# Detection Strategies

Detection strategies are high-level approaches for identifying specific MITRE ATT&CK techniques in enterprise environments. Each strategy describes **what to observe**, **which data sources to use** and **how to correlate events** in order to detect adversary behaviour, independent of any particular tool or SIEM.

Unlike analytics (concrete detection rules), strategies focus on the **analytical reasoning**: which hypothesis to test, which behavioural indicators to monitor and how to reduce false positives in real environments.

---

## Strategies by MITRE ATT&CK Tactic

> [!example]- Category Map by Tactic
> ```mermaid
> mindmap
>   root((Detection Strategies))
>     Reconnaissance
>       Scanning
>       Phishing for Information
>       Search Open Sources
>     Initial Access
>       Phishing
>       Exploit Public-Facing App
>       Valid Accounts
>     Execution
>       Command & Scripting
>       Shared Modules
>       User Execution
>     Persistence
>       Boot/Logon Autostart
>       Scheduled Tasks
>       Event Triggered
>     Privilege Escalation
>       Process Injection
>       Exploitation for Priv Esc
>       Access Token Manipulation
>     Defense Evasion
>       Obfuscated Files
>       Masquerading
>       Indicator Removal
>     Credential Access
>       Brute Force
>       OS Credential Dumping
>       Kerberos Attacks
>     Discovery
>       System Information
>       Network Discovery
>       Account Discovery
>     Lateral Movement
>       Remote Services
>       Lateral Tool Transfer
>       SMB/Windows Admin Shares
>     Collection
>       Data Staging
>       Screen Capture
>       Input Capture
>     Command and Control
>       Web Protocols
>       Encrypted Channel
>       Application Layer Protocol
>     Exfiltration
>       Exfil Over C2 Channel
>       Exfil Over Web Service
>       Automated Exfiltration
>     Impact
>       Data Encrypted for Impact
>       Service Stop
>       Inhibit System Recovery
> ```

---

## All Detection Strategies

%%
```dataview
TABLE WITHOUT ID
  link(file.link, title) AS "Estrategia",
  mitre-tactic AS "Tática",
  mitre-id AS "Técnica",
  join(platforms, ", ") AS "Plataformas"
FROM "defenses/detections/detection-strategies"
WHERE type = "detection-strategy" AND !contains(file.name, "_")
SORT mitre-tactic ASC, title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Estrategia", mitre-tactic AS "Tática", mitre-id AS "Técnica", join(platforms, ", ") AS "Plataformas" FROM "defenses/detections/detection-strategies" WHERE type = "detection-strategy" AND !contains(file.name, "_") SORT mitre-tactic ASC, title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Estrategia", mitre-tactic AS "Tática", mitre-id AS "Técnica", join(platforms, ", ") AS "Plataformas" FROM "defenses/detections/detection-strategies" WHERE type = "detection-strategy" AND !contains(file.name, "_") SORT mitre-tactic ASC, title ASC -->

| Strategy | Tactic | Technique | Platforms |
| --- | --- | --- | --- |
| [[det0014-detection-of-data-staging-prior-to-exfiltration\|DET0014 - Detection of Data Staging Prior to Exfiltration]] | Collection | DET0014 | Windows |
| [[det0047-detect-local-email-collection-via-outlook-data-file-access-and-command-l\|DET0047 - Detect Local Email Collection via Outlook Data File Access and Command Line Tooling]] | Collection | DET0047 | Windows |
| [[det0048-detect-remote-email-collection-via-abnormal-login-and-programmatic-acces\|DET0048 - Detect Remote Email Collection via Abnormal Login and Programmatic Access]] | Collection | DET0048 | Windows, Linux, IaaS, SaaS |
| [[det0071-detection-of-remote-data-staging-prior-to-exfiltration\|DET0071 - Detection of Remote Data Staging Prior to Exfiltration]] | Collection | DET0071 | IaaS |
| [[det0089-behavioral-detection-of-keylogging-activity-across-platforms\|DET0089 - Behavioral Detection of Keylogging Activity Across Platforms]] | Collection | DET0089 | Windows, Linux, macOS |
| [[det0102-behavioral-detection-of-input-capture-across-platforms\|DET0102 - Behavioral Detection of Input Capture Across Platforms]] | Collection | DET0102 | Windows, Linux, macOS |
| [[det0139-detection-of-credential-harvesting-via-api-hooking\|DET0139 - Detection of Credential Harvesting via API Hooking]] | Collection | DET0139 | Windows |
| [[det0186-automated-file-and-api-collection-detection-across-platforms\|DET0186 - Automated File and API Collection Detection Across Platforms]] | Collection | DET0186 | Windows, Linux, macOS, Network |
| [[det0197-behavior-chain-platform-aware-detection-strategy-for-t1125-video-capture\|DET0197 - Behavior-chain, platform-aware detection strategy for T1125 Video Capture]] | Collection | DET0197 | Windows, Linux, macOS |
| [[det0221-behavioral-detection-strategy-for-t1123-audio-capture-across-windows-lin\|DET0221 - Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS]] | Collection | DET0221 | Windows, Linux, macOS |
| [[det0233-detection-strategy-for-network-device-configuration-dump-via-config-repo\|DET0233 - Detection Strategy for Network Device Configuration Dump via Config Repositories]] | Collection | DET0233 | Windows, Network |
| [[det0242-suspicious-database-access-and-dump-activity-across-environments-t121300\|DET0242 - Suspicious Database Access and Dump Activity Across Environments (T1213.006)]] | Collection | DET0242 | Windows, IaaS, Network |
| [[det0261-detection-of-local-data-staging-prior-to-exfiltration\|DET0261 - Detection of Local Data Staging Prior to Exfiltration]] | Collection | DET0261 | IaaS |
| [[det0263-detecting-bulk-or-anomalous-access-to-private-code-repositories-via-saas\|DET0263 - Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms]] | Collection | DET0263 | IaaS, SaaS, Containers |
| [[det0268-detect-archiving-via-library-t1560002\|DET0268 - Detect Archiving via Library (T1560.002)]] | Collection | DET0268 | Windows, IaaS, Containers |
| [[det0298-detect-archiving-via-utility-t1560001\|DET0298 - Detect Archiving via Utility (T1560.001)]] | Collection | DET0298 | Linux |
| [[det0341-clipboard-data-access-with-anomalous-context\|DET0341 - Clipboard Data Access with Anomalous Context]] | Collection | DET0341 | Linux, macOS, IaaS |
| [[det0346-detect-screen-capture-via-commands-and-api-calls\|DET0346 - Detect Screen Capture via Commands and API Calls]] | Collection | DET0346 | Linux, macOS |
| [[det0358-programmatic-and-excessive-access-to-confluence-documentation\|DET0358 - Programmatic and Excessive Access to Confluence Documentation]] | Collection | DET0358 | IaaS |
| [[det0373-detection-strategy-for-addition-of-email-delegate-permissions\|DET0373 - Detection Strategy for Addition of Email Delegate Permissions]] | Collection | DET0373 | Windows, IaaS, SaaS |
| [[det0380-detection-of-local-data-collection-prior-to-exfiltration\|DET0380 - Detection of Local Data Collection Prior to Exfiltration]] | Collection | DET0380 | Windows, Linux, macOS |
| [[det0410-detection-strategy-for-data-from-network-shared-drive\|DET0410 - Detection Strategy for Data from Network Shared Drive]] | Collection | DET0410 | Windows, IaaS, Network |
| [[det0413-abuse-of-information-repositories-for-data-collection\|DET0413 - Abuse of Information Repositories for Data Collection]] | Collection | DET0413 | IaaS, Containers |
| [[det0438-detect-archiving-via-custom-method-t1560003\|DET0438 - Detect Archiving via Custom Method (T1560.003)]] | Collection | DET0438 | Windows, Linux, macOS |
| [[det0453-detection-strategy-for-snmp-mib-dump-on-network-devices\|DET0453 - Detection Strategy for SNMP (MIB Dump) on Network Devices]] | Collection | DET0453 | Windows, IaaS, Containers, Network |
| [[det0476-email-collection-via-local-email-access-and-auto-forwarding-behavior\|DET0476 - Email Collection via Local Email Access and Auto-Forwarding Behavior]] | Collection | DET0476 | IaaS, SaaS, Containers |
| [[det0500-detecting-abnormal-sharepoint-data-mining-by-privileged-or-rare-users\|DET0500 - Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users]] | Collection | DET0500 | IaaS |
| [[det0507-detect-browser-session-hijacking-via-privilege-handle-access-and-remote-\|DET0507 - Detect browser session hijacking via privilege, handle access, and remote thread into browsers]] | Collection | DET0507 | IaaS, Containers |
| [[det0511-detection-of-data-access-and-collection-from-removable-media\|DET0511 - Detection of Data Access and Collection from Removable Media]] | Collection | DET0511 | Windows, Containers |
| [[det0521-behavioral-detection-of-spoofed-gui-credential-prompts\|DET0521 - Behavioral Detection of Spoofed GUI Credential Prompts]] | Collection | DET0521 | Windows, macOS, IaaS |
| [[det0526-detect-archiving-and-encryption-of-collected-data-t1560\|DET0526 - Detect Archiving and Encryption of Collected Data (T1560)]] | Collection | DET0526 | Windows, IaaS |
| [[det0550-detecting-suspicious-access-to-crm-data-in-saas-environments\|DET0550 - Detecting Suspicious Access to CRM Data in SaaS Environments]] | Collection | DET0550 | IaaS, SaaS, Containers |
| [[det0567-detecting-unauthorized-collection-from-messaging-applications-in-saas-an\|DET0567 - Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments]] | Collection | DET0567 | IaaS, SaaS, Containers |
| [[det0568-detection-strategy-for-input-injection\|DET0568 - Detection Strategy for Input Injection]] | Collection | DET0568 | Windows |
| [[det0576-email-forwarding-rule-abuse-detection-across-platforms\|DET0576 - Email Forwarding Rule Abuse Detection Across Platforms]] | Collection | DET0576 | Windows, SaaS, Containers |
| [[det0592-detection-strategy-for-data-from-configuration-repository-on-network-dev\|DET0592 - Detection Strategy for Data from Configuration Repository on Network Devices]] | Collection | DET0592 | Windows, IaaS, Network |
| [[det0002-behavioral-detection-of-publishsubscribe-protocol-misuse-for-c2\|DET0002 - Behavioral Detection of Publish/Subscribe Protocol Misuse for C2]] | Command and Control | DET0002 | Linux, IaaS, Network |
| [[det0011-detecting-junk-data-in-c2-channels-via-behavioral-analysis\|DET0011 - Detecting Junk Data in C2 Channels via Behavioral Analysis]] | Command and Control | DET0011 | IaaS, Containers, Network |
| [[det0027-detection-of-web-protocol-based-c2-over-http-https-or-websockets\|DET0027 - Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets]] | Command and Control | DET0027 | Windows, Linux, macOS |
| [[det0035-detect-bidirectional-web-service-c2-channels-via-process-network-correla\|DET0035 - Detect Bidirectional Web Service C2 Channels via Process & Network Correlation]] | Command and Control | DET0035 | Windows, IaaS, Containers, Network |
| [[det0039-detection-strategy-for-dynamic-resolution-across-os-platforms\|DET0039 - Detection Strategy for Dynamic Resolution across OS Platforms]] | Command and Control | DET0039 | Windows, Linux, macOS |
| [[det0053-detect-obfuscated-c2-via-network-traffic-analysis\|DET0053 - Detect Obfuscated C2 via Network Traffic Analysis]] | Command and Control | DET0053 | Windows, Network |
| [[det0058-detection-strategy-for-web-service-dead-drop-resolver\|DET0058 - Detection Strategy for Web Service: Dead Drop Resolver]] | Command and Control | DET0058 | Windows, Linux, macOS |
| [[det0075-internal-proxy-behavior-via-lateral-host-to-host-c2-relay\|DET0075 - Internal Proxy Behavior via Lateral Host-to-Host C2 Relay]] | Command and Control | DET0075 | Windows, Linux, macOS |
| [[det0090-cross-host-c2-via-removable-media-relay\|DET0090 - Cross-host C2 via Removable Media Relay]] | Command and Control | DET0090 | Windows, Linux, Network |
| [[det0108-detection-strategy-for-data-encoding-in-c2-channels\|DET0108 - Detection Strategy for Data Encoding in C2 Channels]] | Command and Control | DET0108 | Containers, Network |
| [[det0124-behavior-chain-detection-for-t1132001-data-encoding-standard-encoding-ba\|DET0124 - Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi]] | Command and Control | DET0124 | Windows, Linux, macOS |
| [[det0133-ide-tunneling-detection-via-process-file-and-network-behaviors\|DET0133 - IDE Tunneling Detection via Process, File, and Network Behaviors]] | Command and Control | DET0133 | Windows, Network |
| [[det0135-detection-of-mail-protocol-based-c2-activity-smtp-imap-pop3\|DET0135 - Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3)]] | Command and Control | DET0135 | Network |
| [[det0143-detection-strategy-for-encrypted-channel-via-symmetric-cryptography-acro\|DET0143 - Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms]] | Command and Control | DET0143 | Windows, Linux, macOS, Network |
| [[det0147-detection-strategy-for-cloud-service-hijacking-via-saas-abuse\|DET0147 - Detection Strategy for Cloud Service Hijacking via SaaS Abuse]] | Command and Control | DET0147 | Windows, IaaS, SaaS |
| [[det0163-detection-strategy-for-network-address-translation-traversal\|DET0163 - Detection Strategy for Network Address Translation Traversal]] | Command and Control | DET0163 | Windows, Network |
| [[det0196-domain-fronting-behavior-via-mismatched-tls-sni-and-http-host-headers\|DET0196 - Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers]] | Command and Control | DET0196 | IaaS, Network |
| [[det0227-detection-strategy-for-non-standard-ports\|DET0227 - Detection Strategy for Non-Standard Ports]] | Command and Control | DET0227 | Windows, Containers, Network |
| [[det0228-detect-multi-stage-command-and-control-channels\|DET0228 - Detect Multi-Stage Command and Control Channels]] | Command and Control | DET0228 | IaaS, Containers, Network |
| [[det0259-remote-desktop-software-execution-and-beaconing-detection\|DET0259 - Remote Desktop Software Execution and Beaconing Detection]] | Command and Control | DET0259 | Windows, IaaS, Network |
| [[det0262-detection-strategy-for-dynamic-resolution-through-dns-calculation\|DET0262 - Detection Strategy for Dynamic Resolution through DNS Calculation]] | Command and Control | DET0262 | Windows, Linux, macOS |
| [[det0273-detection-strategy-for-encrypted-channel-across-os-platforms\|DET0273 - Detection Strategy for Encrypted Channel across OS Platforms]] | Command and Control | DET0273 | Windows, Linux, macOS |
| [[det0325-external-proxy-behavior-via-outbound-relay-to-intermediate-infrastructur\|DET0325 - External Proxy Behavior via Outbound Relay to Intermediate Infrastructure]] | Command and Control | DET0325 | Windows, Linux, macOS |
| [[det0326-behavior-chain-detection-for-t1132002-data-encoding-non-standard-encodin\|DET0326 - Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi]] | Command and Control | DET0326 | Windows, Linux, macOS |
| [[det0359-multi-hop-proxy-behavior-via-relay-node-chaining-onion-routing-and-netwo\|DET0359 - Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling]] | Command and Control | DET0359 | Windows, IaaS, Containers, Network |
| [[det0400-behavioral-detection-of-dns-tunneling-and-application-layer-abuse\|DET0400 - Behavioral Detection of DNS Tunneling and Application Layer Abuse]] | Command and Control | DET0400 | Windows, Network |
| [[det0411-detection-strategy-for-hide-infrastructure\|DET0411 - Detection Strategy for Hide Infrastructure]] | Command and Control | DET0411 | IaaS |
| [[det0416-detection-of-file-transfer-protocol-based-c2-ftp-ftps-smb-tftp\|DET0416 - Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)]] | Command and Control | DET0416 | Windows, Containers, Network |
| [[det0419-detection-strategy-for-dynamic-resolution-using-domain-generation-algori\|DET0419 - Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.]] | Command and Control | DET0419 | IaaS |
| [[det0425-suspicious-use-of-web-services-for-c2\|DET0425 - Suspicious Use of Web Services for C2]] | Command and Control | DET0425 | IaaS, Network |
| [[det0444-detection-of-command-and-control-over-application-layer-protocols\|DET0444 - Detection of Command and Control Over Application Layer Protocols]] | Command and Control | DET0444 | Windows, IaaS, SaaS, Network |
| [[det0445-detection-of-proxy-infrastructure-setup-and-traffic-bridging\|DET0445 - Detection of Proxy Infrastructure Setup and Traffic Bridging]] | Command and Control | DET0445 | IaaS, Containers |
| [[det0457-detection-of-non-application-layer-protocols-for-c2\|DET0457 - Detection of Non-Application Layer Protocols for C2]] | Command and Control | DET0457 | Network |
| [[det0470-detecting-protocol-or-service-impersonation-via-anomalous-tls-http-heade\|DET0470 - Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation]] | Command and Control | DET0470 | IaaS, SaaS |
| [[det0485-detection-strategy-for-dynamic-resolution-using-fast-flux-dns\|DET0485 - Detection Strategy for Dynamic Resolution using Fast Flux DNS]] | Command and Control | DET0485 | IaaS |
| [[det0496-behavior-chain-detection-for-remote-access-tools-tool-agnostic\|DET0496 - Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)]] | Command and Control | DET0496 | Windows |
