004_github-new-secret-created.txt  [T1078.004]  Github New Secret Created
  T1685_github-push-protection-bypass-detected.txt  [T1685]  Github Push Protection Bypass Detected
  T1078.004_github-self-hosted-runner-changes-detected.txt  [T1078.004,T1213.003,T1526]  Github Self Hosted Runner Changes Detected
  google-cloud-storage-buckets-enumeration.txt  []  Google Cloud Storage Buckets Enumeration
  T1078_guest-account-enabled-via-sysadminctl.txt  [T1078,T1078.001]  Guest Account Enabled Via Sysadminctl
  T1218.001_hh-exe-execution.txt  [T1218.001]  HH.EXE Execution
  T1566.001_html-file-opened-from-download-folder.txt  [T1566.001,T1598.002]  HTML File Opened From Download Folder
  T1564.001_hidden-files-and-directories.txt  [T1564.001]  Hidden Files and Directories
  host-without-firewall.txt  []  Host Without Firewall
  T1078_huawei-bgp-authentication-failures.txt  [T1078,T1110,T1557]  Huawei BGP Authentication Failures
  import-new-module-via-powershell-commandline.txt  []  Import New Module Via PowerShell CommandLine
  T1218_indirect-command-execution-by-program-compatibility-wizard.txt  [T1218]  Indirect Command Execution By Program Compatibility Wizard
  T1105_insensitive-subfolder-search-via-findstr-exe.txt  [T1105,T1218,T1552.001,T1564.004]  Insensitive Subfolder Search Via Findstr.EXE
  T1553.004_install-root-certificate.txt  [T1553.004]  Install Root Certificate
  T1003_interesting-service-enumeration-via-sc-exe.txt  [T1003]  Interesting Service Enumeration Via Sc.EXE
  jamf-mdm-execution.txt  []  JAMF MDM Execution
  T1127_jscript-compiler-execution.txt  [T1127]  JScript Compiler Execution
  T1078_juniper-bgp-missing-md5.txt  [T1078,T1110,T1557]  Juniper BGP Missing MD5
  T1552.007_kubernetes-secrets-enumeration.txt  [T1552.007]  Kubernetes Secrets Enumeration
  kubernetes-unauthorized-or-unauthenticated-access.txt  []  Kubernetes Unauthorized or Unauthenticated Access
  T1083_linux-capabilities-discovery.txt  [T1083,T1548]  Linux Capabilities Discovery
  T1548_linux-doas-tool-execution.txt  [T1548]  Linux Doas Tool Execution
  T1046_linux-network-service-scanning-auditd.txt  [T1046]  Linux Network Service Scanning - Auditd
  T1046_linux-network-service-scanning-tools-execution.txt  [T1046]  Linux Network Service Scanning Tools Execution
  T1070_linux-package-uninstall.txt  [T1070]  Linux Package Uninstall
  T1018_linux-remote-system-discovery.txt  [T1018]  Linux Remote System Discovery
  T1548_linux-setgid-capability-set-on-a-binary-via-setcap-utility.txt  [T1548,T1554]  Linux Setgid Capability Set on a Binary via Setcap Utility
  T1548_linux-setuid-capability-set-on-a-binary-via-setcap-utility.txt  [T1548,T1554]  Linux Setuid Capability Set on a Binary via Setcap Utility
  T1068_linux-sudo-chroot-execution.txt  [T1068]  Linux Sudo Chroot Execution
  T1486_load-of-rstrtmgr-dll-by-an-uncommon-process.txt  [T1486,T1685]  Load Of RstrtMgr.DLL By An Uncommon Process
  T1033_local-accounts-discovery.txt  [T1033,T1087.001]  Local Accounts Discovery
  T1016_local-firewall-rules-enumeration-via-netfirewallrule-cmdlet.txt  [T1016,T1518.001]  Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
  T1069.001_local-groups-discovery-linux.txt  [T1069.001]  Local Groups Discovery - Linux
  T1069.001_local-groups-reconnaissance-via-wmic-exe.txt  [T1069.001]  Local Groups Reconnaissance Via Wmic.EXE
  T1087.001_local-system-accounts-discovery-linux.txt  [T1087.001]  Local System Accounts Discovery - Linux
  T1087.001_local-system-accounts-discovery-macos.txt  [T1087.001]  Local System Accounts Discovery - MacOs
