threatengine.sh Sigma export
backend: carbon_black (one .txt file per rule, containing the rendered query)
rules: 328

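files: (columns: filename  [ATT&CK technique tags]  rule title; [] = rule has no technique tag, otherwise the filename is prefixed with the first tag)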
  T1098_a-member-was-added-to-a-security-enabled-global-group.txt  [T1098]  A Member Was Added to a Security-Enabled Global Group
  T1098_a-member-was-removed-from-a-security-enabled-global-group.txt  [T1098]  A Member Was Removed From a Security-Enabled Global Group
  T1098_a-security-enabled-global-group-was-deleted.txt  [T1098]  A Security-Enabled Global Group Was Deleted
  T1069.001_ad-groups-or-users-enumeration-using-powershell-poshmodule.txt  [T1069.001]  AD Groups Or Users Enumeration Using PowerShell - PoshModule
  T1069.001_ad-groups-or-users-enumeration-using-powershell-scriptblock.txt  [T1069.001]  AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
  adcs-certificate-template-configuration-vulnerability.txt  []  ADCS Certificate Template Configuration Vulnerability
  T1070.004_ads-zone-identifier-deleted.txt  [T1070.004]  ADS Zone.Identifier Deleted
  T1005_aws-ec2-vm-export-failure.txt  [T1005,T1537]  AWS EC2 VM Export Failure
  T1485_aws-eks-cluster-created-or-deleted.txt  [T1485]  AWS EKS Cluster Created or Deleted
  T1136_aws-elasticache-security-group-created.txt  [T1136,T1136.003]  AWS ElastiCache Security Group Created
  T1531_aws-elasticache-security-group-modified-or-deleted.txt  [T1531]  AWS ElastiCache Security Group Modified or Deleted
  aws-glue-development-endpoint-activity.txt  []  AWS Glue Development Endpoint Activity
  aws-new-lambda-layer-attached.txt  []  AWS New Lambda Layer Attached
  T1098_aws-route-53-domain-transfer-lock-disabled.txt  [T1098]  AWS Route 53 Domain Transfer Lock Disabled
  T1098_aws-route-53-domain-transferred-to-another-account.txt  [T1098]  AWS Route 53 Domain Transferred to Another Account
  T1537_aws-s3-data-management-tampering.txt  [T1537]  AWS S3 Data Management Tampering
  T1548_aws-sts-assumerole-misuse.txt  [T1548,T1550,T1550.001]  AWS STS AssumeRole Misuse
  T1548_aws-sts-getsessiontoken-misuse.txt  [T1548,T1550,T1550.001]  AWS STS GetSessionToken Misuse
  T1112_access-to-reg-hive-files-by-uncommon-applications.txt  [T1112]  Access To .Reg/.Hive Files By Uncommon Applications
  T1021.002_access-to-admin-network-share.txt  [T1021.002]  Access To ADMIN$ Network Share
  T1003_access-to-browser-credential-files-by-uncommon-applications.txt  [T1003]  Access To Browser Credential Files By Uncommon Applications
  T1555.003_access-to-browser-credential-files-by-uncommon-applications.txt  [T1555.003]  Access To Browser Credential Files By Uncommon Applications - Security
  T1003_access-to-chromium-browsers-sensitive-files-by-uncommon-appl.txt  [T1003]  Access To Chromium Browsers Sensitive Files By Uncommon Applications
  T1070.008_access-to-windows-outlook-mail-files-by-uncommon-application.txt  [T1070.008]  Access To Windows Outlook Mail Files By Uncommon Applications
  T1553.004_active-directory-certificate-services-denied-certificate-enr.txt  [T1553.004]  Active Directory Certificate Services Denied Certificate Enrollment Request
  T1018_active-directory-computers-enumeration-with-get-adcomputer.txt  [T1018,T1087.002]  Active Directory Computers Enumeration With Get-AdComputer
  T1069.002_active-directory-group-enumeration-with-get-adgroup.txt  [T1069.002]  Active Directory Group Enumeration With Get-AdGroup
  T1207_add-or-remove-computer-from-dc.txt  [T1207]  Add or Remove Computer from DC
  T1078.001_admin-user-remote-logon.txt  [T1078.001,T1078.002,T1078.003]  Admin User Remote Logon
  T1489_application-uninstalled.txt  [T1489]  Application Uninstalled
  T1123_audio-capture.txt  [T1123]  Audio Capture
  T1217_automated-collection-bookmarks-using-get-childitem-powershel.txt  [T1217]  Automated Collection Bookmarks Using Get-ChildItem PowerShell
  T1078.004_azure-ad-only-single-factor-authentication-required.txt  [T1078.004,T1556.006]  Azure AD Only Single Factor Authentication Required
  T1485_azure-container-registry-created-or-deleted.txt  [T1485,T1489,T1496]  Azure Container Registry Created or Deleted
  T1485_azure-kubernetes-cluster-created-or-deleted.txt  [T1485,T1489,T1496]  Azure Kubernetes Cluster Created or Deleted
  T1557_azure-sign-in-with-axios-user-agent.txt  [T1557]  Azure Sign-In With Axios User Agent
  T1197_bits-client-bitsproxy-dll-loaded-by-uncommon-process.txt  [T1197]  BITS Client BitsProxy DLL Loaded By Uncommon Process
  bash-interactive-shell.txt  []  Bash Interactive Shell
  T1218_bitlockertogo-exe-execution.txt  [T1218]  BitLockerTogo.EXE Execution
  T1685_bitbucket-project-secret-scanning-allowlist-added.txt  [T1685]  Bitbucket Project Secret Scanning Allowlist Added
  T1685_bitbucket-secret-scanning-rule-deleted.txt  [T1685]  Bitbucket Secret Scanning Rule Deleted
  T1105_browser-execution-in-headless-mode.txt  [T1105,T1564.003]  Browser Execution In Headless Mode
  T1082_cmd-shell-output-redirect.txt  [T1082]  CMD Shell Output Redirect
  cve-2023-40477-potential-exploitation-rev-file-creation.txt  []  CVE-2023-40477 Potential Exploitation - .REV File Creation
  T1083_capabilities-discovery-linux.txt  [T1083]  Capabilities Discovery - Linux
  T1546.001_change-default-file-association-via-assoc.txt  [T1546.001]  Change Default File Association Via Assoc
  T1078_cisco-bgp-authentication-failures.txt  [T1078,T1110,T1557]  Cisco BGP Authentication Failures
  T1005_cisco-collect-data.txt  [T1005,T1087.001,T1552.001]  Cisco Collect Data
  T1016_cisco-discovery.txt  [T1016,T1018,T1033,T1049,T1057,T1082,T1083,T1124,T1201]  Cisco Discovery
  T1078_cisco-ldp-authentication-failures.txt  [T1078,T1110,T1557]  Cisco LDP Authentication Failures
  T1074_cisco-stage-data.txt  [T1074,T1105,T1560.001]  Cisco Stage Data
  cleartext-protocol-usage.txt  []  Cleartext Protocol Usage
  cleartext-protocol-usage-via-netflow.txt  []  Cleartext Protocol Usage Via Netflow
  T1115_clipboard-collection-of-image-data-with-xclip-tool.txt  [T1115]  Clipboard Collection of Image Data with Xclip Tool
  T1115_clipboard-collection-with-xclip-tool.txt  [T1115]  Clipboard Collection with Xclip Tool
  T1115_clipboard-collection-with-xclip-tool-auditd.txt  [T1115]  Clipboard Collection with Xclip Tool - Auditd
  codeintegrity-unmet-signing-level-requirements-by-file-under.txt  []  CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
  T1036_codepage-modification-via-mode-com.txt  [T1036]  CodePage Modification Via MODE.COM
  command-executed-via-run-dialog-box-registry.txt  []  Command Executed Via Run Dialog Box - Registry
  T1560_compress-archive-cmdlet-execution.txt  [T1560]  Compress-Archive Cmdlet Execution
  T1560_compressed-file-creation-via-tar-exe.txt  [T1560,T1560.001]  Compressed File Creation Via Tar.EXE
  T1560_compressed-file-extraction-via-tar-exe.txt  [T1560,T1560.001]  Compressed File Extraction Via Tar.EXE
  T1090_connection-proxy.txt  [T1090]  Connection Proxy
  T1082_container-residence-discovery-via-proc-virtual-fs.txt  [T1082]  Container Residence Discovery Via Proc Virtual FS
  T1611_container-with-a-hostpath-mount-created.txt  [T1611]  Container With A hostPath Mount Created
  T1136.001_creation-of-a-local-user-account.txt  [T1136.001]  Creation Of A Local User Account
  T1587.001_creation-of-an-executable-by-an-executable.txt  [T1587.001]  Creation of an Executable by an Executable
  T1007_crontab-enumeration.txt  [T1007]  Crontab Enumeration
  T1105_curl-usage-on-linux.txt  [T1105]  Curl Usage on Linux
  T1105_curl-exe-execution.txt  [T1105]  Curl.EXE Execution
  T1485_dd-file-overwrite.txt  [T1485]  DD File Overwrite
  dmp-hdmp-file-creation.txt  []  DMP/HDMP File Creation
  T1078.002_dmsa-link-attributes-modified.txt  [T1078.002,T1098]  DMSA Link Attributes Modified
  T1496_dns-events-related-to-mining-pools.txt  [T1496,T1569.002]  DNS Events Related To Mining Pools
  T1071.001_dns-query-request-by-quickassist-exe.txt  [T1071.001,T1210]  DNS Query Request By QuickAssist.EXE
  T1056_dns-query-request-to-onelaunch-update-service.txt  [T1056]  DNS Query Request To OneLaunch Update Service
  T1567.002_dns-query-to-ufile-io.txt  [T1567.002]  DNS Query To Ufile.io
  T1567.002_dns-query-to-ufile-io-dns-client.txt  [T1567.002]  DNS Query To Ufile.io - DNS Client
  T1560.001_data-compressed.txt  [T1560.001]  Data Compressed
  T1115_data-copied-to-clipboard-via-clip-exe.txt  [T1115]  Data Copied To Clipboard Via Clip.EXE
  T1027_decode-base64-encoded-text.txt  [T1027]  Decode Base64 Encoded Text
  T1027_decode-base64-encoded-text-macos.txt  [T1027]  Decode Base64 Encoded Text -MacOs
  T1498_deployment-deleted-from-kubernetes-cluster.txt  [T1498]  Deployment Deleted From Kubernetes Cluster
  T1083_dirlister-execution.txt  [T1083]  DirLister Execution
  T1070.004_directory-removal-via-rmdir.txt  [T1070.004]  Directory Removal Via Rmdir
  T1124_discovery-of-a-system-time.txt  [T1124]  Discovery of a System Time
  T1082_docker-container-discovery-via-dockerenv-listing.txt  [T1082]  Docker Container Discovery Via Dockerenv Listing
  T1203_download-from-suspicious-tld-blacklist.txt  [T1203,T1204.002,T1566]  Download From Suspicious TLD - Blacklist
  T1203_download-from-suspicious-tld-whitelist.txt  [T1203,T1204.002,T1566]  Download From Suspicious TLD - Whitelist
  T1027.004_dynamic-csharp-compile-artefact.txt  [T1027.004]  Dynamic CSharp Compile Artefact
  T1112_etw-logging-disabled-for-scm.txt  [T1112,T1685]  ETW Logging Disabled For SCM
  T1112_etw-logging-disabled-for-rpcrt4-dll.txt  [T1112,T1685]  ETW Logging Disabled For rpcrt4.dll
  T1528_end-user-consent.txt  [T1528]  End User Consent
  T1012_exports-registry-key-to-a-file.txt  [T1012]  Exports Registry Key To a File
  T1091_external-disk-drive-or-usb-storage-device-was-recognized-by.txt  [T1091,T1200]  External Disk Drive Or USB Storage Device Was Recognized By The System
  T1078.004_failed-authentications-from-countries-you-do-not-operate-out.txt  [T1078.004,T1110]  Failed Authentications From Countries You Do Not Operate Out Of
  T1217_file-and-subfolder-enumeration-via-dir-command.txt  [T1217]  File And SubFolder Enumeration Via Dir Command
  T1070.006_file-creation-date-changed-to-another-year.txt  [T1070.006]  File Creation Date Changed to Another Year
  T1070.004_file-deletion-via-del.txt  [T1070.004]  File Deletion Via Del
  T1222.002_file-or-folder-permissions-change.txt  [T1222.002]  File or Folder Permissions Change
  T1560.001_files-added-to-an-archive-using-rar-exe.txt  [T1560.001]  Files Added To An Archive Using Rar.EXE
  T1016_firewall-configuration-discovery-via-netsh-exe.txt  [T1016]  Firewall Configuration Discovery Via Netsh.EXE
  T1686.003_firewall-rule-modified-in-the-windows-firewall-exception-lis.txt  [T1686.003]  Firewall Rule Modified In The Windows Firewall Exception List
  T1120_fsutil-drive-enumeration.txt  [T1120]  Fsutil Drive Enumeration
  T1056.002_gui-input-capture-macos.txt  [T1056.002]  GUI Input Capture - macOS
  T1553.001_gatekeeper-bypass-via-xattr.txt  [T1553.001]  Gatekeeper Bypass via Xattr
  github-repository-archive-status-changed.txt  []  GitHub Repository Archive Status Changed
  T1567.001_github-repository-pages-site-changed-to-public.txt  [T1567.001]  GitHub Repository Pages Site Changed to Public
  T1078.004_github-new-secret-created.txt  [T1078.004]  Github New Secret Created
  T1685_github-push-protection-bypass-detected.txt  [T1685]  Github Push Protection Bypass Detected
  T1078.004_github-self-hosted-runner-changes-detected.txt  [T1078.004,T1213.003,T1526]  Github Self Hosted Runner Changes Detected
  google-cloud-storage-buckets-enumeration.txt  []  Google Cloud Storage Buckets Enumeration
  T1078_guest-account-enabled-via-sysadminctl.txt  [T1078,T1078.001]  Guest Account Enabled Via Sysadminctl
  T1218.001_hh-exe-execution.txt  [T1218.001]  HH.EXE Execution
  T1566.001_html-file-opened-from-download-folder.txt  [T1566.001,T1598.002]  HTML File Opened From Download Folder
  T1564.001_hidden-files-and-directories.txt  [T1564.001]  Hidden Files and Directories
  host-without-firewall.txt  []  Host Without Firewall
  T1078_huawei-bgp-authentication-failures.txt  [T1078,T1110,T1557]  Huawei BGP Authentication Failures
  import-new-module-via-powershell-commandline.txt  []  Import New Module Via PowerShell CommandLine
  T1218_indirect-command-execution-by-program-compatibility-wizard.txt  [T1218]  Indirect Command Execution By Program Compatibility Wizard
  T1105_insensitive-subfolder-search-via-findstr-exe.txt  [T1105,T1218,T1552.001,T1564.004]  Insensitive Subfolder Search Via Findstr.EXE
  T1553.004_install-root-certificate.txt  [T1553.004]  Install Root Certificate
  T1003_interesting-service-enumeration-via-sc-exe.txt  [T1003]  Interesting Service Enumeration Via Sc.EXE
  jamf-mdm-execution.txt  []  JAMF MDM Execution
  T1127_jscript-compiler-execution.txt  [T1127]  JScript Compiler Execution
  T1078_juniper-bgp-missing-md5.txt  [T1078,T1110,T1557]  Juniper BGP Missing MD5
  T1552.007_kubernetes-secrets-enumeration.txt  [T1552.007]  Kubernetes Secrets Enumeration
  kubernetes-unauthorized-or-unauthenticated-access.txt  []  Kubernetes Unauthorized or Unauthenticated Access
  T1083_linux-capabilities-discovery.txt  [T1083,T1548]  Linux Capabilities Discovery
  T1548_linux-doas-tool-execution.txt  [T1548]  Linux Doas Tool Execution
  T1046_linux-network-service-scanning-auditd.txt  [T1046]  Linux Network Service Scanning - Auditd
  T1046_linux-network-service-scanning-tools-execution.txt  [T1046]  Linux Network Service Scanning Tools Execution
  T1070_linux-package-uninstall.txt  [T1070]  Linux Package Uninstall
  T1018_linux-remote-system-discovery.txt  [T1018]  Linux Remote System Discovery
  T1548_linux-setgid-capability-set-on-a-binary-via-setcap-utility.txt  [T1548,T1554]  Linux Setgid Capability Set on a Binary via Setcap Utility
  T1548_linux-setuid-capability-set-on-a-binary-via-setcap-utility.txt  [T1548,T1554]  Linux Setuid Capability Set on a Binary via Setcap Utility
  T1068_linux-sudo-chroot-execution.txt  [T1068]  Linux Sudo Chroot Execution
  T1486_load-of-rstrtmgr-dll-by-an-uncommon-process.txt  [T1486,T1685]  Load Of RstrtMgr.DLL By An Uncommon Process
  T1033_local-accounts-discovery.txt  [T1033,T1087.001]  Local Accounts Discovery
  T1016_local-firewall-rules-enumeration-via-netfirewallrule-cmdlet.txt  [T1016,T1518.001]  Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
  T1069.001_local-groups-discovery-linux.txt  [T1069.001]  Local Groups Discovery - Linux
  T1069.001_local-groups-reconnaissance-via-wmic-exe.txt  [T1069.001]  Local Groups Reconnaissance Via Wmic.EXE
  T1087.001_local-system-accounts-discovery-linux.txt  [T1087.001]  Local System Accounts Discovery - Linux
  T1087.001_local-system-accounts-discovery-macos.txt  [T1087.001]  Local System Accounts Discovery - MacOs
  T1136.001_local-user-creation.txt  [T1136.001]  Local User Creation
  T1110_mssql-server-failed-logon.txt  [T1110]  MSSQL Server Failed Logon
  T1046_macos-network-service-scanning.txt  [T1046]  MacOS Network Service Scanning
  T1218_malicious-windows-script-components-file-execution-by-taef-d.txt  [T1218]  Malicious Windows Script Components File Execution by TAEF Detection
  T1070.005_maxmpxct-registry-value-changed.txt  [T1070.005]  MaxMpxCt Registry Value Changed
  T1078_measurable-increase-of-successful-authentications.txt  [T1078]  Measurable Increase Of Successful Authentications
  T1204.002_microsoft-excel-add-in-loaded.txt  [T1204.002]  Microsoft Excel Add-In Loaded
  T1204.002_microsoft-word-add-in-loaded.txt  [T1204.002]  Microsoft Word Add-In Loaded
  T1218.007_msiexec-exe-initiated-network-connection-over-http.txt  [T1218.007]  Msiexec.EXE Initiated Network Connection Over HTTP
  T1219.002_mstsc-exe-execution-with-local-rdp-file.txt  [T1219.002]  Mstsc.EXE Execution With Local RDP File
  T1003.003_ntds-dit-created.txt  [T1003.003]  NTDS.DIT Created
  T1550.002_ntlm-logon.txt  [T1550.002]  NTLM Logon
  named-pipe-created-via-mkfifo.txt  []  Named Pipe Created Via Mkfifo
  T1007_net-exe-execution.txt  [T1007,T1018,T1021.002,T1049,T1069.001,T1069.002,T1087.001,T1087.002,T1135,T1201]  Net.EXE Execution
  T1059.001_network-connection-initiated-by-powershell-process.txt  [T1059.001]  Network Connection Initiated By PowerShell Process
  T1567.002_network-connection-initiated-to-mega-nz.txt  [T1567.002]  Network Connection Initiated To Mega.nz
  T1040_network-sniffing-linux.txt  [T1040]  Network Sniffing - Linux
  T1197_new-bits-job-created-via-bitsadmin.txt  [T1197]  New BITS Job Created Via Bitsadmin
  T1197_new-bits-job-created-via-powershell.txt  [T1197]  New BITS Job Created Via PowerShell
  T1053.003_new-cron-file-created.txt  [T1053.003]  New Cron File Created
  new-kind-of-network-nkn-detection.txt  []  New Kind of Network (NKN) Detection
  T1136_new-kubernetes-service-account-created.txt  [T1136]  New Kubernetes Service Account Created
  T1686.001_new-network-acl-entry-added.txt  [T1686.001]  New Network ACL Entry Added
  new-odbc-driver-registered.txt  []  New ODBC Driver Registered
  T1036_new-process-created-via-taskmgr-exe.txt  [T1036]  New Process Created Via Taskmgr.EXE
  T1543.003_new-service-creation-using-powershell.txt  [T1543.003]  New Service Creation Using PowerShell
  T1543.003_new-service-creation-using-sc-exe.txt  [T1543.003]  New Service Creation Using Sc.EXE
  T1686.003_new-windows-firewall-rule-added-via-new-netfirewallrule-cmdl.txt  [T1686.003]  New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  T1686.003_new-windows-firewall-rule-added-via-new-netfirewallrule-cmdl_2.txt  [T1686.003]  New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  T1016_nltest-exe-execution.txt  [T1016,T1018,T1482]  Nltest.EXE Execution
  T1558.003_no-suitable-encryption-key-found-for-generating-kerberos-tic.txt  [T1558.003]  No Suitable Encryption Key Found For Generating Kerberos Ticket
  T1059.007_nodejs-execution-of-javascript-file.txt  [T1059.007]  NodeJS Execution of JavaScript File
  T1059.001_non-interactive-powershell-process-spawned.txt  [T1059.001]  Non Interactive PowerShell Process Spawned
  T1083_notepad-password-files-discovery.txt  [T1083]  Notepad Password Files Discovery
  T1082_os-architecture-discovery-via-grep.txt  [T1082]  OS Architecture Discovery Via Grep
  T1566.001_office-macro-file-creation.txt  [T1566.001]  Office Macro File Creation
  T1566.001_office-macro-file-download.txt  [T1566.001]  Office Macro File Download
  okta-password-health-report-query.txt  []  Okta Password Health Report Query
  okta-policy-modified-or-deleted.txt  []  Okta Policy Modified or Deleted
  onelogin-user-account-locked.txt  []  OneLogin User Account Locked
  onelogin-user-assumed-another-user.txt  []  OneLogin User Assumed Another User
  T1550_outgoing-logon-with-new-credentials.txt  [T1550]  Outgoing Logon with New Credentials
  T1137_outlook-task-note-reminder-received.txt  [T1137]  Outlook Task/Note Reminder Received
  T1485_overwriting-the-file-with-dev-zero-or-null.txt  [T1485]  Overwriting the File with Dev Zero or Null
  T1552.004_pfx-file-creation.txt  [T1552.004]  PFX File Creation
  T1018_pua-adidnsdump-execution.txt  [T1018]  PUA - Adidnsdump Execution
  T1588.002_pua-sysinternal-tool-execution-registry.txt  [T1588.002]  PUA - Sysinternal Tool Execution - Registry
  T1201_password-policy-discovery-linux.txt  [T1201]  Password Policy Discovery - Linux
  T1201_password-policy-discovery-with-get-addefaultdomainpasswordpo.txt  [T1201]  Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
  T1560.001_password-protected-compressed-file-extraction-via-7zip.txt  [T1560.001]  Password Protected Compressed File Extraction Via 7Zip
  T1574.001_potential-7za-dll-sideloading.txt  [T1574.001]  Potential 7za.DLL Sideloading
  T1580_potential-bucket-enumeration-on-aws.txt  [T1580,T1619]  Potential Bucket Enumeration on AWS
  T1082_potential-container-discovery-via-inodes-listing.txt  [T1082]  Potential Container Discovery Via Inodes Listing
  T1027_potential-encoded-powershell-patterns-in-commandline.txt  [T1027,T1059.001]  Potential Encoded PowerShell Patterns In CommandLine
  T1588.002_potential-execution-of-sysinternals-tools.txt  [T1588.002]  Potential Execution of Sysinternals Tools
  potential-exploitation-of-cve-2022-21919-or-cve-2021-34484-f.txt  []  Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
  potential-file-override-append-via-set-command.txt  []  Potential File Override/Append Via SET Command
  T1027_potential-powershell-obfuscation-using-alias-cmdlets.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Using Alias Cmdlets
  T1027_potential-powershell-obfuscation-using-character-join.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Using Character Join
  T1218_potential-proxy-execution-via-explorer-exe-from-shell-proces.txt  [T1218]  Potential Proxy Execution Via Explorer.EXE From Shell Process
  T1112_potential-raspberry-robin-registry-set-internet-settings-zon.txt  [T1112]  Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  T1027_potentially-suspicious-long-filename-pattern-linux.txt  [T1027,T1059.004]  Potentially Suspicious Long Filename Pattern - Linux
  T1102_potentially-suspicious-network-connection-to-notion-api.txt  [T1102]  Potentially Suspicious Network Connection To Notion API
  potentially-suspicious-shell-script-creation-in-profile-fold.txt  []  Potentially Suspicious Shell Script Creation in Profile Folder
  T1059.001_powershell-download-via-net-webclient-powershell-classic.txt  [T1059.001,T1105]  PowerShell Download Via Net.WebClient - PowerShell Classic
  powershell-module-file-created.txt  []  PowerShell Module File Created
  T1222_powershell-script-change-permission-via-set-acl-psscript.txt  [T1222]  PowerShell Script Change Permission Via Set-Acl - PsScript
  powershell-script-dropped-via-powershell-exe.txt  []  PowerShell Script Dropped Via PowerShell.EXE
  powershell-script-execution-policy-enabled.txt  []  PowerShell Script Execution Policy Enabled
  T1020_powershell-script-with-file-upload-capabilities.txt  [T1020]  PowerShell Script With File Upload Capabilities
  T1120_powershell-suspicious-win32-pnpentity.txt  [T1120]  Powershell Suspicious Win32_PnPEntity
  T1505.004_previously-installed-iis-module-was-removed.txt  [T1505.004,T1685.001]  Previously Installed IIS Module Was Removed
  T1611_privileged-container-deployed.txt  [T1611]  Privileged Container Deployed
  T1057_process-discovery.txt  [T1057]  Process Discovery
  T1105_process-execution-from-webdav-share.txt  [T1105]  Process Execution From WebDAV Share
  T1489_process-terminated-via-taskkill.txt  [T1489]  Process Terminated Via Taskkill
  T1569.002_psexec-default-named-pipe.txt  [T1569.002]  PsExec Default Named Pipe
  T1569.002_psexec-service-file-creation.txt  [T1569.002]  PsExec Service File Creation
  T1219.002_quickassist-execution.txt  [T1219.002]  QuickAssist Execution
  T1069.003_rbac-permission-enumeration-attempt.txt  [T1069.003,T1087.004]  RBAC Permission Enumeration Attempt
  T1218.009_regasm-exe-execution-without-commandline-flags-or-files.txt  [T1218.009]  RegAsm.EXE Execution Without CommandLine Flags or Files
  T1112_registry-modification-via-regini-exe.txt  [T1112]  Registry Modification Via Regini.EXE
  T1059.003_remote-access-tool-screenconnect-command-execution.txt  [T1059.003]  Remote Access Tool - ScreenConnect Command Execution
  T1059.003_remote-access-tool-screenconnect-file-transfer.txt  [T1059.003]  Remote Access Tool - ScreenConnect File Transfer
  T1059.003_remote-access-tool-screenconnect-remote-command-execution.txt  [T1059.003]  Remote Access Tool - ScreenConnect Remote Command Execution
  T1059.003_remote-access-tool-screenconnect-temporary-file.txt  [T1059.003]  Remote Access Tool - ScreenConnect Temporary File
  T1133_remote-access-tool-team-viewer-session-started-on-linux-host.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On Linux Host
  T1133_remote-access-tool-team-viewer-session-started-on-macos-host.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On MacOS Host
  T1133_remote-access-tool-team-viewer-session-started-on-windows-ho.txt  [T1133]  Remote Access Tool - Team Viewer Session Started On Windows Host
  T1105_remote-file-copy.txt  [T1105]  Remote File Copy
  T1021.006_remote-powershell-session-ps-classic.txt  [T1021.006,T1059.001]  Remote PowerShell Session (PS Classic)
  T1036.003_renamed-powershell-under-powershell-channel.txt  [T1036.003,T1059.001]  Renamed Powershell Under Powershell Channel
  T1491.001_replace-desktop-wallpaper-by-powershell.txt  [T1491.001]  Replace Desktop Wallpaper by Powershell
  T1112_run-once-task-execution-as-configured-in-registry.txt  [T1112]  Run Once Task Execution as Configured in Registry
  T1007_sc-exe-query-execution.txt  [T1007]  SC.EXE Query Execution
  snake-malware-installer-name-indicators.txt  []  SNAKE Malware Installer Name Indicators
  T1053.005_scheduled-task-created-filecreation.txt  [T1053.005]  Scheduled Task Created - FileCreation
  T1053.005_scheduled-task-created-registry.txt  [T1053.005]  Scheduled Task Created - Registry
  T1053.005_scheduled-task-creation-via-schtasks-exe.txt  [T1053.005]  Scheduled Task Creation Via Schtasks.EXE
  T1053.005_scheduled-task-deletion.txt  [T1053.005]  Scheduled Task Deletion
  T1053.002_scheduled-task-job-at.txt  [T1053.002]  Scheduled Task/Job At
  T1113_screen-capture-macos.txt  [T1113]  Screen Capture - macOS
  T1113_screen-capture-with-import-tool.txt  [T1113]  Screen Capture with Import Tool
  T1113_screen-capture-with-xwd.txt  [T1113]  Screen Capture with Xwd
  T1518.001_security-software-discovery-linux.txt  [T1518.001]  Security Software Discovery - Linux
  T1574.011_service-registry-key-read-access-request.txt  [T1574.011]  Service Registry Key Read Access Request
  T1543.002_service-reload-or-start-linux.txt  [T1543.002]  Service Reload or Start - Linux
  T1564.001_set-files-as-system-files-using-attrib-exe.txt  [T1564.001]  Set Files as System Files Using Attrib.EXE
  T1548.001_setuid-and-setgid.txt  [T1548.001]  Setuid and Setgid
  T1018_share-and-session-enumeration-using-net-exe.txt  [T1018]  Share And Session Enumeration Using Net.EXE
  shell-context-menu-command-tampering.txt  []  Shell Context Menu Command Tampering
  T1078.004_sign-ins-by-unknown-devices.txt  [T1078.004]  Sign-ins by Unknown Devices
  T1036.006_space-after-filename-macos.txt  [T1036.006]  Space After Filename - macOS
  T1543.003_special-file-creation-via-mknod-syscall.txt  [T1543.003]  Special File Creation via Mknod Syscall
  T1030_split-a-file-into-pieces.txt  [T1030]  Split A File Into Pieces
  T1030_split-a-file-into-pieces-linux.txt  [T1030]  Split A File Into Pieces - Linux
  T1569.002_start-windows-service-via-net-exe.txt  [T1569.002]  Start Windows Service Via Net.EXE
  T1037.005_startup-item-file-created-macos.txt  [T1037.005]  Startup Item File Created - MacOS
  T1027.003_steganography-extract-files-with-steghide.txt  [T1027.003]  Steganography Extract Files with Steghide
  T1027.003_steganography-hide-files-with-steghide.txt  [T1027.003]  Steganography Hide Files with Steghide
  T1027.003_steganography-hide-zip-information-in-picture-file.txt  [T1027.003]  Steganography Hide Zip Information in Picture File
  T1027.003_steganography-unzip-hidden-information-from-picture-file.txt  [T1027.003]  Steganography Unzip Hidden Information From Picture File
  T1489_stop-windows-service-via-net-exe.txt  [T1489]  Stop Windows Service Via Net.EXE
  T1489_stop-windows-service-via-powershell-stop-service.txt  [T1489]  Stop Windows Service Via PowerShell Stop-Service
  T1489_stop-windows-service-via-sc-exe.txt  [T1489]  Stop Windows Service Via Sc.EXE
  T1047_successful-account-login-via-wmi.txt  [T1047]  Successful Account Login Via WMI
  T1204.002_successful-msix-appx-package-installation.txt  [T1204.002]  Successful MSIX/AppX Package Installation
  T1110.001_suspicious-connection-to-remote-account.txt  [T1110.001]  Suspicious Connection to Remote Account
  T1059.007_suspicious-deno-file-written-from-remote-source.txt  [T1059.007,T1105,T1204]  Suspicious Deno File Written from Remote Source
  T1082_suspicious-execution-of-hostname.txt  [T1082]  Suspicious Execution of Hostname
  T1082_suspicious-execution-of-systeminfo.txt  [T1082]  Suspicious Execution of Systeminfo
  T1217_suspicious-file-access-to-browser-credential-storage.txt  [T1217,T1555.003]  Suspicious File Access to Browser Credential Storage
  T1615_suspicious-gpo-discovery-with-get-gpo.txt  [T1615]  Suspicious GPO Discovery With Get-GPO
  T1069.001_suspicious-get-information-for-smb-share.txt  [T1069.001]  Suspicious Get Information for SMB Share
  T1069.001_suspicious-get-information-for-smb-share-powershell-module.txt  [T1069.001]  Suspicious Get Information for SMB Share - PowerShell Module
  T1069.001_suspicious-get-local-groups-information.txt  [T1069.001]  Suspicious Get Local Groups Information
  T1069.001_suspicious-get-local-groups-information-powershell.txt  [T1069.001]  Suspicious Get Local Groups Information - PowerShell
  T1020_suspicious-inbox-forwarding.txt  [T1020]  Suspicious Inbox Forwarding
  T1553.005_suspicious-mount-diskimage.txt  [T1553.005]  Suspicious Mount-DiskImage
  T1016_suspicious-network-command.txt  [T1016]  Suspicious Network Command
  T1056_suspicious-network-communication-with-ipfs.txt  [T1056]  Suspicious Network Communication With IPFS
  T1033_suspicious-powershell-get-current-user.txt  [T1033]  Suspicious PowerShell Get Current User
  T1057_suspicious-process-discovery-with-get-process.txt  [T1057]  Suspicious Process Discovery With Get-Process
  T1082_suspicious-query-of-machineguid.txt  [T1082]  Suspicious Query of MachineGUID
  T1573_suspicious-ssl-connection.txt  [T1573]  Suspicious SSL Connection
  T1217_suspicious-where-execution.txt  [T1217]  Suspicious Where Execution
  sysinternals-tools-appx-versions-execution.txt  []  Sysinternals Tools AppX Versions Execution
  T1113_system-drawing-dll-load.txt  [T1113]  System Drawing DLL Load
  T1057_system-info-discovery-via-sysinfo-syscall.txt  [T1057,T1082]  System Info Discovery via Sysinfo Syscall
  T1082_system-information-discovery-auditd.txt  [T1082]  System Information Discovery - Auditd
  T1082_system-information-discovery-via-wmic-exe.txt  [T1082]  System Information Discovery Via Wmic.EXE
  T1082_system-information-discovery-via-registry-queries.txt  [T1082]  System Information Discovery via Registry Queries
  T1518.001_system-integrity-protection-sip-enumeration.txt  [T1518.001]  System Integrity Protection (SIP) Enumeration
  T1049_system-network-connections-discovery-linux.txt  [T1049]  System Network Connections Discovery - Linux
  T1049_system-network-connections-discovery-via-net-exe.txt  [T1049]  System Network Connections Discovery Via Net.EXE
  T1033_system-owner-or-user-discovery-linux.txt  [T1033]  System Owner or User Discovery - Linux
  T1048_tap-driver-installation-security.txt  [T1048]  Tap Driver Installation - Security
  T1053.005_task-scheduler-dll-loaded-by-application-located-in-potentia.txt  [T1053.005]  Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  T1070.004_teamviewer-log-file-deleted.txt  [T1070.004]  TeamViewer Log File Deleted
  T1686.003_the-windows-defender-firewall-service-failed-to-load-group-p.txt  [T1686.003]  The Windows Defender Firewall Service Failed To Load Group Policy
  T1200_usb-device-plugged.txt  [T1200]  USB Device Plugged
  T1552.001_unattend-xml-file-access-attempt.txt  [T1552.001]  Unattend.XML File Access Attempt
  T1070.006_unauthorized-system-time-modification.txt  [T1070.006]  Unauthorized System Time Modification
  T1055.011_uncommon-process-access-rights-for-target-image.txt  [T1055.011]  Uncommon Process Access Rights For Target Image
  T1070.005_unmount-share-via-net-exe.txt  [T1070.005]  Unmount Share Via Net.EXE
  T1059.001_unusually-long-powershell-commandline.txt  [T1059.001]  Unusually Long PowerShell CommandLine
  T1049_use-get-nettcpconnection.txt  [T1049]  Use Get-NetTCPConnection
  T1049_use-get-nettcpconnection-powershell-module.txt  [T1049]  Use Get-NetTCPConnection - PowerShell Module
  T1574.001_use-of-hidden-paths-or-files.txt  [T1574.001]  Use Of Hidden Paths Or Files
  T1070.004_use-of-remove-item-to-delete-file-scriptblock.txt  [T1070.004]  Use Of Remove-Item to Delete File - ScriptBlock
  T1564_virtualbox-driver-installation-or-starting-of-vms.txt  [T1564,T1564.006]  Virtualbox Driver Installation or Starting of VMs
  T1003.002_volume-shadow-copy-mount.txt  [T1003.002]  Volume Shadow Copy Mount
  T1068_vulnerable-driver-load-by-name.txt  [T1068,T1543.003]  Vulnerable Driver Load By Name
  T1047_wmi-module-loaded-by-uncommon-process.txt  [T1047]  WMI Module Loaded By Uncommon Process
  T1048.003_webdav-put-request.txt  [T1048.003]  WebDav Put Request
  T1686.003_windows-defender-firewall-has-been-reset-to-its-default-conf.txt  [T1686.003]  Windows Defender Firewall Has Been Reset To Its Default Configuration
  T1685_windows-defender-submit-sample-feature-disabled.txt  [T1685]  Windows Defender Submit Sample Feature Disabled
  T1685.001_windows-event-auditing-disabled.txt  [T1685.001]  Windows Event Auditing Disabled
  T1686.003_windows-firewall-settings-have-been-changed.txt  [T1686.003]  Windows Firewall Settings Have Been Changed
  T1204.002_windows-msix-package-support-framework-ai-stubs-execution.txt  [T1204.002,T1218,T1553.005]  Windows MSIX Package Support Framework AI_STUBS Execution
  windows-service-terminated-with-error.txt  []  Windows Service Terminated With Error
  T1021.002_windows-share-mount-via-net-exe.txt  [T1021.002]  Windows Share Mount Via Net.EXE
  winget-admin-settings-modification.txt  []  Winget Admin Settings Modification
  T1059.001_bxor-operator-usage-in-powershell-command-line-powershell-cl.txt  [T1059.001]  bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