| [[det0499-behavioral-detection-of-fallback-or-alternate-c2-channels\|DET0499 - Behavioral Detection of Fallback or Alternate C2 Channels]] | Command and Control | DET0499 | Containers |
| [[det0538-detection-strategy-for-protocol-tunneling-accross-os-platforms\|DET0538 - Detection Strategy for Protocol Tunneling across OS platforms.]] | Command and Control | DET0538 | IaaS, Containers, Network |
| [[det0543-detection-strategy-for-encrypted-channel-via-asymmetric-cryptography-acr\|DET0543 - Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms]] | Command and Control | DET0543 | Windows, Linux, macOS |
| [[det0581-detect-one-way-web-service-command-channels\|DET0581 - Detect One-Way Web Service Command Channels]] | Command and Control | DET0581 | Containers |
| [[det0898-detection-of-spoofed-user-agent\|DET0898 - Detection of Spoofed User-Agent]] | Command and Control | DET0898 | Windows |
| [[det0001-detect-access-to-cloud-instance-metadata-api-iaas\|DET0001 - Detect Access to Cloud Instance Metadata API (IaaS)]] | Credential Access | DET0001 | IaaS |
| [[det0013-detection-of-local-browser-artifact-access-for-reconnaissance\|DET0013 - Detection of Local Browser Artifact Access for Reconnaissance]] | Credential Access | DET0013 | Windows, macOS |
| [[det0022-detect-forced-smbwebdav-authentication-via-lure-files-and-outbound-ntlm\|DET0022 - Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM]] | Credential Access | DET0022 | Windows, Containers |
| [[det0024-detect-kerberos-ccache-file-theft-or-abuse-t1558005\|DET0024 - Detect Kerberos Ccache File Theft or Abuse (T1558.005)]] | Credential Access | DET0024 | Linux, macOS, Containers |
| [[det0030-detect-conditional-access-policy-modification-in-identity-and-cloud-plat\|DET0030 - Detect Conditional Access Policy Modification in Identity and Cloud Platforms]] | Credential Access | DET0030 | IaaS, SaaS, Containers |
| [[det0037-detect-suspicious-access-to-browser-credential-stores\|DET0037 - Detect Suspicious Access to Browser Credential Stores]] | Credential Access | DET0037 | Windows, Linux, macOS |
| [[det0057-detect-suspicious-access-to-securityd-memory-for-credential-extraction\|DET0057 - Detect Suspicious Access to securityd Memory for Credential Extraction]] | Credential Access | DET0057 | macOS, IaaS, Containers |
| [[det0074-detect-use-of-stolen-web-session-cookies-across-platforms\|DET0074 - Detect Use of Stolen Web Session Cookies Across Platforms]] | Credential Access | DET0074 | IaaS, SaaS, Containers |
| [[det0085-credential-dumping-from-sam-via-registry-dump-and-local-file-access\|DET0085 - Credential Dumping from SAM via Registry Dump and Local File Access]] | Credential Access | DET0085 | Windows |
| [[det0104-detect-modification-of-authentication-processes-across-platforms\|DET0104 - Detect Modification of Authentication Processes Across Platforms]] | Credential Access | DET0104 | Windows, Linux, macOS |
| [[det0105-post-credential-dump-password-cracking-detection-via-suspicious-file-acc\|DET0105 - Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools]] | Credential Access | DET0105 | Linux, Containers |
| [[det0111-detect-unsecured-credentials-shared-in-chat-messages\|DET0111 - Detect Unsecured Credentials Shared in Chat Messages]] | Credential Access | DET0111 | IaaS |
| [[det0113-detect-as-rep-roasting-attempts-t1558004\|DET0113 - Detect AS-REP Roasting Attempts (T1558.004)]] | Credential Access | DET0113 | Windows |
| [[det0130-detect-unauthorized-access-to-cloud-secrets-management-stores\|DET0130 - Detect Unauthorized Access to Cloud Secrets Management Stores]] | Credential Access | DET0130 | IaaS, Network |
| [[det0134-detect-suspicious-access-to-windows-credential-manager\|DET0134 - Detect Suspicious Access to Windows Credential Manager]] | Credential Access | DET0134 | Windows |
| [[det0144-detect-forged-kerberos-golden-tickets-t1558001\|DET0144 - Detect Forged Kerberos Golden Tickets (T1558.001)]] | Credential Access | DET0144 | Windows, Containers |
| [[det0148-detection-strategy-for-forged-saml-tokens\|DET0148 - Detection Strategy for Forged SAML Tokens]] | Credential Access | DET0148 | Windows, IaaS, Containers |
| [[det0157-detect-kerberoasting-attempts-t1558003\|DET0157 - Detect Kerberoasting Attempts (T1558.003)]] | Credential Access | DET0157 | Windows, IaaS |
| [[det0160-detection-strategy-for-multi-factor-authentication-request-generation-t1\|DET0160 - Detection Strategy for Multi-Factor Authentication Request Generation (T1621)]] | Credential Access | DET0160 | IaaS, SaaS |
| [[det0171-detection-strategy-for-forged-web-cookies\|DET0171 - Detection Strategy for Forged Web Cookies]] | Credential Access | DET0171 | Containers |
| [[det0174-detection-strategy-for-exploitation-for-credential-access\|DET0174 - Detection Strategy for Exploitation for Credential Access]] | Credential Access | DET0174 | Windows, Network |
| [[det0190-detect-mfa-modification-or-disabling-across-platforms\|DET0190 - Detect MFA Modification or Disabling Across Platforms]] | Credential Access | DET0190 | IaaS, SaaS, Containers |
| [[det0198-detect-abuse-of-container-apis-for-credential-access\|DET0198 - Detect Abuse of Container APIs for Credential Access]] | Credential Access | DET0198 | Linux, IaaS, Containers |
| [[det0234-credential-dumping-via-sensitive-memory-and-registry-access-correlation\|DET0234 - Credential Dumping via Sensitive Memory and Registry Access Correlation]] | Credential Access | DET0234 | Windows |
| [[det0240-detection-strategy-for-steal-or-forge-authentication-certificates\|DET0240 - Detection Strategy for Steal or Forge Authentication Certificates]] | Credential Access | DET0240 | Windows, Network |
| [[det0241-detect-forged-kerberos-silver-tickets-t1558002\|DET0241 - Detect Forged Kerberos Silver Tickets (T1558.002)]] | Credential Access | DET0241 | Windows, Network |
| [[det0246-detection-strategy-for-mfa-interception-via-input-capture-and-smart-card\|DET0246 - Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying]] | Credential Access | DET0246 | Windows |
| [[det0250-detect-credential-discovery-via-windows-registry-enumeration\|DET0250 - Detect Credential Discovery via Windows Registry Enumeration]] | Credential Access | DET0250 | Windows |
| [[det0260-detection-strategy-for-forged-web-credentials\|DET0260 - Detection Strategy for Forged Web Credentials]] | Credential Access | DET0260 | IaaS, SaaS, Containers |
| [[det0271-detect-domain-controller-authentication-process-modification-skeleton-ke\|DET0271 - Detect Domain Controller Authentication Process Modification (Skeleton Key)]] | Credential Access | DET0271 | Windows, IaaS, Containers |
| [[det0293-detect-hybrid-identity-authentication-process-modification\|DET0293 - Detect Hybrid Identity Authentication Process Modification]] | Credential Access | DET0293 | Windows, Linux, IaaS, Containers |
| [[det0296-detect-adversary-in-the-middle-via-network-and-configuration-anomalies\|DET0296 - Detect Adversary-in-the-Middle via Network and Configuration Anomalies]] | Credential Access | DET0296 | Windows, Containers, Network |
| [[det0307-detect-access-to-unsecured-credential-files-across-platforms\|DET0307 - Detect Access to Unsecured Credential Files Across Platforms]] | Credential Access | DET0307 | Windows, Linux, macOS, IaaS |
| [[det0314-detection-strategy-for-network-sniffing-across-platforms\|DET0314 - Detection Strategy for Network Sniffing Across Platforms]] | Credential Access | DET0314 | Windows, Linux, Containers, Network |
| [[det0363-detection-of-credential-dumping-from-lsass-memory-via-access-and-dump-se\|DET0363 - Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence]] | Credential Access | DET0363 | Windows |
| [[det0379-detect-evil-twin-wi-fi-access-points-on-network-devices\|DET0379 - Detect Evil Twin Wi-Fi Access Points on Network Devices]] | Credential Access | DET0379 | Windows, Containers, Network |
| [[det0381-detect-access-and-decryption-of-group-policy-preference-gpp-credentials-\|DET0381 - Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL]] | Credential Access | DET0381 | Windows, IaaS, Containers |
| [[det0385-detect-access-and-parsing-of-bashhistory-files-for-credential-harvesting\|DET0385 - Detect Access and Parsing of .bash_history Files for Credential Harvesting]] | Credential Access | DET0385 | Linux, Containers |
| [[det0387-detect-arp-cache-poisoning-across-linux-windows-and-macos\|DET0387 - Detect ARP Cache Poisoning Across Linux, Windows, and macOS]] | Credential Access | DET0387 | Windows, Linux, macOS, Containers, Network |
| [[det0396-detect-access-to-macos-keychain-for-credential-theft\|DET0396 - Detect Access to macOS Keychain for Credential Theft]] | Credential Access | DET0396 | macOS, IaaS, Containers |
| [[det0412-detect-access-or-search-for-unsecured-credentials-across-platforms\|DET0412 - Detect Access or Search for Unsecured Credentials Across Platforms]] | Credential Access | DET0412 | Windows, Linux, IaaS |
| [[det0430-detect-credentials-access-from-password-stores\|DET0430 - Detect Credentials Access from Password Stores]] | Credential Access | DET0430 | Windows, macOS, Containers |
| [[det0437-detection-of-lsa-secrets-dumping-via-registry-and-memory-extraction\|DET0437 - Detection of LSA Secrets Dumping via Registry and Memory Extraction]] | Credential Access | DET0437 | Windows, Containers |
| [[det0446-credential-access-via-etcpasswd-and-etcshadow-parsing\|DET0446 - Credential Access via /etc/passwd and /etc/shadow Parsing]] | Credential Access | DET0446 | Linux, Containers |
| [[det0454-detect-malicious-modification-of-pluggable-authentication-modules-pam\|DET0454 - Detect Malicious Modification of Pluggable Authentication Modules (PAM)]] | Credential Access | DET0454 | Linux, Containers |
| [[det0460-credential-stuffing-detection-via-reused-breached-credentials-across-ser\|DET0460 - Credential Stuffing Detection via Reused Breached Credentials Across Services]] | Credential Access | DET0460 | Windows, Linux, macOS |
| [[det0462-detect-llmnrnbt-ns-poisoning-and-smb-relay-on-windows\|DET0462 - Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows]] | Credential Access | DET0462 | Windows, Containers, Network |
| [[det0463-brute-force-authentication-failures-with-multi-platform-log-correlation\|DET0463 - Brute Force Authentication Failures with Multi-Platform Log Correlation]] | Credential Access | DET0463 | Windows, IaaS, SaaS, Containers |
| [[det0468-detect-dhcp-spoofing-across-linux-windows-and-macos\|DET0468 - Detect DHCP Spoofing Across Linux, Windows, and macOS]] | Credential Access | DET0468 | Windows, Linux, macOS, Containers, Network |
| [[det0472-detect-malicious-password-filter-dll-registration\|DET0472 - Detect Malicious Password Filter DLL Registration]] | Credential Access | DET0472 | Windows, Containers |
| [[det0480-detection-of-credential-harvesting-via-web-portal-modification\|DET0480 - Detection of Credential Harvesting via Web Portal Modification]] | Credential Access | DET0480 | SaaS |
| [[det0487-distributed-password-spraying-via-authentication-failures-across-multipl\|DET0487 - Distributed Password Spraying via Authentication Failures Across Multiple Accounts]] | Credential Access | DET0487 | Windows, Linux, IaaS, SaaS |
| [[det0509-detection-of-web-session-cookie-theft-via-file-memory-and-network-artifa\|DET0509 - Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts]] | Credential Access | DET0509 | Windows, IaaS, SaaS, Containers, Network |
| [[det0513-detection-of-cached-domain-credential-dumping-via-local-hash-cache-acces\|DET0513 - Detection of Cached Domain Credential Dumping via Local Hash Cache Access]] | Credential Access | DET0513 | Windows, Containers |
| [[det0515-detection-strategy-for-t1528-steal-application-access-token\|DET0515 - Detection Strategy for T1528 - Steal Application Access Token]] | Credential Access | DET0515 | IaaS, SaaS, Containers |
| [[det0522-detect-kerberos-ticket-theft-or-forgery-t1558\|DET0522 - Detect Kerberos Ticket Theft or Forgery (T1558)]] | Credential Access | DET0522 | Windows, Network |
| [[det0536-detection-strategy-for-wi-fi-networks\|DET0536 - Detection Strategy for Wi-Fi Networks]] | Credential Access | DET0536 | Windows, macOS, IaaS, Containers, Network |
| [[det0549-detect-suspicious-access-to-private-key-files-and-export-attempts-across\|DET0549 - Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms]] | Credential Access | DET0549 | Windows, Linux, macOS |
| [[det0551-password-guessing-via-multi-source-authentication-failure-correlation\|DET0551 - Password Guessing via Multi-Source Authentication Failure Correlation]] | Credential Access | DET0551 | Windows, IaaS, SaaS |
| [[det0580-detect-network-provider-dll-registration-and-credential-capture\|DET0580 - Detect Network Provider DLL Registration and Credential Capture]] | Credential Access | DET0580 | Windows, Network |
| [[det0586-detection-of-ntdsdit-credential-dumping-from-domain-controllers\|DET0586 - Detection of NTDS.dit Credential Dumping from Domain Controllers]] | Credential Access | DET0586 | Windows, Containers |
| [[det0589-detect-modification-of-authentication-process-via-reversible-encryption\|DET0589 - Detect Modification of Authentication Process via Reversible Encryption]] | Credential Access | DET0589 | Windows, Containers |
| [[det0593-detecting-os-credential-dumping-via-proc-filesystem-access-on-linux\|DET0593 - Detecting OS Credential Dumping via /proc Filesystem Access on Linux]] | Credential Access | DET0593 | Linux, Containers |
| [[det0594-detection-of-unauthorized-dcsync-operations-via-replication-api-abuse\|DET0594 - Detection of Unauthorized DCSync Operations via Replication API Abuse]] | Credential Access | DET0594 | Windows, Containers, Network |
| [[det0597-detect-unauthorized-access-to-password-managers\|DET0597 - Detect Unauthorized Access to Password Managers]] | Credential Access | DET0597 | Containers |
| [[det0005-renamed-legitimate-utility-execution-with-metadata-mismatch-and-suspicio\|DET0005 - Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path]] | Defense Evasion | DET0005 | Windows, IaaS |
| [[det0006-detection-strategy-for-network-boundary-bridging\|DET0006 - Detection Strategy for Network Boundary Bridging]] | Defense Evasion | DET0006 | Windows, Containers, Network |
| [[det0008-behavioral-detection-of-remote-cloud-logins-via-valid-accounts\|DET0008 - Behavioral Detection of Remote Cloud Logins via Valid Accounts]] | Defense Evasion | DET0008 | IaaS |
| [[det0012-detection-strategy-for-vba-stomping\|DET0012 - Detection Strategy for VBA Stomping]] | Defense Evasion | DET0012 | Linux |
| [[det0015-detection-strategy-for-exclusive-control\|DET0015 - Detection Strategy for Exclusive Control]] | Defense Evasion | DET0015 | Windows, Linux, macOS |
| [[det0019-detection-strategy-for-stripped-payloads-across-platforms\|DET0019 - Detection Strategy for Stripped Payloads Across Platforms]] | Defense Evasion | DET0019 | Windows, Linux, macOS |
| [[det0023-obfuscated-binary-unpacking-detection-via-behavioral-patterns\|DET0023 - Obfuscated Binary Unpacking Detection via Behavioral Patterns]] | Defense Evasion | DET0023 | Windows, Linux, macOS |
| [[det0025-detecting-electron-application-abuse-for-proxy-execution\|DET0025 - Detecting Electron Application Abuse for Proxy Execution]] | Defense Evasion | DET0025 | Windows, Linux |
| [[det0031-invalid-code-signature-execution-detection-via-metadata-and-behavioral-c\|DET0031 - Invalid Code Signature Execution Detection via Metadata and Behavioral Context]] | Defense Evasion | DET0031 | Windows |
| [[det0032-detection-strategy-for-hidden-files-and-directories\|DET0032 - Detection Strategy for Hidden Files and Directories]] | Defense Evasion | DET0032 | Windows, Linux, macOS |
| [[det0040-detection-of-persistence-artifact-removal-across-host-platforms\|DET0040 - Detection of Persistence Artifact Removal Across Host Platforms]] | Defense Evasion | DET0040 | Windows, Linux, macOS, Containers |
| [[det0042-detection-strategy-for-t1218012-verclsid-abuse\|DET0042 - Detection Strategy for T1218.012 Verclsid Abuse]] | Defense Evasion | DET0042 | Windows, IaaS, Network |
| [[det0045-detection-strategy-for-process-argument-spoofing-on-windows\|DET0045 - Detection Strategy for Process Argument Spoofing on Windows]] | Defense Evasion | DET0045 | Windows, Containers |
| [[det0046-detection-strategy-for-t1497-virtualizationsandbox-evasion\|DET0046 - Detection Strategy for T1497 Virtualization/Sandbox Evasion]] | Defense Evasion | DET0046 | Windows, Linux, macOS |
| [[det0049-behavioral-detection-of-network-history-and-configuration-tampering\|DET0049 - Behavioral Detection of Network History and Configuration Tampering]] | Defense Evasion | DET0049 | Windows, Linux, macOS, Network |
| [[det0051-detection-strategy-for-filepath-exclusions\|DET0051 - Detection Strategy for File/Path Exclusions]] | Defense Evasion | DET0051 | Windows, Containers |