  T1136.001_local-user-creation.txt  [T1136.001]  Local User Creation
  T1110_mssql-server-failed-logon.txt  [T1110]  MSSQL Server Failed Logon
  T1046_macos-network-service-scanning.txt  [T1046]  MacOS Network Service Scanning
  T1218_malicious-windows-script-components-file-execution-by-taef-d.txt  [T1218]  Malicious Windows Script Components File Execution by TAEF Detection
  T1070.005_maxmpxct-registry-value-changed.txt  [T1070.005]  MaxMpxCt Registry Value Changed
  T1078_measurable-increase-of-successful-authentications.txt  [T1078]  Measurable Increase Of Successful Authentications
  T1204.002_microsoft-excel-add-in-loaded.txt  [T1204.002]  Microsoft Excel Add-In Loaded
  T1204.002_microsoft-word-add-in-loaded.txt  [T1204.002]  Microsoft Word Add-In Loaded
  T1218.007_msiexec-exe-initiated-network-connection-over-http.txt  [T1218.007]  Msiexec.EXE Initiated Network Connection Over HTTP
  T1219.002_mstsc-exe-execution-with-local-rdp-file.txt  [T1219.002]  Mstsc.EXE Execution With Local RDP File
  T1003.003_ntds-dit-created.txt  [T1003.003]  NTDS.DIT Created
  T1550.002_ntlm-logon.txt  [T1550.002]  NTLM Logon
  named-pipe-created-via-mkfifo.txt  []  Named Pipe Created Via Mkfifo
  T1007_net-exe-execution.txt  [T1007,T1018,T1021.002,T1049,T1069.001,T1069.002,T1087.001,T1087.002,T1135,T1201]  Net.EXE Execution
  T1059.001_network-connection-initiated-by-powershell-process.txt  [T1059.001]  Network Connection Initiated By PowerShell Process
  T1567.002_network-connection-initiated-to-mega-nz.txt  [T1567.002]  Network Connection Initiated To Mega.nz
  T1040_network-sniffing-linux.txt  [T1040]  Network Sniffing - Linux
  T1197_new-bits-job-created-via-bitsadmin.txt  [T1197]  New BITS Job Created Via Bitsadmin
  T1197_new-bits-job-created-via-powershell.txt  [T1197]  New BITS Job Created Via PowerShell
  T1053.003_new-cron-file-created.txt  [T1053.003]  New Cron File Created
  new-kind-of-network-nkn-detection.txt  []  New Kind of Network (NKN) Detection
  T1136_new-kubernetes-service-account-created.txt  [T1136]  New Kubernetes Service Account Created
  T1686.001_new-network-acl-entry-added.txt  [T1686.001]  New Network ACL Entry Added
  new-odbc-driver-registered.txt  []  New ODBC Driver Registered
  T1036_new-process-created-via-taskmgr-exe.txt  [T1036]  New Process Created Via Taskmgr.EXE
  T1543.003_new-service-creation-using-powershell.txt  [T1543.003]  New Service Creation Using PowerShell
  T1543.003_new-service-creation-using-sc-exe.txt  [T1543.003]  New Service Creation Using Sc.EXE
  T1686.003_new-windows-firewall-rule-added-via-new-netfirewallrule-cmdl.txt  [T1686.003]  New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  T1686.003_new-windows-firewall-rule-added-via-new-netfirewallrule-cmdl_2.txt  [T1686.003]  New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  T1016_nltest-exe-execution.txt  [T1016,T1018,T1482]  Nltest.EXE Execution
  T1558.003_no-suitable-encryption-key-found-for-generating-kerberos-tic.txt  [T1558.003]  No Suitable Encryption Key Found For Generating Kerberos Ticket
  T1059.007_nodejs-execution-of-javascript-file.txt  [T1059.007]  NodeJS Execution of JavaScript File
  T1059.001_non-interactive-powershell-process-spawned.txt  [T1059.001]  Non Interactive PowerShell Process Spawned
  T1083_notepad-password-files-discovery.txt  [T1083]  Notepad Password Files Discovery
  T1082_os-architecture-discovery-via-grep.txt  [T1082]  OS Architecture Discovery Via Grep
  T1566.001_office-macro-file-creation.txt  [T1566.001]  Office Macro File Creation
  T1566.001_office-macro-file-download.txt  [T1566.001]  Office Macro File Download