| [[det0056-detection-strategy-for-subvert-trust-controls-via-install-root-certifica\|DET0056 - Detection Strategy for Subvert Trust Controls via Install Root Certificate.]] | Defense Evasion | DET0056 | Windows |
| [[det0062-detection-strategy-for-disable-or-modify-linux-audit-system\|DET0062 - Detection Strategy for Disable or Modify Linux Audit System]] | Defense Evasion | DET0062 | Linux |
| [[det0067-detection-strategy-for-ignore-process-interrupts\|DET0067 - Detection Strategy for Ignore Process Interrupts]] | Defense Evasion | DET0067 | Linux, IaaS, Containers |
| [[det0081-detection-of-proxy-execution-via-trusted-signed-binaries-across-platform\|DET0081 - Detection of Proxy Execution via Trusted Signed Binaries Across Platforms]] | Defense Evasion | DET0081 | Windows, Linux, macOS |
| [[det0084-detection-strategy-for-modify-cloud-compute-infrastructure-delete-cloud-\|DET0084 - Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance]] | Defense Evasion | DET0084 | IaaS, Containers |
| [[det0087-encrypted-or-encoded-file-payload-detection-strategy\|DET0087 - Encrypted or Encoded File Payload Detection Strategy]] | Defense Evasion | DET0087 | Windows, Containers |
| [[det0091-detection-strategy-for-dynamic-api-resolution-via-hash-based-function-lo\|DET0091 - Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups]] | Defense Evasion | DET0091 | Windows, Containers |
| [[det0098-detect-abuse-of-windows-bits-jobs-for-download-execution-and-persistence\|DET0098 - Detect abuse of Windows BITS Jobs for download, execution and persistence]] | Defense Evasion | DET0098 | Windows |
| [[det0099-detection-strategy-for-t1542001-pre-os-boot-system-firmware\|DET0099 - Detection Strategy for T1542.001 Pre-OS Boot: System Firmware]] | Defense Evasion | DET0099 | Windows |
| [[det0100-behavioral-detection-of-asynchronous-procedure-call-apc-injection-via-re\|DET0100 - Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing]] | Defense Evasion | DET0100 | Windows |
| [[det0103-behavioral-detection-of-network-share-connection-removal-via-cli-and-smb\|DET0103 - Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects]] | Defense Evasion | DET0103 | Windows, Network |
| [[det0106-behavioral-detection-of-pe-injection-via-remote-memory-mapping\|DET0106 - Behavioral Detection of PE Injection via Remote Memory Mapping]] | Defense Evasion | DET0106 | Windows |
| [[det0109-detection-strategy-for-plist-file-modification-t1647\|DET0109 - Detection Strategy for Plist File Modification (T1647)]] | Defense Evasion | DET0109 | macOS, IaaS |
| [[det0116-detection-strategy-for-safe-mode-boot-abuse\|DET0116 - Detection Strategy for Safe Mode Boot Abuse]] | Defense Evasion | DET0116 | Windows, Network |
| [[det0117-detection-of-masqueraded-tasks-or-services-with-suspicious-naming-and-ex\|DET0117 - Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution]] | Defense Evasion |
DET0117 | Windows | | [[det0119-detection-strategy-for-steganographic-abuse-in-file-script-execution\|DET0119 - Detection Strategy for Steganographic Abuse in File & Script Execution]] | Defense Evasion | DET0119 | Windows, Containers | | [[det0127-behavioral-detection-of-masquerading-across-platforms-via-metadata-and-e\|DET0127 - Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy]] | Defense Evasion | DET0127 | Windows, Linux, macOS, IaaS | | [[det0128-detection-strategy-for-hidden-windows\|DET0128 - Detection Strategy for Hidden Windows]] | Defense Evasion | DET0128 | Windows | | [[det0132-detection-of-mutex-based-execution-guardrails-across-platforms\|DET0132 - Detection of Mutex-Based Execution Guardrails Across Platforms]] | Defense Evasion | DET0132 | Windows, Linux, IaaS, Network | | [[det0136-behavior-chain-detection-for-t1134005-access-token-manipulation-sid-hist\|DET0136 - Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)]] | Defense Evasion | DET0136 | Windows, IaaS, Containers, Network | | [[det0138-detection-of-malicious-code-execution-via-installutilexe\|DET0138 - Detection of Malicious Code Execution via InstallUtil.exe]] | Defense Evasion | DET0138 | Windows | | [[det0140-behavioral-detection-of-malicious-file-deletion\|DET0140 - Behavioral Detection of Malicious File Deletion]] | Defense Evasion | DET0140 | Windows, Linux | | [[det0141-detect-time-based-evasion-via-sleep-timer-loops-and-delayed-execution\|DET0141 - Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution]] | Defense Evasion | DET0141 | Windows | | [[det0145-detection-of-disabled-or-modified-system-firewalls-across-os-platforms\|DET0145 - Detection of Disabled or Modified System Firewalls across OS Platforms]] | Defense Evasion | DET0145 | Windows, Linux, macOS, Network | | [[det0150-detection-strategy-for-file-creation-or-modification-of-boot-files\|DET0150 - Detection Strategy 
for File Creation or Modification of Boot Files]] | Defense Evasion | DET0150 | Windows, Linux | | [[det0155-detection-strategy-for-modify-cloud-resource-hierarchy\|DET0155 - Detection Strategy for Modify Cloud Resource Hierarchy]] | Defense Evasion | DET0155 | IaaS, Containers | | [[det0158-detection-of-msiexec-abuse-for-local-network-and-dll-execution\|DET0158 - Detection of Msiexec Abuse for Local, Network, and DLL Execution]] | Defense Evasion | DET0158 | Windows, Containers, Network | | [[det0162-socket-filter-trigger-on-host-raw-socket-activity-reverse-connection-t12\|DET0162 - Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)]] | Defense Evasion | DET0162 | Linux, Network | | [[det0164-detection-strategy-for-overwritten-process-arguments-masquerading\|DET0164 - Detection Strategy for Overwritten Process Arguments Masquerading]] | Defense Evasion | DET0164 | Windows, Linux, IaaS | | [[det0165-behavioral-detection-of-command-history-clearing\|DET0165 - Behavioral Detection of Command History Clearing]] | Defense Evasion | DET0165 | Linux | | [[det0167-firmware-modification-via-flash-tool-or-corrupted-firmware-upload\|DET0167 - Firmware Modification via Flash Tool or Corrupted Firmware Upload]] | Defense Evasion | DET0167 | IaaS, Containers, Network | | [[det0168-virtualizationsandbox-evasion-via-system-checks-across-windows-linux-mac\|DET0168 - Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS]] | Defense Evasion | DET0168 | Windows, Linux, macOS | | [[det0170-detection-strategy-for-modify-system-image-on-network-devices\|DET0170 - Detection Strategy for Modify System Image on Network Devices]] | Defense Evasion | DET0170 | Windows, Linux, IaaS, Containers, Network | | [[det0172-behavior-chain-platform-aware-detection-strategy-for-t1127-trusted-devel\|DET0172 - Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)]] | Defense Evasion | 
DET0172 | Windows, Network | | [[det0175-detection-strategy-for-t1542004-pre-os-boot-rommonkit\|DET0175 - Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit]] | Defense Evasion | DET0175 | Windows, Linux, IaaS, Containers, Network | | [[det0184-behavioral-detection-of-indicator-removal-across-platforms\|DET0184 - Behavioral Detection of Indicator Removal Across Platforms]] | Defense Evasion | DET0184 | Windows, Linux | | [[det0185-behavioral-detection-strategy-for-use-alternate-authentication-material-\|DET0185 - Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)]] | Defense Evasion | DET0185 | IaaS, SaaS, Containers | | [[det0187-detect-disabled-windows-event-logging\|DET0187 - Detect disabled Windows event logging]] | Defense Evasion | DET0187 | Windows, Network | | [[det0189-detection-strategy-for-indicator-removal-from-tools-post-av-evasion-modi\|DET0189 - Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification]] | Defense Evasion | DET0189 | Windows, Linux, macOS | | [[det0191-behavior-chain-detection-strategy-for-t1127002-trusted-developer-utiliti\|DET0191 - Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)]] | Defense Evasion | DET0191 | Windows | | [[det0192-detection-strategy-for-email-hiding-rules\|DET0192 - Detection Strategy for Email Hiding Rules]] | Defense Evasion | DET0192 | Windows, IaaS, SaaS | | [[det0194-detection-of-malicious-control-panel-item-execution-via-controlexe-or-ru\|DET0194 - Detection of Malicious Control Panel Item Execution via control.exe or Rundll32]] | Defense Evasion | DET0194 | Windows, Containers | | [[det0200-indirect-command-execution-windows-utility-abuse-behavior-chain\|DET0200 - Indirect Command Execution – Windows utility abuse behavior chain]] | Defense Evasion | DET0200 | Windows, Linux | | 
[[det0203-detection-strategy-for-ptrace-based-process-injection-on-linux\|DET0203 - Detection Strategy for Ptrace-Based Process Injection on Linux]] | Defense Evasion | DET0203 | Linux | | [[det0205-detect-xsl-script-abuse-via-msxsl-and-wmic\|DET0205 - Detect XSL Script Abuse via msxsl and wmic]] | Defense Evasion | DET0205 | Windows, Containers | | [[det0210-abuse-of-domain-accounts\|DET0210 - Abuse of Domain Accounts]] | Defense Evasion | DET0210 | Windows, Linux, macOS | | [[det0214-detection-strategy-for-embedded-payloads\|DET0214 - Detection Strategy for Embedded Payloads]] | Defense Evasion | DET0214 | Windows | | [[det0217-detection-strategy-for-extra-window-memory-ewm-injection-on-windows\|DET0217 - Detection Strategy for Extra Window Memory (EWM) Injection on Windows]] | Defense Evasion | DET0217 | Windows, Containers | | [[det0222-detecting-mmc-msc-proxy-execution-and-malicious-com-activation\|DET0222 - Detecting MMC (.msc) Proxy Execution and Malicious COM Activation]] | Defense Evasion | DET0222 | Windows, IaaS, Network | | [[det0226-detection-strategy-for-masquerading-via-file-type-modification\|DET0226 - Detection Strategy for Masquerading via File Type Modification]] | Defense Evasion | DET0226 | Windows, IaaS | | [[det0230-detect-suspicious-or-malicious-code-signing-abuse\|DET0230 - Detect Suspicious or Malicious Code Signing Abuse]] | Defense Evasion | DET0230 | Windows | | [[det0235-detecting-steganographic-command-and-control-via-file-network-correlatio\|DET0235 - Detecting Steganographic Command and Control via File + Network Correlation]] | Defense Evasion | DET0235 | Windows, IaaS, Containers, Network | | [[det0239-detection-strategy-for-impair-defenses-indicator-blocking\|DET0239 - Detection Strategy for Impair Defenses Indicator Blocking]] | Defense Evasion | DET0239 | Windows | | [[det0243-detection-strategy-for-weaken-encryption-reduce-key-space-on-network-dev\|DET0243 - Detection Strategy for Weaken Encryption: Reduce Key Space on Network 
Devices]] | Defense Evasion | DET0243 | Windows, Linux, IaaS, Containers, Network | | [[det0247-detection-of-adversary-use-of-unused-or-unsupported-cloud-regions-iaas\|DET0247 - Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)]] | Defense Evasion | DET0247 | Windows, IaaS, Containers, Network | | [[det0249-behavior-chain-detection-for-t1610-deploy-container-across-docker-kubern\|DET0249 - Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes]] | Defense Evasion | DET0249 | Windows, Linux, IaaS, Containers, Network | | [[det0257-detect-mark-of-the-web-motw-bypass-via-container-and-disk-image-files\|DET0257 - Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files]] | Defense Evasion | DET0257 | Windows, Containers | | [[det0266-behavioral-detection-of-mailbox-data-and-log-deletion-for-anti-forensics\|DET0266 - Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics]] | Defense Evasion | DET0266 | SaaS | | [[det0270-detection-of-domain-or-tenant-policy-modifications-via-ad-and-identity-p\|DET0270 - Detection of Domain or Tenant Policy Modifications via AD and Identity Provider]] | Defense Evasion | DET0270 | Windows, IaaS, Containers | | [[det0272-detect-modification-of-network-device-authentication-via-patched-system-\|DET0272 - Detect Modification of Network Device Authentication via Patched System Images]] | Defense Evasion | DET0272 | Windows, Network | | [[det0275-detect-adversary-deobfuscation-or-decoding-of-files-and-payloads\|DET0275 - Detect Adversary Deobfuscation or Decoding of Files and Payloads]] | Defense Evasion | DET0275 | Windows | | [[det0276-detection-strategy-for-rogue-domain-controller-dcshadow-registration-and\|DET0276 - Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse]] | Defense Evasion | DET0276 | Windows, IaaS, Network | | [[det0278-detection-strategy-for-t1542-pre-os-boot\|DET0278 - Detection 
Strategy for T1542 Pre-OS Boot]] | Defense Evasion | DET0278 | Windows, Linux, macOS | | [[det0282-detection-strategy-for-system-binary-proxy-execution-regsvr32\|DET0282 - Detection Strategy for System Binary Proxy Execution: Regsvr32]] | Defense Evasion | DET0282 | Windows, Containers | | [[det0283-behavior-chain-detection-for-t1134-access-token-manipulation-on-windows\|DET0283 - Behavior-chain detection for T1134 Access Token Manipulation on Windows]] | Defense Evasion | DET0283 | Windows | | [[det0286-detection-strategy-for-impersonation\|DET0286 - Detection Strategy for Impersonation]] | Defense Evasion | DET0286 | Windows | | [[det0288-detect-gatekeeper-bypass-via-quarantine-flag-and-trust-control-manipulat\|DET0288 - Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation]] | Defense Evasion | DET0288 | Linux, macOS, IaaS | | [[det0289-detection-strategy-for-disable-or-modify-cloud-logs\|DET0289 - Detection Strategy for Disable or Modify Cloud Logs]] | Defense Evasion | DET0289 | IaaS | | [[det0291-detection-of-cloud-service-dashboard-usage-via-gui-based-cloud-access\|DET0291 - Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access]] | Defense Evasion | DET0291 | IaaS, Containers | | [[det0292-masquerading-via-space-after-filename-behavioral-detection-strategy\|DET0292 - Masquerading via Space After Filename - Behavioral Detection Strategy]] | Defense Evasion | DET0292 | Linux, macOS, Containers | | [[det0295-behavioral-detection-of-thread-execution-hijacking-via-thread-suspension\|DET0295 - Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching]] | Defense Evasion | DET0295 | Windows | | [[det0299-multi-platform-file-and-directory-permissions-modification-detection-str\|DET0299 - Multi-Platform File and Directory Permissions Modification Detection Strategy]] | Defense Evasion | DET0299 | Windows, Linux, macOS | | [[det0300-detection-strategy-for-reflective-code-loading\|DET0300 - 
Detection Strategy for Reflective Code Loading]] | Defense Evasion | DET0300 | Windows | | [[det0302-port-knock-ruledaemon-change-first-successful-connect-t1205001\|DET0302 - Port-knock → rule/daemon change → first successful connect (T1205.001)]] | Defense Evasion | DET0302 | Windows, Linux, IaaS, Network | | [[det0305-detection-of-group-policy-modifications-via-ad-object-changes-and-file-a\|DET0305 - Detection of Group Policy Modifications via AD Object Changes and File Activity]] | Defense Evasion | DET0305 | Windows, Containers | | [[det0306-unauthorized-network-firewall-rule-modification-t1562013\|DET0306 - Unauthorized Network Firewall Rule Modification (T1562.013)]] | Defense Evasion | DET0306 | Windows, Linux, IaaS, Network | | [[det0308-detection-strategy-for-modify-cloud-compute-infrastructure\|DET0308 - Detection Strategy for Modify Cloud Compute Infrastructure]] | Defense Evasion | DET0308 | IaaS, Containers | | [[det0311-detection-for-spoofing-security-alerting-across-os-platforms\|DET0311 - Detection for Spoofing Security Alerting across OS Platforms]] | Defense Evasion | DET0311 | Windows, Linux, macOS, IaaS, Containers | | [[det0313-detection-strategy-for-html-smuggling-via-javascript-blob-dynamic-file-d\|DET0313 - Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop]] | Defense Evasion | DET0313 | Windows, Linux, macOS | | [[det0317-detection-strategy-for-impair-defenses-across-platforms\|DET0317 - Detection Strategy for Impair Defenses Across Platforms]] | Defense Evasion | DET0317 | Windows, Linux, macOS, Network | | [[det0321-detection-strategy-for-hidden-virtual-instance-execution\|DET0321 - Detection Strategy for Hidden Virtual Instance Execution]] | Defense Evasion | DET0321 | Containers | | [[det0322-detection-strategy-for-junk-code-obfuscation-with-suspicious-execution-p\|DET0322 - Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns]] | Defense Evasion | DET0322 | Windows | | 
[[det0323-detection-strategy-for-t1542002-pre-os-boot-component-firmware\|DET0323 - Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware]] | Defense Evasion | DET0323 | Windows, Containers, Network | | [[det0324-detection-strategy-for-polymorphic-code-mutation-and-execution\|DET0324 - Detection Strategy for Polymorphic Code Mutation and Execution]] | Defense Evasion | DET0324 | Windows, Linux, macOS | | [[det0328-detection-of-malicious-profile-installation-via-cmstpexe\|DET0328 - Detection of Malicious Profile Installation via CMSTP.exe]] | Defense Evasion | DET0328 | Windows, IaaS | | [[det0331-detection-strategy-for-listplanting-injection-on-windows\|DET0331 - Detection Strategy for ListPlanting Injection on Windows]] | Defense Evasion | DET0331 | Windows, Containers | | [[det0337-detection-strategy-for-modify-cloud-compute-infrastructure-revert-cloud-\|DET0337 - Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance]] | Defense Evasion | DET0337 | IaaS | | [[det0338-behavioral-detection-strategy-for-use-alternate-authentication-material-\|DET0338 - Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)]] | Defense Evasion | DET0338 | Windows, Linux, macOS | | [[det0339-detection-strategy-for-weaken-encryption-on-network-devices\|DET0339 - Detection Strategy for Weaken Encryption on Network Devices]] | Defense Evasion | DET0339 | Windows, Linux, IaaS, Network | | [[det0342-detection-of-suspicious-compiled-html-file-execution-via-hhexe\|DET0342 - Detection of Suspicious Compiled HTML File Execution via hh.exe]] | Defense Evasion | DET0342 | Windows, Containers | | [[det0344-detection-strategy-for-fileless-storage-via-registry-wmi-and-shared-memo\|DET0344 - Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory]] | Defense Evasion | DET0344 | Windows | | [[det0347-detection-strategy-for-masquerading-via-legitimate-resource-name-or-loca\|DET0347 - Detection Strategy for 
Masquerading via Legitimaté Resource Name or Location]] | Defense Evasion | DET0347 | Windows, Containers | | [[det0350-detecting-downgrade-attacks\|DET0350 - Detecting Downgrade Attacks]] | Defense Evasion | DET0350 | Windows | | [[det0351-unix-like-file-permission-manipulation-behavioral-chain-detection-strate\|DET0351 - Unix-like File Permission Manipulation Behavioral Chain Detection Strategy]] | Defense Evasion | DET0351 | Linux, macOS, Containers | | [[det0352-detection-strategy-for-t1550003-pass-the-ticket-windows\|DET0352 - Detection Strategy for T1550.003 - Pass the Ticket (Windows)]] | Defense Evasion | DET0352 | Windows | | [[det0353-detection-strategy-for-hidden-user-accounts\|DET0353 - Detection Strategy for Hidden User Accounts]] | Defense Evasion | DET0353 | Windows, Linux, macOS, IaaS | | [[det0361-detecting-net-com-registration-abuse-via-regsvcsregasm\|DET0361 - Detecting .NET COM Registration Abuse via Regsvcs/Regasm]] | Defense Evasion | DET0361 | Windows, IaaS | | [[det0366-detection-strategy-for-double-file-extension-masquerading\|DET0366 - Detection Strategy for Double File Extension Masquerading]] | Defense Evasion | DET0366 | Windows | | [[det0368-hardware-supply-chain-compromise-detection-via-host-status-boot-integrit\|DET0368 - Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks]] | Defense Evasion | DET0368 | IaaS, Containers | | [[det0371-detection-strategy-for-debugger-evasion-t1622\|DET0371 - Detection Strategy for Debugger Evasion (T1622)]] | Defense Evasion | DET0371 | Windows, Containers | | [[det0372-multi-platform-detection-strategy-for-t1678-delay-execution\|DET0372 - Multi-Platform Detection Strategy for T1678 - Delay Execution]] | Defense Evasion | DET0372 | Windows, Linux, macOS | | [[det0377-detection-of-kerneluser-level-rootkit-behavior-across-platforms\|DET0377 - Detection of Kernel/User-Level Rootkit Behavior Across Platforms]] | Defense Evasion | DET0377 | Windows, Linux, IaaS | | 
[[det0378-behavioral-detection-of-obfuscated-files-or-information\|DET0378 - Behavioral Detection of Obfuscated Files or Information]] | Defense Evasion | DET0378 | Windows | | [[det0382-detection-strategy-for-process-hollowing-on-windows\|DET0382 - Detection Strategy for Process Hollowing on Windows]] | Defense Evasion | DET0382 | Windows, IaaS | | [[det0383-detection-strategy-for-masquerading-via-account-name-similarity\|DET0383 - Detection Strategy for Masquerading via Account Name Similarity]] | Defense Evasion | DET0383 | Windows, IaaS, Containers | | [[det0389-behavioral-detection-of-dll-injection-via-windows-api\|DET0389 - Behavioral Detection of DLL Injection via Windows API]] | Defense Evasion | DET0389 | Windows | | [[det0406-detection-strategy-for-extended-attributes-abuse\|DET0406 - Detection Strategy for Extended Attributes Abuse]] | Defense Evasion | DET0406 | Windows, Linux, macOS, Containers | | [[det0407-detection-of-local-account-abuse-for-initial-access-and-persistence\|DET0407 - Detection of Local Account Abuse for Initial Access and Persistence]] | Defense Evasion | DET0407 | Windows, Linux, macOS, IaaS | | [[det0409-detection-strategy-for-t1550002-pass-the-hash-windows\|DET0409 - Detection Strategy for T1550.002 - Pass the Hash (Windows)]] | Defense Evasion | DET0409 | Windows, IaaS | | [[det0418-windows-dacl-manipulation-behavioral-chain-detection-strategy\|DET0418 - Windows DACL Manipulation Behavioral Chain Detection Strategy]] | Defense Evasion | DET0418 | Windows | | [[det0420-detect-user-activity-based-sandbox-evasion-via-input-artifact-probing\|DET0420 - Detect User Activity Based Sandbox Evasion via Input & Artifact Probing]] | Defense Evasion | DET0420 | Windows | | [[det0423-detection-strategy-for-modify-cloud-compute-infrastructure-create-snapsh\|DET0423 - Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot]] | Defense Evasion | DET0423 | IaaS, Containers | | 
[[det0424-detection-strategy-for-disable-or-modify-cloud-firewall\|DET0424 - Detection Strategy for Disable or Modify Cloud Firewall]] | Defense Evasion | DET0424 | Windows, IaaS, Containers, Network | | [[det0426-detection-of-direct-volume-access-for-file-system-evasion\|DET0426 - Detection of Direct Volume Access for File System Evasion]] | Defense Evasion | DET0426 | Windows, Linux, Containers | | [[det0428-detection-strategy-for-bind-mounts-on-linux\|DET0428 - Detection Strategy for Bind Mounts on Linux]] | Defense Evasion | DET0428 | Linux, Containers | | [[det0432-detection-strategy-for-ntfs-file-attribute-abuse-adseas\|DET0432 - Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)]] | Defense Evasion | DET0432 | Windows, Containers | | [[det0433-detecting-code-injection-via-mavinjectexe-app-v-injector\|DET0433 - Detecting Code Injection via mavinject.exe (App-V Injector)]] | Defense Evasion | DET0433 | Windows, IaaS, Containers | | [[det0439-detection-of-malware-relocation-via-suspicious-file-movement\|DET0439 - Detection of Malware Relocation via Suspicious File Movement]] | Defense Evasion | DET0439 | Windows, Linux | | [[det0442-detection-strategy-for-subvert-trust-controls-using-sip-and-trust-provid\|DET0442 - Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking.]] | Defense Evasion | DET0442 | Windows, IaaS, Containers | | [[det0443-detection-strategy-for-masquerading-via-breaking-process-trees\|DET0443 - Detection Strategy for Masquerading via Breaking Process Trees]] | Defense Evasion | DET0443 | Windows, IaaS, Containers | | [[det0448-detection-strategy-for-vdso-hijacking-on-linux\|DET0448 - Detection Strategy for VDSO Hijacking on Linux]] | Defense Evasion | DET0448 | Linux, Containers | | [[det0449-detection-strategy-for-modify-cloud-compute-infrastructure-create-cloud-\|DET0449 - Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance]] | Defense Evasion | DET0449 | IaaS, Containers | 
| [[det0452-detect-subversion-of-trust-controls-via-certificate-registry-and-attribu\|DET0452 - Detect Subversion of Trust Controls via Certificaté, Registry, and Attribute Manipulation]] | Defense Evasion | DET0452 | Windows | | [[det0456-behavior-chain-detection-for-t1134002-create-process-with-token-windows\|DET0456 - Behavior-chain detection for T1134.002 Create Process with Token (Windows)]] | Defense Evasion | DET0456 | Windows | | [[det0458-detection-of-trust-relationship-modifications-in-domain-or-tenant-polici\|DET0458 - Detection of Trust Relationship Modifications in Domain or Tenant Policies]] | Defense Evasion | DET0458 | Windows, IaaS, Containers | | [[det0459-detection-strategy-for-build-image-on-host\|DET0459 - Detection Strategy for Build Image on Host]] | Defense Evasion | DET0459 | Windows, IaaS, Containers | | [[det0461-detection-strategy-for-hidden-file-system-abuse\|DET0461 - Detection Strategy for Hidden File System Abuse]] | Defense Evasion | DET0461 | Windows, Linux, Containers | | [[det0465-detection-of-default-account-abuse-across-platforms\|DET0465 - Detection of Default Account Abuse Across Platforms]] | Defense Evasion | DET0465 | Windows, IaaS, Network | | [[det0466-detection-of-script-based-proxy-execution-via-signed-microsoft-utilities\|DET0466 - Detection of Script-Based Proxy Execution via Signed Microsoft Utilities]] | Defense Evasion | DET0466 | Windows, IaaS, Containers | | [[det0467-detection-strategy-for-tls-callback-injection-via-pe-memory-modification\|DET0467 - Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing]] | Defense Evasion | DET0467 | Windows | | [[det0469-detection-strategy-for-patch-system-image-on-network-devices\|DET0469 - Detection Strategy for Patch System Image on Network Devices]] | Defense Evasion | DET0469 | Windows, IaaS, Containers, Network | | [[det0474-environmental-keying-discovery-to-decryption-behavioral-chain-detection-\|DET0474 - Environmental Keying 
Discovery-to-Decryption Behavioral Chain Detection Strategy]] | Defense Evasion | DET0474 | Windows | | [[det0475-detection-strategy-for-t1218011-rundll32-abuse\|DET0475 - Detection Strategy for T1218.011 Rundll32 Abuse]] | Defense Evasion | DET0475 | Windows | | [[det0482-behavior-chain-detection-for-t1134001-access-token-manipulation-token-im\|DET0482 - Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows]] | Defense Evasion | DET0482 | Windows, IaaS, Containers | | [[det0486-detecting-odbcconf-proxy-execution-of-malicious-dlls\|DET0486 - Detecting Odbcconf Proxy Execution of Malicious DLLs]] | Defense Evasion | DET0486 | Windows, Containers | | [[det0489-behavior-chain-detection-for-t1134004-access-token-manipulation-parent-p\|DET0489 - Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)]] | Defense Evasion | DET0489 | Windows, Containers | | [[det0492-detection-strategy-for-modify-cloud-compute-infrastructure-modify-cloud-\|DET0492 - Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations]] | Defense Evasion | DET0492 | Windows, IaaS, Containers, Network | | [[det0494-detection-strategy-for-weaken-encryption-disable-crypto-hardware-on-netw\|DET0494 - Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices]] | Defense Evasion | DET0494 | Windows, Linux, IaaS, Containers, Network | | [[det0497-detection-of-impair-defenses-through-disabled-or-modified-tools-across-o\|DET0497 - Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms.]] | Defense Evasion | DET0497 | Windows, Linux, macOS | | [[det0498-behaviorchain-detection-for-t1134003-make-and-impersonate-token-windows\|DET0498 - Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows)]] | Defense Evasion | DET0498 | Windows, Containers, Network | | 
[[det0501-detection-strategy-for-compile-after-delivery-source-code-to-executable-\|DET0501 - Detection Strategy for Compile After Delivery - Source Code to Executable Transformation]] | Defense Evasion | DET0501 | Windows, Containers |
| [[det0502-detection-strategy-for-hidden-artifacts-across-platforms\|DET0502 - Detection Strategy for Hidden Artifacts Across Platforms]] | Defense Evasion | DET0502 | Windows, Linux, macOS, Containers |
| [[det0505-detection-strategy-for-command-obfuscation\|DET0505 - Detection Strategy for Command Obfuscation]] | Defense Evasion | DET0505 | Windows, Linux |
| [[det0506-detecting-mshta-based-proxy-execution-via-suspicious-hta-or-script-invoc\|DET0506 - Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation]] | Defense Evasion | DET0506 | Windows, Containers |
| [[det0508-behavioral-detection-of-process-injection-across-platforms\|DET0508 - Behavioral Detection of Process Injection Across Platforms]] | Defense Evasion | DET0508 | Windows, Linux, macOS |
| [[det0520-behavioral-detection-of-log-file-clearing-on-linux-and-macos\|DET0520 - Behavioral Detection of Log File Clearing on Linux and macOS]] | Defense Evasion | DET0520 | Linux, macOS |
| [[det0523-detect-code-signing-policy-modification-windows-macos\|DET0523 - Detect Code Signing Policy Modification (Windows & macOS)]] | Defense Evasion | DET0523 | Windows, macOS, IaaS, Containers |
| [[det0524-traffic-signaling-port-knock-magic-packet-firewall-or-service-activation\|DET0524 - Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205]] | Defense Evasion | DET0524 | Windows, Linux, Containers, Network |
| [[det0527-right-to-left-override-masquerading-detection-via-filename-and-execution\|DET0527 - Right-to-Left Override Masquerading Detection via Filename and Execution Context]] | Defense Evasion | DET0527 | Windows, IaaS, Containers |
| [[det0528-detecting-remote-script-proxy-execution-via-pubprnvbs\|DET0528 - Detecting Remote Script Proxy Execution via PubPrn.vbs]] | Defense Evasion | DET0528 | Windows |
| [[det0532-detection-of-event-log-clearing-on-windows-via-behavioral-chain\|DET0532 - Detection of Event Log Clearing on Windows via Behavioral Chain]] | Defense Evasion | DET0532 | Windows, Network |
| [[det0535-detect-abuse-of-vsphere-installation-bundles-vibs-for-persistent-access\|DET0535 - Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access]] | Defense Evasion | DET0535 | Windows, Linux, Containers, Network |
| [[det0539-detection-strategy-for-cloud-application-integration\|DET0539 - Detection Strategy for Cloud Application Integration]] | Defense Evasion | DET0539 | IaaS, SaaS |
| [[det0541-detection-strategy-for-proc-memory-injection-on-linux\|DET0541 - Detection Strategy for /proc Memory Injection on Linux]] | Defense Evasion | DET0541 | Windows, Linux |
| [[det0544-detection-strategy-for-process-doppelgnging-on-windows\|DET0544 - Detection Strategy for Process Doppelgänging on Windows]] | Defense Evasion | DET0544 | Windows |
| [[det0546-detection-of-abused-or-compromised-cloud-accounts-for-access-and-persist\|DET0546 - Detection of Abused or Compromised Cloud Accounts for Access and Persistence]] | Defense Evasion | DET0546 | IaaS, SaaS, Containers |
| [[det0553-detection-strategy-for-obfuscated-files-or-information-binary-padding\|DET0553 - Detection Strategy for Obfuscated Files or Information: Binary Padding]] | Defense Evasion | DET0553 | Windows, IaaS |
| [[det0556-behavior-chain-detection-strategy-for-t1127001-trusted-developer-utiliti\|DET0556 - Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)]] | Defense Evasion | DET0556 | Windows, IaaS, Network |
| [[det0560-detection-of-valid-account-abuse-across-platforms\|DET0560 - Detection of Valid Account Abuse Across Platforms]] | Defense Evasion | DET0560 | Windows, Linux, macOS, IaaS, SaaS |
| [[det0562-multi-platform-execution-guardrails-environmental-validation-detection-s\|DET0562 - Multi-Platform Execution Guardrails Environmental Validation Detection Strategy]] | Defense Evasion | DET0562 | Windows, Linux, Containers |
| [[det0563-detection-strategy-for-impair-defenses-via-impair-command-history-loggin\|DET0563 - Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms.]] | Defense Evasion | DET0563 | Windows, Linux, macOS |
| [[det0566-template-injection-detection-windows\|DET0566 - Template Injection Detection - Windows]] | Defense Evasion | DET0566 | Windows, Containers |
| [[det0569-detection-strategy-for-downgrade-system-image-on-network-devices\|DET0569 - Detection Strategy for Downgrade System Image on Network Devices]] | Defense Evasion | DET0569 | Windows, IaaS, Containers, Network |
| [[det0572-suspicious-rolebinding-or-clusterrolebinding-assignment-in-kubernetes\|DET0572 - Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes]] | Defense Evasion | DET0572 | IaaS, Containers |
| [[det0582-detection-strategy-for-t1542005-pre-os-boot-tftp-boot\|DET0582 - Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot]] | Defense Evasion | DET0582 | IaaS, Containers, Network |
| [[det0584-detection-strategy-for-resource-forking-on-macos\|DET0584 - Detection Strategy for Resource Forking on macOS]] | Defense Evasion | DET0584 | Windows, Linux, macOS, IaaS, Containers |
| [[det0585-behavior-chain-detection-strategy-for-t1127003-trusted-developer-utiliti\|DET0585 - Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)]] | Defense Evasion | DET0585 | Windows, Containers |
| [[det0591-cross-platform-behavioral-detection-of-file-timestomping-via-metadata-ta\|DET0591 - Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering]] | Defense Evasion | DET0591 | Windows, Linux, macOS, Containers |
| [[det0595-detection-strategy-for-exploitation-for-defense-evasion\|DET0595 - Detection Strategy for Exploitation for Defense Evasion]] | Defense Evasion | DET0595 | Windows, Network |
| [[det0833-detection-of-code-signing-certificates\|DET0833 - Detection of Code Signing Certificates]] | Defense Evasion | DET0833 | IaaS, Containers |
| [[det0840-detection-of-install-digital-certificate\|DET0840 - Detection of Install Digital Certificate]] | Defense Evasion | DET0840 | Windows, macOS, Network |
| [[det0897-detection-of-selective-exclusion\|DET0897 - Detection of Selective Exclusion]] | Defense Evasion | DET0897 | Containers |
| [[det0007-detection-of-domain-trust-discovery-via-api-script-and-cli-enumeration\|DET0007 - Detection of Domain Trust Discovery via API, Script, and CLI Enumeration]] | Discovery | DET0007 | Windows, Containers |