  okta-password-health-report-query.txt  []  Okta Password Health Report Query
  okta-policy-modified-or-deleted.txt  []  Okta Policy Modified or Deleted
  onelogin-user-account-locked.txt  []  OneLogin User Account Locked
  onelogin-user-assumed-another-user.txt  []  OneLogin User Assumed Another User
  T1550_outgoing-logon-with-new-credentials.txt  [T1550]  Outgoing Logon with New Credentials
  T1137_outlook-task-note-reminder-received.txt  [T1137]  Outlook Task/Note Reminder Received
  T1485_overwriting-the-file-with-dev-zero-or-null.txt  [T1485]  Overwriting the File with Dev Zero or Null
  T1552.004_pfx-file-creation.txt  [T1552.004]  PFX File Creation
  T1018_pua-adidnsdump-execution.txt  [T1018]  PUA - Adidnsdump Execution
  T1588.002_pua-sysinternal-tool-execution-registry.txt  [T1588.002]  PUA - Sysinternal Tool Execution - Registry
  T1201_password-policy-discovery-linux.txt  [T1201]  Password Policy Discovery - Linux
  T1201_password-policy-discovery-with-get-addefaultdomainpasswordpo.txt  [T1201]  Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
  T1560.001_password-protected-compressed-file-extraction-via-7zip.txt  [T1560.001]  Password Protected Compressed File Extraction Via 7Zip
  T1574.001_potential-7za-dll-sideloading.txt  [T1574.001]  Potential 7za.DLL Sideloading
  T1580_potential-bucket-enumeration-on-aws.txt  [T1580,T1619]  Potential Bucket Enumeration on AWS
  T1082_potential-container-discovery-via-inodes-listing.txt  [T1082]  Potential Container Discovery Via Inodes Listing
  T1027_potential-encoded-powershell-patterns-in-commandline.txt  [T1027,T1059.001]  Potential Encoded PowerShell Patterns In CommandLine
  T1588.002_potential-execution-of-sysinternals-tools.txt  [T1588.002]  Potential Execution of Sysinternals Tools
  potential-exploitation-of-cve-2022-21919-or-cve-2021-34484-f.txt  []  Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
  potential-file-override-append-via-set-command.txt  []  Potential File Override/Append Via SET Command
  T1027_potential-powershell-obfuscation-using-alias-cmdlets.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Using Alias Cmdlets
  T1027_potential-powershell-obfuscation-using-character-join.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Using Character Join
  T1218_potential-proxy-execution-via-explorer-exe-from-shell-proces.txt  [T1218]  Potential Proxy Execution Via Explorer.EXE From Shell Process
  T1112_potential-raspberry-robin-registry-set-internet-settings-zon.txt  [T1112]  Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  T1027_potentially-suspicious-long-filename-pattern-linux.txt  [T1027,T1059.004]  Potentially Suspicious Long Filename Pattern - Linux
  T1102_potentially-suspicious-network-connection-to-notion-api.txt  [T1102]  Potentially Suspicious Network Connection To Notion API
  potentially-suspicious-shell-script-creation-in-profile-fold.txt  []  Potentially Suspicious Shell Script Creation in Profile Folder
  T1059.001_powershell-download-via-net-webclient-powershell-classic.txt  [T1059.001,T1105]  PowerShell Download Via Net.WebClient - PowerShell Classic
  powershell-module-file-created.txt  []  PowerShell Module File Created
  T1222_powershell-script-change-permission-via-set-acl-psscript.txt  [T1222]  PowerShell Script Change Permission Via Set-Acl - PsScript
  powershell-script-dropped-via-powershell-exe.txt  []  PowerShell Script Dropped Via PowerShell.EXE
  powershell-script-execution-policy-enabled.txt  []  PowerShell Script Execution Policy Enabled
  T1020_powershell-script-with-file-upload-capabilities.txt  [T1020]  PowerShell Script With File Upload Capabilities
  T1120_powershell-suspicious-win32-pnpentity.txt  [T1120]  Powershell Suspicious Win32_PnPEntity
  T1505.004_previously-installed-iis-module-was-removed.txt  [T1505.004,T1685.001]  Previously Installed IIS Module Was Removed
  T1611_privileged-container-deployed.txt  [T1611]  Privileged Container Deployed
  T1057_process-discovery.txt  [T1057]  Process Discovery
  T1105_process-execution-from-webdav-share.txt  [T1105]  Process Execution From WebDAV Share
  T1489_process-terminated-via-taskkill.txt  [T1489]  Process Terminated Via Taskkill
  T1569.002_psexec-default-named-pipe.txt  [T1569.002]  PsExec Default Named Pipe
  T1569.002_psexec-service-file-creation.txt  [T1569.002]  PsExec Service File Creation
  T1219.002_quickassist-execution.txt  [T1219.002]  QuickAssist Execution
  T1069.003_rbac-permission-enumeration-attempt.txt  [T1069.003,T1087.004]  RBAC Permission Enumeration Attempt
  T1218.009_regasm-exe-execution-without-commandline-flags-or-files.txt  [T1218.009]  RegAsm.EXE Execution Without CommandLine Flags or Files
  T1112_registry-modification-via-regini-exe.txt  [T1112]  Registry Modification Via Regini.EXE
  T1059.003_remote-access-tool-screenconnect-command-execution.txt  [T1059.003]  Remote Access Tool - ScreenConnect Command Execution
  T1059.003_remote-access-tool-screenconnect-file-transfer.txt  [T1059.003]  Remote Access Tool - ScreenConnect File Transfer
  T1059.003_remote-access-tool-screenconnect-remote-command-execution.txt  [T1059.003]  Remote Access Tool - ScreenConnect Remote Command Execution
  T1059.003_remote-access-tool-screenconnect-temporary-file.txt  [T1059.003]  Remote Access Tool - ScreenConnect Temporary File
  T1133_remote-access-tool-team-viewer-session-started-on-linux-host.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On Linux Host
  T1133_remote-access-tool-team-viewer-session-started-on-macos-host.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On MacOS Host
  T1133_remote-access-tool-team-viewer-session-started-on-windows-ho.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On Windows Host
  T1105_remote-file-copy.txt  [T1105]  Remote File Copy
  T1021.006_remote-powershell-session-ps-classic.txt  [T1021.006,T1059.001]  Remote PowerShell Session (PS Classic)
  T1036.003_renamed-powershell-under-powershell-channel.txt  [T1036.003,T1059.001]  Renamed Powershell Under Powershell Channel
  T1491.001_replace-desktop-wallpaper-by-powershell.txt  [T1491.001]  Replace Desktop Wallpaper by Powershell
  T1112_run-once-task-execution-as-configured-in-registry.txt  [T1112]  Run Once Task Execution as Configured in Registry
  T1007_sc-exe-query-execution.txt  [T1007]  SC.EXE Query Execution
  snake-malware-installer-name-indicators.txt  []  SNAKE Malware Installer Name Indicators
  T1053.005_scheduled-task-created-filecreation.txt  [T1053.005]  Scheduled Task Created - FileCreation
  T1053.005_scheduled-task-created-registry.txt  [T1053.005]  Scheduled Task Created - Registry
  T1053.005_scheduled-task-creation-via-schtasks-exe.txt  [T1053.005]  Scheduled Task Creation Via Schtasks.EXE
  T1053.005_scheduled-task-deletion.txt  [T1053.005]  Scheduled Task Deletion
  T1053.002_scheduled-task-job-at.txt  [T1053.002]  Scheduled Task/Job At
  T1113_screen-capture-macos.txt  [T1113]  Screen Capture - macOS
  T1113_screen-capture-with-import-tool.txt  [T1113]  Screen Capture with Import Tool
  T1113_screen-capture-with-xwd.txt  [T1113]  Screen Capture with Xwd
  T1518.001_security-software-discovery-linux.txt  [T1518.001]  Security Software Discovery - Linux