| [[det0016-security-software-discovery-across-platforms\|DET0016 - Security Software Discovery Across Platforms]] | Discovery | DET0016 | Windows, Linux, macOS, Network |
| [[det0034-detection-of-adversarial-process-discovery-behavior\|DET0034 - Detection of Adversarial Process Discovery Behavior]] | Discovery | DET0034 | Windows, Linux, macOS, Containers |
| [[det0043-detection-strategy-for-system-location-discovery\|DET0043 - Detection Strategy for System Location Discovery]] | Discovery | DET0043 | Windows, Network |
| [[det0055-detection-strategy-for-group-policy-discovery-on-windows\|DET0055 - Detection strategy for Group Policy Discovery on Windows]] | Discovery | DET0055 | Windows, Containers, Network |
| [[det0088-backup-software-discovery-via-cli-registry-and-process-inspection-t15180\|DET0088 - Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)]] | Discovery | DET0088 | Windows, IaaS |
| [[det0093-behavioral-detection-of-user-discovery-via-local-and-remote-enumeration\|DET0093 - Behavioral Detection of User Discovery via Local and Remote Enumeration]] | Discovery | DET0093 | Windows, IaaS |
| [[det0097-detection-of-application-window-enumeration-via-api-or-scripting\|DET0097 - Detection of Application Window Enumeration via API or Scripting]] | Discovery | DET0097 | Windows |
| [[det0114-behavioral-detection-of-local-group-enumeration-across-os-platforms\|DET0114 - Behavioral Detection of Local Group Enumeration Across OS Platforms]] | Discovery | DET0114 | Windows, Linux, macOS |
| [[det0129-domain-account-enumeration-across-platforms\|DET0129 - Domain Account Enumeration Across Platforms]] | Discovery | DET0129 | Windows, Linux |
| [[det0151-behavior-chain-platform-aware-detection-strategy-for-t1124-system-time-d\|DET0151 - Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery]] | Discovery | DET0151 | Windows, Linux, macOS |
| [[det0161-password-policy-discovery-cross-platform-behavior-chain-analytics\|DET0161 - Password Policy Discovery – cross-platform behavior-chain analytics]] | Discovery | DET0161 | Windows, Linux, macOS |
| [[det0169-detection-strategy-for-cloud-infrastructure-discovery\|DET0169 - Detection Strategy for Cloud Infrastructure Discovery]] | Discovery | DET0169 | IaaS |
| [[det0179-behavioral-detection-of-permission-groups-discovery\|DET0179 - Behavioral Detection of Permission Groups Discovery]] | Discovery | DET0179 | Windows, Linux, Network |
| [[det0182-behavior-chain-detection-for-t1135-network-share-discovery-across-window\|DET0182 - Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS]] | Discovery | DET0182 | Windows, Linux, macOS, Containers, Network |
| [[det0188-local-storage-discovery-via-drive-enumeration-and-filesystem-probing\|DET0188 - Local Storage Discovery via Drive Enumeration and Filesystem Probing]] | Discovery | DET0188 | Windows, Linux, macOS |
| [[det0195-behavioral-detection-of-system-network-configuration-discovery\|DET0195 - Behavioral Detection of System Network Configuration Discovery]] | Discovery | DET0195 | Windows, Linux, macOS, Network |
| [[det0199-detection-strategy-for-virtual-machine-discovery\|DET0199 - Detection Strategy for Virtual Machine Discovery]] | Discovery | DET0199 | Windows, IaaS |
| [[det0209-detection-of-registry-query-for-environmental-discovery\|DET0209 - Detection of Registry Query for Environmental Discovery]] | Discovery | DET0209 | Windows, Network |
| [[det0229-enumeration-of-global-address-lists-via-email-account-discovery\|DET0229 - Enumeration of Global Address Lists via Email Account Discovery]] | Discovery | DET0229 | Windows, SaaS, Network |
| [[det0251-behavioral-detection-of-cloud-group-enumeration-via-api-and-cli-access\|DET0251 - Behavioral Detection of Cloud Group Enumeration via API and CLI Access]] | Discovery | DET0251 | IaaS, SaaS |
| [[det0255-detection-strategy-for-log-enumeration\|DET0255 - Detection Strategy for Log Enumeration]] | Discovery | DET0255 | Windows, Linux, IaaS, Network |
| [[det0303-local-account-enumeration-across-host-platforms\|DET0303 - Local Account Enumeration Across Host Platforms]] | Discovery | DET0303 | Windows, Linux, macOS, IaaS, Containers |
| [[det0320-detection-of-system-network-connections-discovery-across-platforms\|DET0320 - Detection of System Network Connections Discovery Across Platforms]] | Discovery | DET0320 | Windows, Linux, Network |
| [[det0357-behavioral-detection-of-internet-connection-discovery\|DET0357 - Behavioral Detection of Internet Connection Discovery]] | Discovery | DET0357 | Windows, Network |
| [[det0360-behavioral-detection-of-domain-group-discovery\|DET0360 - Behavioral Detection of Domain Group Discovery]] | Discovery | DET0360 | Windows |
| [[det0370-recursive-enumeration-of-files-and-directories-across-privilege-contexts\|DET0370 - Recursive Enumeration of Files and Directories Across Privilege Contexts]] | Discovery | DET0370 | Windows, Linux |
| [[det0376-behavioral-detection-strategy-for-network-service-discovery-across-platf\|DET0376 - Behavioral Detection Strategy for Network Service Discovery Across Platforms]] | Discovery | DET0376 | Windows, Linux, macOS, Containers, Network |
| [[det0386-cloud-account-enumeration-via-api-cli-and-scripting-interfaces\|DET0386 - Cloud Account Enumeration via API, CLI, and Scripting Interfaces]] | Discovery | DET0386 | Linux, IaaS |
| [[det0392-multi-platform-software-discovery-behavior-chain\|DET0392 - Multi-Platform Software Discovery Behavior Chain]] | Discovery | DET0392 | Windows, Linux, macOS, Containers |
| [[det0402-detection-strategy-for-cloud-service-discovery\|DET0402 - Detection Strategy for Cloud Service Discovery]] | Discovery | DET0402 | IaaS, Containers |
| [[det0464-behavioral-detection-of-wi-fi-discovery-activity\|DET0464 - Behavioral Detection of Wi-Fi Discovery Activity]] | Discovery | DET0464 | Windows, Linux, macOS, IaaS, Containers, Network |
| [[det0483-detection-of-system-service-discovery-commands-across-os-platforms\|DET0483 - Detection of System Service Discovery Commands Across OS Platforms]] | Discovery | DET0483 | Windows, Linux, macOS |
| [[det0490-detection-strategy-for-container-and-resource-discovery\|DET0490 - Detection Strategy for Container and Resource Discovery]] | Discovery | DET0490 | Windows, IaaS, Containers, Network |
| [[det0491-peripheral-device-enumeration-via-system-utilities-and-api-calls\|DET0491 - Peripheral Device Enumeration via System Utilities and API Calls]] | Discovery | DET0491 | Windows |
| [[det0525-system-discovery-via-native-and-remote-utilities\|DET0525 - System Discovery via Native and Remote Utilities]] | Discovery | DET0525 | Windows, Linux, macOS, Network |
| [[det0565-detection-strategy-for-system-language-discovery\|DET0565 - Detection Strategy for System Language Discovery]] | Discovery | DET0565 | Windows, Linux, macOS |
| [[det0574-detection-strategy-for-remote-system-enumeration-behavior\|DET0574 - Detection Strategy for Remote System Enumeration Behavior]] | Discovery | DET0574 | Windows, Network |
| [[det0578-detection-strategy-for-cloud-storage-object-discovery\|DET0578 - Detection Strategy for Cloud Storage Object Discovery]] | Discovery | DET0578 | IaaS |
| [[det0579-detection-strategy-for-device-driver-discovery\|DET0579 - Detection Strategy for Device Driver Discovery]] | Discovery | DET0579 | Windows, Containers |
| [[det0587-enumeration-of-user-or-account-information-across-platforms\|DET0587 - Enumeration of User or Account Information Across Platforms]] | Discovery | DET0587 | Linux, IaaS |
| [[det0018-behavior-chain-platform-aware-detection-strategy-for-t1129-shared-module\|DET0018 - Behavior-chain, platform-aware detection strategy for T1129 Shared Modules]] | Execution | DET0018 | Windows, Linux, macOS, Containers |
| [[det0063-cross-platform-behavioral-detection-of-python-execution\|DET0063 - Cross-Platform Behavioral Detection of Python Execution]] | Execution | DET0063 | Windows, Linux, macOS |
| [[det0065-detection-strategy-for-container-administration-command-abuse\|DET0065 - Detection Strategy for Container Administration Command Abuse]] | Execution | DET0065 | Windows, Linux, IaaS, Containers, Network |
| [[det0066-user-execution-malicious-link-click-suspicious-egress-downloadwrite-foll\|DET0066 - User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)]] | Execution | DET0066 | Containers |
| [[det0076-behavioral-detection-of-visual-basic-execution-vbsvbavbscript\|DET0076 - Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)]] | Execution | DET0076 | Windows |
| [[det0078-behavioral-detection-of-malicious-cloud-api-scripting\|DET0078 - Behavioral Detection of Malicious Cloud API Scripting]] | Execution | DET0078 | IaaS |
| [[det0083-container-cli-and-api-abuse-via-dockerkubernetes-t1059013\|DET0083 - Container CLI and API Abuse via Docker/Kubernetes (T1059.013)]] | Execution | DET0083 | Windows, Linux, IaaS, Containers |
| [[det0094-cross-platform-behavioral-detection-of-scheduled-taskjob-abuse\|DET0094 - Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse]] | Execution | DET0094 | Windows, Linux, macOS |
| [[det0101-detection-strategy-for-lua-scripting-abuse\|DET0101 - Detection Strategy for Lua Scripting Abuse]] | Execution | DET0101 | Windows, Linux |
| [[det0142-behavioral-detection-of-cli-abuse-on-network-devices\|DET0142 - Behavioral Detection of CLI Abuse on Network Devices]] | Execution | DET0142 | Windows, Linux, IaaS, Network |
| [[det0202-behavioral-detection-of-windows-command-shell-execution\|DET0202 - Behavioral Detection of Windows Command Shell Execution]] | Execution | DET0202 | Windows |
| [[det0206-detection-of-malicious-kubernetes-cronjob-scheduling\|DET0206 - Detection of Malicious Kubernetes CronJob Scheduling]] | Execution | DET0206 | Windows, Linux, IaaS, Containers, Network |
| [[det0223-detection-of-adversary-abuse-of-software-deployment-tools\|DET0223 - Detection of Adversary Abuse of Software Deployment Tools]] | Execution | DET0223 | Windows, IaaS |
| [[det0224-detect-abuse-of-component-object-model-t1559001\|DET0224 - Detect Abuse of Component Object Model (T1559.001)]] | Execution | DET0224 | Windows, Network |
| [[det0231-behavioral-detection-of-systemd-timer-abuse-for-scheduled-execution\|DET0231 - Behavioral Detection of Systemd Timer Abuse for Scheduled Execution]] | Execution | DET0231 | Linux, IaaS |
| [[det0248-user-execution-malicious-image-containers-iaas-pullrun-start-anomalous-b\|DET0248 - User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)]] | Execution | DET0248 | Windows, Linux, IaaS, Containers, Network |
| [[det0252-user-initiated-malicious-library-installation-via-package-manager-t12040\|DET0252 - User-Initiated Malicious Library Installation via Package Manager (T1204.005)]] | Execution | DET0252 | Windows, Linux |
| [[det0264-cross-platform-detection-of-javascript-execution-abuse\|DET0264 - Cross-Platform Detection of JavaScript Execution Abuse]] | Execution | DET0264 | Windows, Linux, macOS, Containers |
| [[det0281-detection-strategy-for-compressed-payload-creation-and-execution\|DET0281 - Detection Strategy for Compressed Payload Creation and Execution]] | Execution | DET0281 | Windows |
| [[det0287-exploitation-for-client-execution-cross-platform-behavior-chain-browsero\|DET0287 - Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps)]] | Execution | DET0287 | Windows, Linux, macOS, IaaS |
| [[det0290-cross-platform-detection-of-cron-job-abuse-for-persistence-and-execution\|DET0290 - Cross-Platform Detection of Cron Job Abuse for Persistence and Execution]] | Execution | DET0290 | Linux, macOS, IaaS, Containers |
| [[det0294-user-execution-malicious-file-via-downloadopen-spawn-chain-t1204002\|DET0294 - User Execution – Malicious File via download/open → spawn chain (T1204.002)]] | Execution | DET0294 | Windows |
| [[det0332-detection-strategy-for-autohotkey-autoit-abuse\|DET0332 - Detection Strategy for AutoHotKey & AutoIT Abuse]] | Execution | DET0332 | Windows, Containers |
| [[det0333-cross-platform-detection-of-scheduled-taskjob-abuse-via-at-utility\|DET0333 - Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility]] | Execution | DET0333 | Windows, Linux, macOS |
| [[det0335-detect-abuse-of-xpc-services-t1559003\|DET0335 - Detect Abuse of XPC Services (T1559.003)]] | Execution | DET0335 | macOS, IaaS |
| [[det0340-user-execution-malicious-copy-paste-browseremail-shell-with-obfuscated-o\|DET0340 - User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004]] | Execution | DET0340 | Windows, Linux |
| [[det0364-behavioral-detection-strategy-for-wmi-execution-abuse-on-windows\|DET0364 - Behavioral Detection Strategy for WMI Execution Abuse on Windows]] | Execution | DET0364 | Windows, IaaS, Network |
| [[det0374-detection-strategy-for-serverless-execution-t1648\|DET0374 - Detection Strategy for Serverless Execution (T1648)]] | Execution | DET0374 | Linux, IaaS, Containers |
| [[det0384-behavioral-detection-of-unix-shell-execution\|DET0384 - Behavioral Detection of Unix Shell Execution]] | Execution | DET0384 | Linux, macOS, Containers |
| [[det0390-linux-detection-strategy-for-t1547013-xdg-autostart-entries\|DET0390 - Linux Detection Strategy for T1547.013 - XDG Autostart Entries]] | Execution | DET0390 | Linux, Containers |
| [[det0414-detection-of-applescript-based-execution-on-macos\|DET0414 - Detection of AppleScript-Based Execution on macOS]] | Execution | DET0414 | Linux, macOS |
| [[det0421-detection-strategy-for-system-services-service-execution\|DET0421 - Detection Strategy for System Services Service Execution]] | Execution | DET0421 | Windows, IaaS, Containers |
| [[det0440-detecting-powershell-execution-via-syncappvpublishingservervbs-proxy-abu\|DET0440 - Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse]] | Execution | DET0440 | Windows, IaaS, Containers |
| [[det0441-detection-of-suspicious-scheduled-task-creation-and-execution-on-windows\|DET0441 - Detection of Suspicious Scheduled Task Creation and Execution on Windows]] | Execution | DET0441 | Windows, Containers |
| [[det0455-abuse-of-powershell-for-arbitrary-execution\|DET0455 - Abuse of PowerShell for Arbitrary Execution]] | Execution | DET0455 | Windows |
| [[det0478-user-execution-multi-surface-behavior-chain-documentslinks-helperunpacke\|DET0478 - User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)]] | Execution | DET0478 | Windows, Containers, Network |
| [[det0493-detect-abuse-of-inter-process-communication-t1559\|DET0493 - Detect Abuse of Inter-Process Communication (T1559)]] | Execution | DET0493 | Windows, macOS, Containers |
| [[det0504-detect-abuse-of-dynamic-data-exchange-t1559002\|DET0504 - Detect Abuse of Dynamic Data Exchange (T1559.002)]] | Execution | DET0504 | Windows, Containers |
| [[det0516-behavioral-detection-of-command-and-scripting-interpreter-abuse\|DET0516 - Behavioral Detection of Command and Scripting Interpreter Abuse]] | Execution | DET0516 | Windows, Linux |
| [[det0529-behavioral-detection-of-native-api-invocation-via-unusual-dll-loads-and-\|DET0529 - Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls]] | Execution | DET0529 | Windows |
| [[det0545-detection-strategy-for-cloud-administration-command\|DET0545 - Detection Strategy for Cloud Administration Command]] | Execution | DET0545 | Linux, IaaS, Containers, Network |
| [[det0558-detection-strategy-for-esxi-hypervisor-cli-abuse\|DET0558 - Detection Strategy for ESXi Hypervisor CLI Abuse]] | Execution | DET0558 | Windows, Linux, Network |
| [[det0077-detection-of-exfiltration-over-alternate-network-interfaces\|DET0077 - Detection of Exfiltration Over Alternate Network Interfaces]] | Exfiltration | DET0077 | Windows, Linux, Network |
| [[det0123-detection-of-data-exfiltration-via-removable-media\|DET0123 - Detection of Data Exfiltration via Removable Media]] | Exfiltration | DET0123 | Windows, Containers |
| [[det0131-behavioral-detection-strategy-for-exfiltration-over-alternative-protocol\|DET0131 - Behavioral Detection Strategy for Exfiltration Over Alternative Protocol]] | Exfiltration | DET0131 | Windows, Network |
| [[det0149-detection-of-exfiltration-over-unencrypted-non-c2-protocol\|DET0149 - Detection of Exfiltration Over Unencrypted Non-C2 Protocol]] | Exfiltration | DET0149 | Network |
| [[det0153-detection-strategy-for-exfiltration-over-webhook\|DET0153 - Detection Strategy for Exfiltration Over Webhook]] | Exfiltration | DET0153 | Windows, IaaS |
| [[det0213-detection-strategy-for-data-transfer-size-limits-and-chunked-exfiltratio\|DET0213 - Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration]] | Exfiltration | DET0213 | IaaS, Network |
| [[det0220-detection-of-usb-based-data-exfiltration\|DET0220 - Detection of USB-Based Data Exfiltration]] | Exfiltration | DET0220 | Windows, Linux, Network |
| [[det0284-detection-strategy-for-exfiltration-to-text-storage-sites\|DET0284 - Detection Strategy for Exfiltration to Text Storage Sites]] | Exfiltration | DET0284 | Windows, IaaS |
| [[det0318-detection-strategy-for-exfiltration-to-code-repository\|DET0318 - Detection Strategy for Exfiltration to Code Repository]] | Exfiltration | DET0318 | Windows, IaaS |
| [[det0348-detection-strategy-for-exfiltration-over-c2-channel\|DET0348 - Detection Strategy for Exfiltration Over C2 Channel]] | Exfiltration | DET0348 | Windows, Linux, macOS |
| [[det0397-automated-exfiltration-detection-strategy\|DET0397 - Automated Exfiltration Detection Strategy]] | Exfiltration | DET0397 | Linux |
| [[det0399-detection-strategy-for-scheduled-transfer-and-recurrent-exfiltration-pat\|DET0399 - Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns]] | Exfiltration | DET0399 | Windows, Linux, Network |
| [[det0403-detection-strategy-for-traffic-duplication-via-mirroring-in-iaas-and-net\|DET0403 - Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices]] | Exfiltration | DET0403 | Windows, IaaS, Containers, Network |
| [[det0484-multi-platform-cloud-storage-exfiltration-behavior-chain\|DET0484 - Multi-Platform Cloud Storage Exfiltration Behavior Chain]] | Exfiltration | DET0484 | Windows, Linux, macOS, IaaS |
| [[det0503-behavioral-detection-strategy-for-exfiltration-over-symmetric-encrypted-\|DET0503 - Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol]] | Exfiltration | DET0503 | Windows, Linux, macOS |
| [[det0512-detection-of-exfiltration-over-asymmetric-encrypted-non-c2-protocol\|DET0512 - Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol]] | Exfiltration | DET0512 | IaaS, Containers |
| [[det0548-detection-strategy-for-exfiltration-over-web-service\|DET0548 - Detection Strategy for Exfiltration Over Web Service]] | Exfiltration | DET0548 | Windows, IaaS, Network |
| [[det0554-detection-of-bluetooth-based-data-exfiltration\|DET0554 - Detection of Bluetooth-Based Data Exfiltration]] | Exfiltration | DET0554 | Windows, Containers, Network |
| [[det0570-detection-strategy-for-exfiltration-to-cloud-storage\|DET0570 - Detection Strategy for Exfiltration to Cloud Storage]] | Exfiltration | DET0570 | IaaS, Containers, Network |
| [[det0573-cross-platform-detection-of-data-transfer-to-cloud-account\|DET0573 - Cross-Platform Detection of Data Transfer to Cloud Account]] | Exfiltration | DET0573 | Windows, Linux, macOS, IaaS, Containers |
| [[det0896-detection-of-web-services\|DET0896 - Detection of Web Services]] | Exfiltration | DET0896 | IaaS |
| [[det0021-behavioral-detection-for-service-stop-across-platforms\|DET0021 - Behavioral Detection for Service Stop across Platforms]] | Impact | DET0021 | Windows, Linux, macOS |
| [[det0028-detect-excessive-or-unauthorized-bandwidth-usage-for-botnet-proxyjacking\|DET0028 - Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes]] | Impact | DET0028 | Windows, Network |
| [[det0041-detection-of-lifecycle-policy-modifications-for-triggered-deletion-in-ia\|DET0041 - Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage]] | Impact | DET0041 | IaaS, Containers |
| [[det0059-detection-strategy-for-data-manipulation\|DET0059 - Detection Strategy for Data Manipulation]] | Impact | DET0059 | Linux, Containers |
| [[det0082-internal-website-and-system-content-defacement-via-ui-or-messaging-modif\|DET0082 - Internal Website and System Content Defacement via UI or Messaging Modifications]] | Impact | DET0082 | Windows, SaaS |
| [[det0120-account-access-removal-via-multi-platform-audit-correlation\|DET0120 - Account Access Removal via Multi-Platform Audit Correlation]] | Impact | DET0120 | Windows, Linux, IaaS, SaaS, Containers |
| [[det0137-detection-strategy-for-disk-wipe-via-direct-disk-access-and-destructive-\|DET0137 - Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands]] | Impact | DET0137 | Windows, Linux |
| [[det0146-detection-of-data-destruction-across-platforms-via-mass-overwrite-and-de\|DET0146 - Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns]] | Impact | DET0146 | Windows, Linux |
| [[det0156-detection-strategy-for-resource-hijacking-sms-pumping-via-saas-applicati\|DET0156 - Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs]] | Impact | DET0156 | IaaS, SaaS, Containers |
| [[det0173-detection-strategy-for-endpoint-dos-via-service-exhaustion-flood\|DET0173 - Detection Strategy for Endpoint DoS via Service Exhaustion Flood]] | Impact | DET0173 | Windows, Network |
| [[det0193-detection-strategy-for-stored-data-manipulation-across-os-platforms\|DET0193 - Detection Strategy for Stored Data Manipulation across OS Platforms.]] | Impact | DET0193 | Windows, Linux |
| [[det0208-endpoint-resource-saturation-and-crash-pattern-detection-across-platform\|DET0208 - Endpoint Resource Saturation and Crash Pattern Detection Across Platforms]] | Impact | DET0208 | Windows, Linux |
| [[det0215-detection-of-multi-platform-file-encryption-for-impact\|DET0215 - Detection of Multi-Platform File Encryption for Impact]] | Impact | DET0215 | Windows, Linux, macOS |
| [[det0232-detection-strategy-for-esxi-administration-command\|DET0232 - Detection Strategy for ESXi Administration Command]] | Impact | DET0232 | Linux |
| [[det0238-defacement-via-file-and-web-content-modification-across-platforms\|DET0238 - Defacement via File and Web Content Modification Across Platforms]] | Impact | DET0238 | IaaS |
| [[det0254-detection-strategy-of-transmitted-data-manipulation\|DET0254 - Detection Strategy of Transmitted Data Manipulation]] | Impact | DET0254 | Windows, Network |
| [[det0267-resource-hijacking-detection-strategy\|DET0267 - Resource Hijacking Detection Strategy]] | Impact | DET0267 | IaaS, Containers |
| [[det0297-detection-strategy-for-disk-structure-wipe-via-bootpartition-overwrite\|DET0297 - Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite]] | Impact | DET0297 | Windows, Linux, IaaS |
| [[det0304-detection-strategy-for-endpoint-dos-via-application-or-system-exploitati\|DET0304 - Detection Strategy for Endpoint DoS via Application or System Exploitation]] | Impact | DET0304 | Windows, Containers |
| [[det0316-detection-strategy-for-disk-content-wipe-via-direct-access-and-overwrite\|DET0316 - Detection Strategy for Disk Content Wipe via Direct Access and Overwrite]] | Impact | DET0316 | Linux |
| [[det0329-behavioral-detection-for-t1490-inhibit-system-recovery\|DET0329 - Behavioral Detection for T1490 - Inhibit System Recovery]] | Impact | DET0329 | Windows, Linux |
| [[det0343-direct-network-flood-detection-across-iaas-linux-windows-and-macos\|DET0343 - Direct Network Flood Detection across IaaS, Linux, Windows, and macOS]] | Impact | DET0343 | Windows, Linux, macOS, IaaS, Containers, Network |
| [[det0355-detection-strategy-for-email-bombing\|DET0355 - Detection Strategy for Email Bombing]] | Impact | DET0355 | Windows, Network |
| [[det0356-endpoint-dos-via-os-exhaustion-flood-detection-strategy\|DET0356 - Endpoint DoS via OS Exhaustion Flood Detection Strategy]] | Impact | DET0356 | Windows, Linux, Containers, Network |
| [[det0391-detection-strategy-for-runtime-data-manipulation\|DET0391 - Detection Strategy for Runtime Data Manipulation.]] | Impact | DET0391 | Containers |
| [[det0408-detection-strategy-for-reflection-amplification-dos-t1498002\|DET0408 - Detection Strategy for Reflection Amplification DoS (T1498.002)]] | Impact | DET0408 | Windows, Containers, Network |
| [[det0415-application-exhaustion-flood-detection-across-platforms\|DET0415 - Application Exhaustion Flood Detection Across Platforms]] | Impact | DET0415 | Windows, IaaS, Network |
| [[det0495-detection-strategy-for-financial-theft\|DET0495 - Detection Strategy for Financial Theft]] | Impact | DET0495 | Windows, Linux, macOS |
| [[det0518-behavioral-detection-of-t1498-network-denial-of-service-across-platforms\|DET0518 - Behavioral Detection of T1498 – Network Denial of Service Across Platforms]] | Impact | DET0518 | Windows, Linux, Network |
| [[det0540-multi-platform-behavioral-detection-for-compute-hijacking\|DET0540 - Multi-Platform Behavioral Detection for Compute Hijacking]] | Impact | DET0540 | Windows, IaaS, Containers, Network |
| [[det0559-multi-platform-shutdown-or-reboot-detection-via-execution-and-host-statu\|DET0559 - Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events]] | Impact | DET0559 | Windows, Linux, macOS, IaaS |
| [[det0590-behavioral-detection-of-external-website-defacement-across-platforms\|DET0590 - Behavioral Detection of External Website Defacement across Platforms]] | Impact | DET0590 | Windows, Linux, IaaS, Containers, Network |
| [[det0009-supply-chain-tamper-in-dependenciesdev-tools-managerwriteinstallfirst-ru\|DET0009 - Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)]] | Initial Access | DET0009 | Windows, Linux, macOS |
| [[det0069-detect-unauthorized-or-suspicious-hardware-additions-usbthunderboltnetwo\|DET0069 - Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)]] | Initial Access | DET0069 | Windows, Linux, Containers, Network |
| [[det0070-detection-strategy-for-phishing-across-platforms\|DET0070 - Detection Strategy for Phishing across platforms.]] | Initial Access | DET0070 | Windows, SaaS |
| [[det0080-exploit-public-facing-application-multi-signal-correlation-request-error\|DET0080 - Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)]] | Initial Access | DET0080 | Windows, Linux, Network |
| [[det0107-detection-strategy-for-spearphishing-links\|DET0107 - Detection Strategy for Spearphishing Links]] | Initial Access | DET0107 | IaaS |
| [[det0115-detection-strategy-for-spearphishing-via-a-service-across-os-platforms\|DET0115 - Detection Strategy for Spearphishing via a Service across OS Platforms]] | Initial Access | DET0115 | IaaS |
| [[det0159-detect-remote-access-via-usb-hardware-tinypilot-pikvm\|DET0159 - Detect Remote Access via USB Hardware (TinyPilot, PiKVM)]] | Initial Access | DET0159 | Windows |
| [[det0176-drive-by-compromise-behavior-based-multi-platform-detection-strategy-t11\|DET0176 - Drive-by Compromise - Behavior-based, Multi-platform Detection Strategy (T1189)]] | Initial Access | DET0176 | Windows, Linux, macOS, IaaS, Containers |
| [[det0236-detection-strategy-for-spearphishing-attachment-across-os-platforms\|DET0236 - Detection Strategy for Spearphishing Attachment across OS Platforms]] | Initial Access | DET0236 | Windows, Linux, macOS, IaaS |
| [[det0245-detection-strategy-for-spearphishing-voice-across-os-platforms\|DET0245 - Detection Strategy for Spearphishing Voice across OS platforms]] | Initial Access | DET0245 | Windows, Linux |
| [[det0309-compromised-softwareupdate-chain-installerwrite-first-runchild-egresssig\|DET0309 - Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)]] | Initial Access | DET0309 | Windows, Linux, macOS |
| [[det0349-detection-strategy-for-content-injection\|DET0349 - Detection Strategy for Content Injection]] | Initial Access | DET0349 | Windows, IaaS, Network |
| [[det0405-detection-strategy-for-lnk-icon-smuggling\|DET0405 - Detection Strategy for LNK Icon Smuggling]] | Initial Access | DET0405 | Windows, IaaS |
| [[det0431-detection-strategy-for-email-spoofing\|DET0431 - Detection Strategy for Email Spoofing]] | Initial Access | DET0431 | Windows, Linux, macOS |
| [[det0488-detect-abuse-of-trusted-relationships-third-party-and-delegated-admin-ac\|DET0488 - Detect abuse of Trusted Relationships (third-party and delegated admin access)]] | Initial Access | DET0488 | IaaS, Containers |
| [[det0510-detection-strategy-for-svg-smuggling-with-script-execution-and-delivery-\|DET0510 - Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior]] | Initial Access | DET0510 | IaaS, Containers |
| [[det0533-detection-strategy-for-poisoned-pipeline-execution-via-saas-cicd-workflo\|DET0533 - Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows]] | Initial Access | DET0533 | IaaS, SaaS |
| [[det0537-behavioral-detection-for-supply-chain-compromise-packageupdate-tamper-in\|DET0537 - Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run)]] | Initial Access | DET0537 | Windows |
| [[det0561-detect-malicious-ide-extension-installusage-and-ide-tunneling\|DET0561 - Detect malicious IDE extension install/usage and IDE tunneling]] | Initial Access | DET0561 | IaaS, Containers, Network |
| [[det0821-detection-of-spearphishing-service\|DET0821 - Detection of Spearphishing Service]] | Initial Access | DET0821 | Windows, Linux, macOS |
| [[det0825-detection-of-drive-by-target\|DET0825 - Detection of Drive-by Target]] | Initial Access | DET0825 | Windows, Linux, macOS |
| [[det0836-detection-of-malvertising\|DET0836 - Detection of Malvertising]] | Initial Access | DET0836 | Windows, IaaS, Network |
| [[det0865-detection-of-spearphishing-attachment\|DET0865 - Detection of Spearphishing Attachment]] | Initial Access | DET0865 | Windows |
| [[det0878-detection-of-spearphishing-link\|DET0878 - Detection of Spearphishing Link]] | Initial Access | DET0878 | IaaS, Containers |
| [[det0886-detection-of-spearphishing-voice\|DET0886 - Detection of Spearphishing Voice]] | Initial Access | DET0886 | Containers |
| [[det0054-internal-spearphishing-via-trusted-accounts\|DET0054 - Internal Spearphishing via Trusted Accounts]] | Lateral Movement | DET0054 | IaaS |
| [[det0079-detection-of-remote-service-session-hijacking\|DET0079 - Detection of Remote Service Session Hijacking]] | Lateral Movement | DET0079 | Windows, Linux, Containers, Network |
| [[det0118-exploitation-of-remote-services-multi-platform-lateral-movement-detectio\|DET0118 - Exploitation of Remote Services – multi-platform lateral movement detection]] | Lateral Movement | DET0118 | Windows, IaaS, Network |
| [[det0178-behavioral-detection-of-unauthorized-vnc-remote-control-sessions\|DET0178 - Behavioral Detection of Unauthorized VNC Remote Control Sessions]] | Lateral Movement | DET0178 | Windows, Network |
| [[det0183-detection-strategy-for-lateral-tool-transfer-across-os-platforms\|DET0183 - Detection Strategy for Lateral Tool Transfer across OS platforms]] | Lateral Movement | DET0183 | Windows, Linux, macOS, IaaS, Containers |
| [[det0211-detection-of-direct-vm-console-access-via-cloud-native-methods\|DET0211 - Detection of Direct VM Console Access via Cloud-Native Methods]] | Lateral Movement | DET0211 | IaaS, Containers, Network |
| [[det0256-detection-strategy-for-ssh-session-hijacking\|DET0256 - Detection Strategy for SSH Session Hijacking]] | Lateral Movement | DET0256 | Linux, Network |
| [[det0269-behavioral-detection-strategy-for-remote-service-logins-and-post-access-\|DET0269 - Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity]] | Lateral Movement | DET0269 | Windows |
| [[det0285-multi-event-behavioral-detection-for-dcom-based-remote-code-execution\|DET0285 - Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution]] | Lateral Movement | DET0285 | Windows |
| [[det0301-removable-media-execution-chain-detection-via-file-and-process-activity\|DET0301 - Removable Media Execution Chain Detection via File and Process Activity]] | Lateral Movement 
| DET0301 | Windows | | [[det0327-multi-event-detection-strategy-for-rdp-based-remote-logins-and-post-acce\|DET0327 - Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity]] | Lateral Movement | DET0327 | Windows | | [[det0471-detection-of-tainted-content-written-to-shared-storage\|DET0471 - Detection of Tainted Content Written to Shared Storage]] | Lateral Movement | DET0471 | Windows, IaaS, Containers | | [[det0477-behavioral-detection-of-winrm-based-remote-access\|DET0477 - Behavioral Detection of WinRM-Based Remote Access]] | Lateral Movement | DET0477 | Windows, Network | | [[det0530-multi-event-detection-for-smb-admin-share-lateral-movement\|DET0530 - Multi-Event Detection for SMB Admin Share Lateral Movement]] | Lateral Movement | DET0530 | Windows, IaaS, Containers | | [[det0588-detection-fo-remote-service-session-hijacking-for-rdp\|DET0588 - Detection fo Remote Service Session Hijacking for RDP.]] | Lateral Movement | DET0588 | Windows, Containers | | [[det0596-behavioral-detection-of-remote-ssh-logins-followed-by-post-login-executi\|DET0596 - Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution]] | Lateral Movement | DET0596 | Windows, Linux, IaaS | | [[det0003-t1136002-detection-strategy-domain-account-creation-across-platforms\|DET0003 - T1136.002 Detection Strategy - Domain Account Creation Across Platforms]] | Persistence | DET0003 | Windows, IaaS | | [[det0004-detection-strategy-for-hijack-execution-flow-using-path-interception-by-\|DET0004 - Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable.]] | Persistence | DET0004 | Linux, macOS | | [[det0026-windows-detection-strategy-for-t1547012-print-processor-dll-persistence\|DET0026 - Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence]] | Persistence | DET0026 | Windows | | [[det0029-detect-persistence-via-outlook-custom-forms-triggered-by-malicious-email\|DET0029 - Detect Persistence 