  T1574.011_service-registry-key-read-access-request.txt  [T1574.011]  Service Registry Key Read Access Request
  T1543.002_service-reload-or-start-linux.txt  [T1543.002]  Service Reload or Start - Linux
  T1564.001_set-files-as-system-files-using-attrib-exe.txt  [T1564.001]  Set Files as System Files Using Attrib.EXE
  T1548.001_setuid-and-setgid.txt  [T1548.001]  Setuid and Setgid
  T1018_share-and-session-enumeration-using-net-exe.txt  [T1018]  Share And Session Enumeration Using Net.EXE
  shell-context-menu-command-tampering.txt  []  Shell Context Menu Command Tampering
  T1078.004_sign-ins-by-unknown-devices.txt  [T1078.004]  Sign-ins by Unknown Devices
  T1036.006_space-after-filename-macos.txt  [T1036.006]  Space After Filename - macOS
  T1543.003_special-file-creation-via-mknod-syscall.txt  [T1543.003]  Special File Creation via Mknod Syscall
  T1030_split-a-file-into-pieces.txt  [T1030]  Split A File Into Pieces
  T1030_split-a-file-into-pieces-linux.txt  [T1030]  Split A File Into Pieces - Linux
  T1569.002_start-windows-service-via-net-exe.txt  [T1569.002]  Start Windows Service Via Net.EXE
  T1037.005_startup-item-file-created-macos.txt  [T1037.005]  Startup Item File Created - MacOS
  T1027.003_steganography-extract-files-with-steghide.txt  [T1027.003]  Steganography Extract Files with Steghide
  T1027.003_steganography-hide-files-with-steghide.txt  [T1027.003]  Steganography Hide Files with Steghide
  T1027.003_steganography-hide-zip-information-in-picture-file.txt  [T1027.003]  Steganography Hide Zip Information in Picture File
  T1027.003_steganography-unzip-hidden-information-from-picture-file.txt  [T1027.003]  Steganography Unzip Hidden Information From Picture File
  T1489_stop-windows-service-via-net-exe.txt  [T1489]  Stop Windows Service Via Net.EXE
  T1489_stop-windows-service-via-powershell-stop-service.txt  [T1489]  Stop Windows Service Via PowerShell Stop-Service
  T1489_stop-windows-service-via-sc-exe.txt  [T1489]  Stop Windows Service Via Sc.EXE
  T1047_successful-account-login-via-wmi.txt  [T1047]  Successful Account Login Via WMI
  T1204.002_successful-msix-appx-package-installation.txt  [T1204.002]  Successful MSIX/AppX Package Installation
  T1110.001_suspicious-connection-to-remote-account.txt  [T1110.001]  Suspicious Connection to Remote Account
  T1059.007_suspicious-deno-file-written-from-remote-source.txt  [T1059.007,T1105,T1204]  Suspicious Deno File Written from Remote Source
  T1082_suspicious-execution-of-hostname.txt  [T1082]  Suspicious Execution of Hostname
  T1082_suspicious-execution-of-systeminfo.txt  [T1082]  Suspicious Execution of Systeminfo
  T1217_suspicious-file-access-to-browser-credential-storage.txt  [T1217,T1555.003]  Suspicious File Access to Browser Credential Storage
  T1615_suspicious-gpo-discovery-with-get-gpo.txt  [T1615]  Suspicious GPO Discovery With Get-GPO
  T1069.001_suspicious-get-information-for-smb-share.txt  [T1069.001]  Suspicious Get Information for SMB Share
  T1069.001_suspicious-get-information-for-smb-share-powershell-module.txt  [T1069.001]  Suspicious Get Information for SMB Share - PowerShell Module
  T1069.001_suspicious-get-local-groups-information.txt  [T1069.001]  Suspicious Get Local Groups Information
  T1069.001_suspicious-get-local-groups-information-powershell.txt  [T1069.001]  Suspicious Get Local Groups Information - PowerShell
  T1020_suspicious-inbox-forwarding.txt  [T1020]  Suspicious Inbox Forwarding
  T1553.005_suspicious-mount-diskimage.txt  [T1553.005]  Suspicious Mount-DiskImage