via Outlook Custom Forms Triggered by Malicious Email]] | Persistence | DET0029 | Windows, IaaS | | [[det0036-suspicious-device-registration-via-entra-id-or-mfa-platform\|DET0036 - Suspicious Device Registration via Entra ID or MFA Platform]] | Persistence | DET0036 | IaaS, SaaS, Containers | | [[det0038-detection-strategy-for-hijack-execution-flow-using-executable-installer-\|DET0038 - Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness]] | Persistence | DET0038 | Windows, Containers | | [[det0044-detecting-malicious-browser-extensions-across-platforms\|DET0044 - Detecting Malicious Browser Extensions Across Platforms]] | Persistence | DET0044 | Windows, Linux, macOS | | [[det0050-detect-persistence-via-malicious-office-add-ins\|DET0050 - Detect Persistence via Malicious Office Add-ins]] | Persistence | DET0050 | Windows | | [[det0064-detection-strategy-for-hijack-execution-flow-through-path-interception-b\|DET0064 - Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path]] | Persistence | DET0064 | Windows | | [[det0068-detection-strategy-for-t1505004-malicious-iis-components\|DET0068 - Detection Strategy for T1505.004 - Malicious IIS Components]] | Persistence | DET0068 | Windows | | [[det0072-detect-logon-script-modifications-and-execution\|DET0072 - Detect Logon Script Modifications and Execution]] | Persistence | DET0072 | Windows, IaaS, Containers | | [[det0073-detection-strategy-for-system-services-systemctl\|DET0073 - Detection Strategy for System Services: Systemctl]] | Persistence | DET0073 | Windows, Linux, IaaS, Network | | [[det0092-detection-of-malicious-or-unauthorized-software-extensions\|DET0092 - Detection of Malicious or Unauthorized Software Extensions]] | Persistence | DET0092 | Containers, Network | | [[det0095-detect-persistence-via-malicious-outlook-rules\|DET0095 - Detect Persistence via Malicious Outlook Rules]] | Persistence | DET0095 | IaaS, SaaS | | 
[[det0096-account-manipulation-behavior-chain-detection\|DET0096 - Account Manipulation Behavior Chain Detection]] | Persistence | DET0096 | Windows, IaaS, Containers | | [[det0112-boot-or-logon-initialization-scripts-detection-strategy\|DET0112 - Boot or Logon Initialization Scripts Detection Strategy]] | Persistence | DET0112 | Windows, Linux, macOS, Containers, Network | | [[det0121-detection-strategy-for-t1547015-login-items-on-macos\|DET0121 - Detection Strategy for T1547.015 – Login Items on macOS]] | Persistence | DET0121 | macOS, Containers | | [[det0122-detect-abuse-of-windows-time-providers-for-persistence\|DET0122 - Detect Abuse of Windows Time Providers for Persistence]] | Persistence | DET0122 | Windows | | [[det0125-detect-persistence-via-reopened-application-plist-modification-macos\|DET0125 - Detect persistence via reopened application plist modification (macOS)]] | Persistence | DET0125 | Linux, macOS | | [[det0126-detection-strategy-for-ssh-key-injection-in-authorized-keys\|DET0126 - Detection Strategy for SSH Key Injection in Authorized Keys]] | Persistence | DET0126 | Linux, IaaS | | [[det0152-detection-strategy-for-hijack-execution-flow-dylib-hijacking\|DET0152 - Detection Strategy for Hijack Execution Flow: Dylib Hijacking]] | Persistence | DET0152 | Windows, macOS, IaaS | | [[det0166-detection-strategy-for-t1505002-transport-agent-abuse-windowslinux\|DET0166 - Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux)]] | Persistence | DET0166 | Windows, Linux | | [[det0177-detect-persistence-via-outlook-home-page-exploitation\|DET0177 - Detect Persistence via Outlook Home Page Exploitation]] | Persistence | DET0177 | Windows | | [[det0180-detection-strategy-for-t1547009-shortcut-modification-windows\|DET0180 - Detection Strategy for T1547.009 – Shortcut Modification (Windows)]] | Persistence | DET0180 | Windows, IaaS | | [[det0181-detection-strategy-for-sql-stored-procedures-abuse-via-t1505001\|DET0181 - Detection Strategy for 
SQL Stored Procedures Abuse via T1505.001]] | Persistence | DET0181 | IaaS | | [[det0201-detection-strategy-for-hijack-execution-flow-for-dlls\|DET0201 - Detection Strategy for Hijack Execution Flow for DLLs]] | Persistence | DET0201 | Windows | | [[det0204-detection-strategy-for-t1547010-port-monitor-dll-persistence-via-spoolsv\|DET0204 - Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows)]] | Persistence | DET0204 | Windows | | [[det0207-detect-lsa-authentication-package-persistence-via-registry-and-lsass-dll\|DET0207 - Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load]] | Persistence | DET0207 | Windows, IaaS | | [[det0212-detection-strategy-for-t1505005-terminal-services-dll-modification-windo\|DET0212 - Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows)]] | Persistence | DET0212 | Windows | | [[det0216-detection-strategy-for-lcloaddylib-modification-in-mach-o-binaries-on-ma\|DET0216 - Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS]] | Persistence | DET0216 | macOS, IaaS | | [[det0218-detection-strategy-for-hijack-execution-flow-across-os-platforms\|DET0218 - Detection Strategy for Hijack Execution Flow across OS platforms.]] | Persistence | DET0218 | Windows, Linux, macOS | | [[det0225-detect-unauthorized-lsass-driver-persistence-via-lsa-plugin-abuse-window\|DET0225 - Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)]] | Persistence | DET0225 | Windows | | [[det0237-detection-strategy-for-boot-or-logon-initialization-scripts-rc-scripts\|DET0237 - Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts]] | Persistence | DET0237 | Linux | | [[det0244-detection-strategy-for-login-hook-persistence-on-macos\|DET0244 - Detection Strategy for Login Hook Persistence on macOS]] | Persistence | DET0244 | Linux, macOS | | [[det0253-detection-of-systemd-service-creation-or-modification-on-linux\|DET0253 - 
Detection of Systemd Service Creation or Modification on Linux]] | Persistence | DET0253 | Linux, IaaS | | [[det0265-detection-strategy-for-system-services-launchctl\|DET0265 - Detection Strategy for System Services: Launchctl]] | Persistence | DET0265 | Windows, Linux, macOS, IaaS | | [[det0274-boot-or-logon-autostart-execution-detection-strategy\|DET0274 - Boot or Logon Autostart Execution Detection Strategy]] | Persistence | DET0274 | Windows, Linux, macOS | | [[det0277-detection-strategy-for-role-addition-to-cloud-accounts\|DET0277 - Detection Strategy for Role Addition to Cloud Accounts]] | Persistence | DET0277 | IaaS | | [[det0279-detection-strategy-for-system-services-across-os-platforms\|DET0279 - Detection Strategy for System Services across OS platforms.]] | Persistence | DET0279 | Windows, Linux, macOS, IaaS | | [[det0280-behavior-based-registry-modification-detection-on-windows\|DET0280 - Behavior-Based Registry Modification Detection on Windows]] | Persistence | DET0280 | Windows, Network | | [[det0310-suspicious-addition-to-local-or-domain-groups\|DET0310 - Suspicious Addition to Local or Domain Groups]] | Persistence | DET0310 | Windows, IaaS | | [[det0312-detect-active-setup-persistence-via-stubpath-execution\|DET0312 - Detect Active Setup Persistence via StubPath Execution]] | Persistence | DET0312 | Windows, IaaS, Network | | [[det0315-detect-persistence-via-office-test-registry-dll-injection\|DET0315 - Detect Persistence via Office Test Registry DLL Injection]] | Persistence | DET0315 | Windows, Containers | | [[det0319-detection-strategy-for-t1136003-cloud-account-creation-across-iaas-idp-s\|DET0319 - Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office]] | Persistence | DET0319 | IaaS, SaaS | | [[det0334-detection-strategy-for-t1525-implant-internal-image\|DET0334 - Detection Strategy for T1525 – Implant Internal Image]] | Persistence | DET0334 | IaaS, Containers | | 
[[det0336-detect-compromise-of-host-software-binaries\|DET0336 - Detect Compromise of Host Software Binaries]] | Persistence | DET0336 | Windows, Linux | | [[det0354-behavior-chain-detection-for-t1133-external-remote-services-across-windo\|DET0354 - Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers]] | Persistence | DET0354 | Windows, Linux, macOS, IaaS, Containers | | [[det0365-detect-registry-and-startup-folder-persistence-windows\|DET0365 - Detect Registry and Startup Folder Persistence (Windows)]] | Persistence | DET0365 | Windows, Network | | [[det0367-detect-network-logon-script-abuse-via-multi-event-correlation-on-windows\|DET0367 - Detect Network Logon Script Abuse via Multi-Event Correlation on Windows]] | Persistence | DET0367 | Windows, Containers, Network | | [[det0394-web-shell-detection-via-server-behavior-and-file-execution-chains\|DET0394 - Web Shell Detection via Server Behavior and File Execution Chains]] | Persistence | DET0394 | Windows, Linux, Containers | | [[det0398-detect-office-startup-based-persistence-via-macros-forms-and-registry-ho\|DET0398 - Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks]] | Persistence | DET0398 | Windows | | [[det0401-detection-strategy-for-launch-daemon-creation-or-modification-macos\|DET0401 - Detection Strategy for Launch Daemon Creation or Modification (macOS)]] | Persistence | DET0401 | macOS, IaaS | | [[det0404-detect-winlogon-helper-dll-abuse-via-registry-and-process-artifacts-on-w\|DET0404 - Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows]] | Persistence | DET0404 | Windows, IaaS | | [[det0417-detection-strategy-for-power-settings-abuse\|DET0417 - Detection Strategy for Power Settings Abuse]] | Persistence | DET0417 | Windows, Linux, IaaS, Containers | | [[det0427-detection-strategy-for-hijack-execution-flow-through-service-registry-pr\|DET0427 - Detection Strategy for Hijack Execution Flow through 
Service Registry Premission Weakness.]] | Persistence | DET0427 | Windows, Containers | | [[det0429-detect-modification-of-macos-startup-items\|DET0429 - Detect Modification of macOS Startup Items]] | Persistence | DET0429 | macOS, Containers | | [[det0434-detection-of-launch-agent-creation-or-modification-on-macos\|DET0434 - Detection of Launch Agent Creation or Modification on macOS]] | Persistence | DET0434 | macOS, Containers | | [[det0435-detection-strategy-for-hijack-execution-flow-dynamic-linker-hijacking\|DET0435 - Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking]] | Persistence | DET0435 | Linux, macOS | | [[det0436-detection-strategy-for-hijack-execution-flow-through-services-file-permi\|DET0436 - Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.]] | Persistence | DET0436 | Windows, Containers | | [[det0447-t1136001-detection-strategy-local-account-creation-across-platforms\|DET0447 - T1136.001 Detection Strategy - Local Account Creation Across Platforms]] | Persistence | DET0447 | Windows, Linux, macOS, IaaS, Containers | | [[det0450-detection-strategy-for-kernel-modules-and-extensions-autostart-execution\|DET0450 - Detection Strategy for Kernel Modules and Extensions Autostart Execution]] | Persistence | DET0450 | Windows, Linux, macOS, Containers | | [[det0479-detection-strategy-for-hijack-execution-flow-using-the-windows-corprofil\|DET0479 - Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER.]] | Persistence | DET0479 | Windows | | [[det0517-detection-strategy-for-hijack-execution-flow-through-the-appdomainmanage\|DET0517 - Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows.]] | Persistence | DET0517 | Windows | | [[det0519-detect-persistence-via-office-template-macro-injection-or-registry-hijac\|DET0519 - Detect Persistence via Office Templaté Macro Injection or Registry Hijack]] | Persistence | DET0519 | Windows | | 
[[det0531-detection-strategy-for-additional-cloud-credentials-in-iaasidpsaas\|DET0531 - Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS]] | Persistence | DET0531 | IaaS, SaaS | | [[det0542-registry-and-lsass-monitoring-for-security-support-provider-abuse\|DET0542 - Registry and LSASS Monitoring for Security Support Provider Abuse]] | Persistence | DET0542 | Windows | | [[det0547-detection-strategy-for-t1505-server-software-component\|DET0547 - Detection Strategy for T1505 - Server Software Component]] | Persistence | DET0547 | Windows, Linux | | [[det0552-detection-of-windows-service-creation-or-modification\|DET0552 - Detection of Windows Service Creation or Modification]] | Persistence | DET0552 | Windows, IaaS | | [[det0555-detection-strategy-for-event-triggered-execution-via-emond-on-macos\|DET0555 - Detection Strategy for Event Triggered Execution via emond on macOS]] | Persistence | DET0555 | Windows, Linux, macOS, Containers | | [[det0564-detection-strategy-for-hijack-execution-flow-using-path-interception-by-\|DET0564 - Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking]] | Persistence | DET0564 | Windows, Containers | | [[det0571-detection-of-system-process-creation-or-modification-across-platforms\|DET0571 - Detection of System Process Creation or Modification Across Platforms]] | Persistence | DET0571 | Windows, Linux, macOS | | [[det0577-detection-strategy-for-hijack-execution-flow-through-the-kernelcallbackt\|DET0577 - Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows.]] | Persistence | DET0577 | Windows, Containers | | [[det0583-detection-strategy-for-t1136-create-account-across-platforms\|DET0583 - Detection Strategy for T1136 - Create Account across platforms]] | Persistence | DET0583 | Windows, Linux, macOS, IaaS, SaaS, Containers | | [[det0010-behavioral-detection-of-event-triggered-execution-across-platforms\|DET0010 - Behavioral Detection of 
Event Triggered Execution Across Platforms]] | Privilege Escalation | DET0010 | Windows, Linux, macOS | | [[det0017-detection-strategy-for-application-shimming-via-sdbinstexe-and-registry-\|DET0017 - Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)]] | Privilege Escalation | DET0017 | Windows, Containers | | [[det0020-detect-shell-configuration-modification-for-persistence-via-event-trigge\|DET0020 - Detect Shell Configuration Modification for Persistence via Event-Triggered Execution]] | Privilege Escalation | DET0020 | Windows, Linux, macOS, Containers | | [[det0033-detection-strategy-for-accessibility-feature-hijacking-via-binary-replac\|DET0033 - Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification]] | Privilege Escalation | DET0033 | Windows | | [[det0052-behavioral-detection-strategy-for-abuse-of-sudo-and-sudo-caching\|DET0052 - Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching]] | Privilege Escalation | DET0052 | Linux, macOS | | [[det0061-detect-default-file-association-hijack-via-registry-execution-correlatio\|DET0061 - Detect Default File Association Hijack via Registry & Execution Correlation on Windows]] | Privilege Escalation | DET0061 | Windows | | [[det0086-detect-wmi-event-subscription-for-persistence-via-wmiprvse-process-and-m\|DET0086 - Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation]] | Privilege Escalation | DET0086 | Windows | | [[det0110-setuidsetgid-privilege-abuse-detection-linuxmacos\|DET0110 - Setuid/Setgid Privilege Abuse Detection (Linux/macOS)]] | Privilege Escalation | DET0110 | Linux, macOS, Containers | | [[det0154-detect-screensaver-based-persistence-via-registry-and-execution-chains\|DET0154 - Detect Screensaver-Based Persistence via Registry and Execution Chains]] | Privilege Escalation | DET0154 | Windows, Containers | | [[det0219-detection-strategy-for-escape-to-host\|DET0219 - 
Detection Strategy for Escape to Host]] | Privilege Escalation | DET0219 | Linux, Containers, Network | | [[det0258-linux-python-startup-hook-persistence-via-pth-and-customize-files-t15460\|DET0258 - Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018)]] | Privilege Escalation | DET0258 | Linux, Containers | | [[det0330-detection-strategy-for-t1546016-event-triggered-execution-via-installer-\|DET0330 - Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages]] | Privilege Escalation | DET0330 | Windows, Linux, macOS | | [[det0345-detection-strategy-for-abuse-elevation-control-mechanism-t1548\|DET0345 - Detection Strategy for Abuse Elevation Control Mechanism (T1548)]] | Privilege Escalation | DET0345 | Windows, Linux, macOS | | [[det0362-detection-strategy-for-appcert-dlls-persistence-via-registry-injection\|DET0362 - Detection Strategy for AppCert DLLs Persistence via Registry Injection]] | Privilege Escalation | DET0362 | Windows | | [[det0369-detection-strategy-for-event-triggered-execution-via-trap-t1546005\|DET0369 - Detection Strategy for Event Triggered Execution via Trap (T1546.005)]] | Privilege Escalation | DET0369 | Linux, macOS | | [[det0375-detection-strategy-for-t1546017-udev-rules-linux\|DET0375 - Detection Strategy for T1546.017 - Udev Rules (Linux)]] | Privilege Escalation | DET0375 | Linux, IaaS, Containers | | [[det0388-detection-strategy-for-t1548002-bypass-user-account-control-uac\|DET0388 - Detection Strategy for T1548.002 – Bypass User Account Control (UAC)]] | Privilege Escalation | DET0388 | Windows | | [[det0393-detection-strategy-for-temporary-elevated-cloud-access-abuse-t1548005\|DET0393 - Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)]] | Privilege Escalation | DET0393 | IaaS, Containers | | [[det0395-macos-authorizationexecutewithprivileges-elevation-prompt-detection\|DET0395 - macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection]] | Privilege 