  T1016_suspicious-network-command.txt  [T1016]  Suspicious Network Command
  T1056_suspicious-network-communication-with-ipfs.txt  [T1056]  Suspicious Network Communication With IPFS
  T1033_suspicious-powershell-get-current-user.txt  [T1033]  Suspicious PowerShell Get Current User
  T1057_suspicious-process-discovery-with-get-process.txt  [T1057]  Suspicious Process Discovery With Get-Process
  T1082_suspicious-query-of-machineguid.txt  [T1082]  Suspicious Query of MachineGUID
  T1573_suspicious-ssl-connection.txt  [T1573]  Suspicious SSL Connection
  T1217_suspicious-where-execution.txt  [T1217]  Suspicious Where Execution
  sysinternals-tools-appx-versions-execution.txt  []  Sysinternals Tools AppX Versions Execution
  T1113_system-drawing-dll-load.txt  [T1113]  System Drawing DLL Load
  T1057_system-info-discovery-via-sysinfo-syscall.txt  [T1057,T1082]  System Info Discovery via Sysinfo Syscall
  T1082_system-information-discovery-auditd.txt  [T1082]  System Information Discovery - Auditd
  T1082_system-information-discovery-via-wmic-exe.txt  [T1082]  System Information Discovery Via Wmic.EXE
  T1082_system-information-discovery-via-registry-queries.txt  [T1082]  System Information Discovery via Registry Queries
  T1518.001_system-integrity-protection-sip-enumeration.txt  [T1518.001]  System Integrity Protection (SIP) Enumeration
  T1049_system-network-connections-discovery-linux.txt  [T1049]  System Network Connections Discovery - Linux
  T1049_system-network-connections-discovery-via-net-exe.txt  [T1049]  System Network Connections Discovery Via Net.EXE
  T1033_system-owner-or-user-discovery-linux.txt  [T1033]  System Owner or User Discovery - Linux
  T1048_tap-driver-installation-security.txt  [T1048]  Tap Driver Installation - Security
  T1053.005_task-scheduler-dll-loaded-by-application-located-in-potentia.txt  [T1053.005]  Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  T1070.004_teamviewer-log-file-deleted.txt  [T1070.004]  TeamViewer Log File Deleted
  T1686.003_the-windows-defender-firewall-service-failed-to-load-group-p.txt  [T1686.003]  The Windows Defender Firewall Service Failed To Load Group Policy
  T1200_usb-device-plugged.txt  [T1200]  USB Device Plugged
  T1552.001_unattend-xml-file-access-attempt.txt  [T1552.001]  Unattend.XML File Access Attempt
  T1070.006_unauthorized-system-time-modification.txt  [T1070.006]  Unauthorized System Time Modification
  T1055.011_uncommon-process-access-rights-for-target-image.txt  [T1055.011]  Uncommon Process Access Rights For Target Image
  T1070.005_unmount-share-via-net-exe.txt  [T1070.005]  Unmount Share Via Net.EXE
  T1059.001_unusually-long-powershell-commandline.txt  [T1059.001]  Unusually Long PowerShell CommandLine
  T1049_use-get-nettcpconnection.txt  [T1049]  Use Get-NetTCPConnection
  T1049_use-get-nettcpconnection-powershell-module.txt  [T1049]  Use Get-NetTCPConnection - PowerShell Module
  T1574.001_use-of-hidden-paths-or-files.txt  [T1574.001]  Use Of Hidden Paths Or Files
  T1070.004_use-of-remove-item-to-delete-file-scriptblock.txt  [T1070.004]  Use Of Remove-Item to Delete File - ScriptBlock
  T1564_virtualbox-driver-installation-or-starting-of-vms.txt  [T1564,T1564.006]  Virtualbox Driver Installation or Starting of VMs
  T1003.002_volume-shadow-copy-mount.txt  [T1003.002]  Volume Shadow Copy Mount
  T1068_vulnerable-driver-load-by-name.txt  [T1068,T1543.003]  Vulnerable Driver Load By Name
  T1047_wmi-module-loaded-by-uncommon-process.txt  [T1047]  WMI Module Loaded By Uncommon Process
  T1048.003_webdav-put-request.txt  [T1048.003]  WebDav Put Request
  T1686.003_windows-defender-firewall-has-been-reset-to-its-default-conf.txt  [T1686.003]  Windows Defender Firewall Has Been Reset To Its Default Configuration
  T1685_windows-defender-submit-sample-feature-disabled.txt  [T1685]  Windows Defender Submit Sample Feature Disabled
  T1685.001_windows-event-auditing-disabled.txt  [T1685.001]  Windows Event Auditing Disabled
  T1686.003_windows-firewall-settings-have-been-changed.txt  [T1686.003]  Windows Firewall Settings Have Been Changed
  T1204.002_windows-msix-package-support-framework-ai-stubs-execution.txt  [T1204.002,T1218,T1553.005]  Windows MSIX Package Support Framework AI_STUBS Execution
  windows-service-terminated-with-error.txt  []  Windows Service Terminated With Error
  T1021.002_windows-share-mount-via-net-exe.txt  [T1021.002]  Windows Share Mount Via Net.EXE
  winget-admin-settings-modification.txt  []  Winget Admin Settings Modification
  T1059.001_bxor-operator-usage-in-powershell-command-line-powershell-cl.txt  [T1059.001]  bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
  T1027.001_failed-code-integrity-checks.txt  [T1027.001]  Failed Code Integrity Checks
  T1070.004_file-deletion.txt  [T1070.004]  File Deletion
  T1083_file-and-directory-discovery-linux.txt  [T1083]  File and Directory Discovery - Linux
  T1083_file-and-directory-discovery-macos.txt  [T1083]  File and Directory Discovery - MacOS
  T1069.001_local-groups-discovery-macos.txt  [T1069.001]  Local Groups Discovery - MacOs
  locked-workstation.txt  []  Locked Workstation
  T1018_macos-remote-system-discovery.txt  [T1018]  Macos Remote System Discovery
  T1040_network-sniffing-macos.txt  [T1040]  Network Sniffing - MacOs
  T1204.002_new-application-in-appcompat.txt  [T1204.002]  New Application in AppCompat
  T1136.003_new-github-organization-member-added.txt  [T1136.003]  New Github Organization Member Added
  new-okta-user-created.txt  []  New Okta User Created
  T1059.001_new-powershell-instance-created.txt  [T1059.001]  New PowerShell Instance Created
  T1553_potential-boinc-software-execution-uc-berkeley-signature.txt  [T1553]  Potential BOINC Software Execution (UC-Berkeley Signature)
  T1140_powershell-decompress-commands.txt  [T1140]  PowerShell Decompress Commands
  T1202_suspicious-high-integritylevel-conhost-legacy-option.txt  [T1202]  Suspicious High IntegrityLevel Conhost Legacy Option
  T1057_suspicious-tasklist-discovery-command.txt  [T1057]  Suspicious Tasklist Discovery Command
  T1082_system-information-discovery.txt  [T1082]  System Information Discovery
  T1049_system-network-connections-discovery-macos.txt  [T1049]  System Network Connections Discovery - MacOs
  T1016_system-network-discovery-linux.txt  [T1016]  System Network Discovery - Linux
  T1016_system-network-discovery-macos.txt  [T1016]  System Network Discovery - macOS
  T1529_system-shutdown-reboot-linux.txt  [T1529]  System Shutdown/Reboot - Linux
  T1529_system-shutdown-reboot-macos.txt  [T1529]  System Shutdown/Reboot - MacOs
  T1082_system-and-hardware-information-discovery.txt  [T1082]  System and Hardware Information Discovery
  T1531_user-logoff-event.txt  [T1531]  User Logoff Event
  T1003.002_vssaudit-security-event-source-registration.txt  [T1003.002]  VSSAudit Security Event Source Registration
  windows-defender-malware-detection-history-deletion.txt  []  Windows Defender Malware Detection History Deletion
  T1574_windows-spooler-service-suspicious-binary-load.txt  [T1574]  Windows Spooler Service Suspicious Binary Load
  T1584_windows-update-error.txt  [T1584]  Windows Update Error