Escalation | DET0395 | Linux, macOS | | [[det0422-detection-strategy-for-ifeo-injection-on-windows\|DET0422 - Detection Strategy for IFEO Injection on Windows]] | Privilege Escalation | DET0422 | Windows | | [[det0451-detection-strategy-for-powershell-profile-persistence-via-profileps1-mod\|DET0451 - Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification]] | Privilege Escalation | DET0451 | Windows, Containers | | [[det0473-detect-persistent-or-elevated-container-services-via-container-runtime-o\|DET0473 - Detect persistent or elevated container services via container runtime or cluster manipulation]] | Privilege Escalation | DET0473 | IaaS, Containers | | [[det0481-windows-com-hijacking-detection-via-registry-and-dll-load-correlation\|DET0481 - Windows COM Hijacking Detection via Registry and DLL Load Correlation]] | Privilege Escalation | DET0481 | Windows, Network | | [[det0514-detection-strategy-for-exploitation-for-privilege-escalation\|DET0514 - Detection Strategy for Exploitation for Privilege Escalation]] | Privilege Escalation | DET0514 | Windows, Linux | | [[det0534-tcc-database-manipulation-via-launchctl-and-unprotected-sip\|DET0534 - TCC Database Manipulation via Launchctl and Unprotected SIP]] | Privilege Escalation | DET0534 | Windows, macOS, Containers | | [[det0557-detection-strategy-for-event-triggered-execution-appinit-dlls-windows\|DET0557 - Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows)]] | Privilege Escalation | DET0557 | Windows | | [[det0575-detection-strategy-for-netsh-helper-dll-persistence-via-registry-and-chi\|DET0575 - Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows)]] | Privilege Escalation | DET0575 | Windows, Containers | | [[det0805-detection-of-code-repositories\|DET0805 - Detection of Code Repositories]] | Reconnaissance | DET0805 | IaaS | | [[det0806-detection-of-determine-physical-locations\|DET0806 - Detection of 
Determine Physical Locations]] | Reconnaissance | DET0806 | Containers | | [[det0807-detection-of-identify-roles\|DET0807 - Detection of Identify Roles]] | Reconnaissance | DET0807 | Containers | | [[det0808-detection-of-vulnerabilities\|DET0808 - Detection of Vulnerabilities]] | Reconnaissance | DET0808 | Windows, Network | | [[det0809-detection-of-cdns\|DET0809 - Detection of CDNs]] | Reconnaissance | DET0809 | Windows, IaaS, Containers, Network | | [[det0810-detection-of-search-victim-owned-websites\|DET0810 - Detection of Search Victim-Owned Websites]] | Reconnaissance | DET0810 | Windows, Linux, macOS | | [[det0811-detection-of-search-engines\|DET0811 - Detection of Search Engines]] | Reconnaissance | DET0811 | IaaS | | [[det0812-detection-of-social-media\|DET0812 - Detection of Social Media]] | Reconnaissance | DET0812 | Containers | | [[det0813-detection-of-credentials\|DET0813 - Detection of Credentials]] | Reconnaissance | DET0813 | Windows, Linux, macOS | | [[det0814-detection-of-email-addresses\|DET0814 - Detection of Email Addresses]] | Reconnaissance | DET0814 | IaaS, Containers | | [[det0815-detection-of-ip-addresses\|DET0815 - Detection of IP Addresses]] | Reconnaissance | DET0815 | Windows, IaaS, Containers, Network | | [[det0816-detection-of-threat-intel-vendors\|DET0816 - Detection of Threat Intel Vendors]] | Reconnaissance | DET0816 | Containers, Network | | [[det0817-detection-of-scanning-ip-blocks\|DET0817 - Detection of Scanning IP Blocks]] | Reconnaissance | DET0817 | Windows, IaaS, Network | | [[det0818-detection-of-firmware\|DET0818 - Detection of Firmware]] | Reconnaissance | DET0818 | IaaS, Containers, Network | | [[det0819-detection-of-network-topology\|DET0819 - Detection of Network Topology]] | Reconnaissance | DET0819 | Windows, Containers, Network | | [[det0820-detection-of-client-configurations\|DET0820 - Detection of Client Configurations]] | Reconnaissance | DET0820 | Windows, Linux, macOS | | 
[[det0822-detection-of-search-closed-sources\|DET0822 - Detection of Search Closed Sources]] | Reconnaissance | DET0822 | Windows, Linux, macOS | | [[det0823-detection-of-phishing-for-information\|DET0823 - Detection of Phishing for Information]] | Reconnaissance | DET0823 | Windows, Linux, macOS | | [[det0826-detection-of-gather-victim-host-information\|DET0826 - Detection of Gather Victim Host Information]] | Reconnaissance | DET0826 | Windows | | [[det0828-detection-of-network-trust-dependencies\|DET0828 - Detection of Network Trust Dependencies]] | Reconnaissance | DET0828 | Windows, Containers, Network | | [[det0830-detection-of-active-scanning\|DET0830 - Detection of Active Scanning]] | Reconnaissance | DET0830 | Windows, IaaS, Containers, Network | | [[det0831-detection-of-digital-certificates\|DET0831 - Detection of Digital Certificates]] | Reconnaissance | DET0831 | IaaS | | [[det0832-detection-of-whois\|DET0832 - Detection of WHOIS]] | Reconnaissance | DET0832 | Windows, Containers, Network | | [[det0841-detection-of-gather-victim-identity-information\|DET0841 - Detection of Gather Victim Identity Information]] | Reconnaissance | DET0841 | IaaS | | [[det0843-detection-of-dns\|DET0843 - Detection of DNS]] | Reconnaissance | DET0843 | Windows, Containers, Network | | [[det0847-detection-of-domain-properties\|DET0847 - Detection of Domain Properties]] | Reconnaissance | DET0847 | Windows, IaaS, Network | | [[det0848-detection-of-digital-certificates\|DET0848 - Detection of Digital Certificates]] | Reconnaissance | DET0848 | Windows, IaaS, Network | | [[det0849-detection-of-identify-business-tempo\|DET0849 - Detection of Identify Business Tempo]] | Reconnaissance | DET0849 | Windows, Linux, IaaS, Containers, Network | | [[det0855-detection-of-business-relationships\|DET0855 - Detection of Business Relationships]] | Reconnaissance | DET0855 | Windows, Linux, macOS | | [[det0856-detection-of-search-open-websitesdomains\|DET0856 - Detection of Search Open 
Websites/Domains]] | Reconnaissance | DET0856 | Windows, Containers, Network | | [[det0857-detection-of-employee-names\|DET0857 - Detection of Employee Names]] | Reconnaissance | DET0857 | Windows, Linux, macOS | | [[det0858-detection-of-scan-databases\|DET0858 - Detection of Scan Databases]] | Reconnaissance | DET0858 | Windows, IaaS, Network | | [[det0859-detection-of-network-devices\|DET0859 - Detection of Network Devices]] | Reconnaissance | DET0859 | Windows, IaaS, Network | | [[det0860-detection-of-search-open-technical-databases\|DET0860 - Detection of Search Open Technical Databases]] | Reconnaissance | DET0860 | IaaS | | [[det0866-detection-of-search-threat-vendor-data\|DET0866 - Detection of Search Threat Vendor Data]] | Reconnaissance | DET0866 | Windows, Linux, macOS | | [[det0867-detection-of-vulnerability-scanning\|DET0867 - Detection of Vulnerability Scanning]] | Reconnaissance | DET0867 | Windows, IaaS, Containers, Network | | [[det0868-detection-of-wordlist-scanning\|DET0868 - Detection of Wordlist Scanning]] | Reconnaissance | DET0868 | Windows, Linux, macOS | | [[det0869-detection-of-gather-victim-network-information\|DET0869 - Detection of Gather Victim Network Information]] | Reconnaissance | DET0869 | Windows, Network | | [[det0877-detection-of-dnspassive-dns\|DET0877 - Detection of DNS/Passive DNS]] | Reconnaissance | DET0877 | Windows, Linux, macOS | | [[det0880-detection-of-purchase-technical-data\|DET0880 - Detection of Purchase Technical Data]] | Reconnaissance | DET0880 | IaaS | | [[det0889-detection-of-network-security-appliances\|DET0889 - Detection of Network Security Appliances]] | Reconnaissance | DET0889 | Windows, IaaS, Network | | [[det0890-detection-of-gather-victim-org-information\|DET0890 - Detection of Gather Victim Org Information]] | Reconnaissance | DET0890 | Windows, Linux, macOS | | [[det0824-detection-of-upload-malware\|DET0824 - Detection of Upload Malware]] | Resource Development | DET0824 | Windows, IaaS, Containers 
| [[det0827-detection-of-exploits\|DET0827 - Detection of Exploits]] | Resource Development | DET0827 | Network |
| [[det0829-detection-of-serverless\|DET0829 - Detection of Serverless]] | Resource Development | DET0829 | IaaS, Containers |
| [[det0834-detection-of-upload-tool\|DET0834 - Detection of Upload Tool]] | Resource Development | DET0834 | Windows, IaaS, Containers |
| [[det0835-detection-of-email-accounts\|DET0835 - Detection of Email Accounts]] | Resource Development | DET0835 | IaaS, Containers |
| [[det0837-detection-of-botnet\|DET0837 - Detection of Botnet]] | Resource Development | DET0837 | Windows, Network |
| [[det0838-detection-of-virtual-private-server\|DET0838 - Detection of Virtual Private Server]] | Resource Development | DET0838 | IaaS |
| [[det0839-detection-of-stage-capabilities\|DET0839 - Detection of Stage Capabilities]] | Resource Development | DET0839 | Containers |
| [[det0842-detection-of-artificial-intelligence\|DET0842 - Detection of Artificial Intelligence]] | Resource Development | DET0842 | Containers |
| [[det0844-detection-of-digital-certificates\|DET0844 - Detection of Digital Certificates]] | Resource Development | DET0844 | IaaS |
| [[det0845-detection-of-malware\|DET0845 - Detection of Malware]] | Resource Development | DET0845 | Windows, Linux, macOS |
| [[det0846-detection-of-cloud-accounts\|DET0846 - Detection of Cloud Accounts]] | Resource Development | DET0846 | IaaS, SaaS, Network |
| [[det0850-detection-of-obtain-capabilities\|DET0850 - Detection of Obtain Capabilities]] | Resource Development | DET0850 | IaaS, Containers |
| [[det0851-detection-of-social-media-accounts\|DET0851 - Detection of Social Media Accounts]] | Resource Development | DET0851 | IaaS, Containers |
| [[det0852-detection-of-tool\|DET0852 - Detection of Tool]] | Resource Development | DET0852 | Windows |
| [[det0853-detection-of-develop-capabilities\|DET0853 - Detection of Develop Capabilities]] | Resource Development | DET0853 | Containers |
| [[det0854-detection-of-virtual-private-server\|DET0854 - Detection of Virtual Private Server]] | Resource Development | DET0854 | IaaS |
| [[det0861-detection-of-email-accounts\|DET0861 - Detection of Email Accounts]] | Resource Development | DET0861 | IaaS |
| [[det0862-detection-of-dns-server\|DET0862 - Detection of DNS Server]] | Resource Development | DET0862 | Windows, Linux, macOS |
| [[det0863-detection-of-domains\|DET0863 - Detection of Domains]] | Resource Development | DET0863 | IaaS |
| [[det0864-detection-of-serverless\|DET0864 - Detection of Serverless]] | Resource Development | DET0864 | IaaS |
| [[det0870-detection-of-social-media-accounts\|DET0870 - Detection of Social Media Accounts]] | Resource Development | DET0870 | Windows, Linux, macOS |
| [[det0871-detection-of-server\|DET0871 - Detection of Server]] | Resource Development | DET0871 | Windows, Linux, macOS |
| [[det0872-detection-of-malware\|DET0872 - Detection of Malware]] | Resource Development | DET0872 | Windows, Linux, macOS |
| [[det0873-detection-of-establish-accounts\|DET0873 - Detection of Establish Accounts]] | Resource Development | DET0873 | IaaS, Containers |
| [[det0874-detection-of-server\|DET0874 - Detection of Server]] | Resource Development | DET0874 | Windows, Linux, macOS |
| [[det0875-detection-of-code-signing-certificates\|DET0875 - Detection of Code Signing Certificates]] | Resource Development | DET0875 | Windows, Linux, macOS, IaaS |
| [[det0876-detection-of-compromise-accounts\|DET0876 - Detection of Compromise Accounts]] | Resource Development | DET0876 | IaaS |
| [[det0879-detection-of-cloud-accounts\|DET0879 - Detection of Cloud Accounts]] | Resource Development | DET0879 | IaaS, Containers |
| [[det0881-detection-of-seo-poisoning\|DET0881 - Detection of SEO Poisoning]] | Resource Development | DET0881 | Linux |
| [[det0882-detection-of-web-services\|DET0882 - Detection of Web Services]] | Resource Development | DET0882 | IaaS, Network |
| [[det0883-detection-of-botnet\|DET0883 - Detection of Botnet]] | Resource Development | DET0883 | Windows, Network |
| [[det0884-detection-of-acquire-access\|DET0884 - Detection of Acquire Access]] | Resource Development | DET0884 | IaaS |
| [[det0885-detection-of-compromise-infrastructure\|DET0885 - Detection of Compromise Infrastructure]] | Resource Development | DET0885 | Network |
| [[det0887-detection-of-hardware\|DET0887 - Detection of Hardware]] | Resource Development | DET0887 | Containers |
| [[det0888-detection-of-software\|DET0888 - Detection of Software]] | Resource Development | DET0888 | Windows, IaaS, Containers |
| [[det0891-detection-of-dns-server\|DET0891 - Detection of DNS Server]] | Resource Development | DET0891 | IaaS, Network |
| [[det0892-detection-of-domains\|DET0892 - Detection of Domains]] | Resource Development | DET0892 | IaaS, Containers |
| [[det0893-detection-of-link-target\|DET0893 - Detection of Link Target]] | Resource Development | DET0893 | Windows, Linux, macOS |
| [[det0894-detection-of-exploits\|DET0894 - Detection of Exploits]] | Resource Development | DET0894 | Containers, Network |
| [[det0895-detection-of-acquire-infrastructure\|DET0895 - Detection of Acquire Infrastructure]] | Resource Development | DET0895 | IaaS, Containers |
<!-- SerializedQuery END -->

---

## Latest Updates

%%
```dataview
TABLE WITHOUT ID
  link(file.link, title) AS "Estrategia",
  mitre-tactic AS "Tática",
  dateformat(file.mtime, "yyyy-MM-dd HH:mm") AS "Modificado"
FROM "defenses/detections/detection-strategies"
WHERE type = "detection-strategy" AND !contains(file.name, "_")
SORT file.mtime DESC
LIMIT 10
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Estrategia", mitre-tactic AS "Tática", dateformat(file.mtime, "yyyy-MM-dd HH:mm") AS "Modificado" FROM "defenses/detections/detection-strategies" WHERE type = "detection-strategy" AND !contains(file.name, "_") SORT file.mtime DESC LIMIT 10 -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Estrategia", mitre-tactic AS "Tática", dateformat(file.mtime, "yyyy-MM-dd HH:mm") AS "Modificado" FROM "defenses/detections/detection-strategies" WHERE type = "detection-strategy" AND !contains(file.name, "_") SORT file.mtime DESC LIMIT 10 -->
| Strategy | Tactic | Modified |
| --- | --- | --- |
| [[det0302-port-knock-ruledaemon-change-first-successful-connect-t1205001\|DET0302 - Port-knock → rule/daemon change → first successful connect (T1205.001)]] | Defense Evasion | 2026-03-30 16:36 |
| [[det0215-detection-of-multi-platform-file-encryption-for-impact\|DET0215 - Detection of Multi-Platform File Encryption for Impact]] | Impact | 2026-03-30 16:36 |
| [[det0137-detection-strategy-for-disk-wipe-via-direct-disk-access-and-destructive-\|DET0137 - Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands]] | Impact | 2026-03-30 16:36 |
| [[det0101-detection-strategy-for-lua-scripting-abuse\|DET0101 - Detection Strategy for Lua Scripting Abuse]] | Execution | 2026-03-30 16:36 |
| [[det0527-right-to-left-override-masquerading-detection-via-filename-and-execution\|DET0527 - Right-to-Left Override Masquerading Detection via Filename and Execution Context]] | Defense Evasion | 2026-03-30 16:36 |
| [[det0314-detection-strategy-for-network-sniffing-across-platforms\|DET0314 - Detection Strategy for Network Sniffing Across Platforms]] | Credential Access | 2026-03-30 16:36 |
| [[det0437-detection-of-lsa-secrets-dumping-via-registry-and-memory-extraction\|DET0437 - Detection of LSA Secrets Dumping via Registry and Memory Extraction]] | Credential Access | 2026-03-30 16:36 |
| [[det0559-multi-platform-shutdown-or-reboot-detection-via-execution-and-host-statu\|DET0559 - Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events]] | Impact | 2026-03-30 16:36 |
| [[det0503-behavioral-detection-strategy-for-exfiltration-over-symmetric-encrypted-\|DET0503 - Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol]] | Exfiltration | 2026-03-30 16:36 |
| [[det0295-behavioral-detection-of-thread-execution-hijacking-via-thread-suspension\|DET0295 - Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching]] | Defense Evasion | 2026-03-30 16:36 |
<!-- SerializedQuery END -->

---

> [!tip] Prioritization for Brazil
> When building detection strategies, prioritize the techniques most frequently observed in Brazilian incidents: [[t1566-phishing|T1566 — Phishing]], [[t1059-command-scripting-interpreter|T1059 — Command and Scripting Interpreter]], [[t1486-data-encrypted-for-impact|T1486 — Data Encrypted for Impact]], [[t1190-exploit-public-facing-application|T1190 — Exploit Public-Facing Application]] and [[T1078 — Valid Accounts]]. These techniques cover the most common entry vectors in campaigns by [[s0531-grandoreiro|Grandoreiro]], [[g0099-blind-eagle-apt-c-36|Blind Eagle]] and ransomware operators such as [[lockbit|LockBit]] and [[cl0p|Cl0p]] that are active in the region.

---

*Reference: [MITRE ATT&CK — Detections](https://attack.mitre.org/techniques/enterprise/). Strategies are reviewed continuously as new techniques and sub-techniques are added to the framework. For concrete detection rules (Sigma, KQL, SPL), see [[_analytics|Analytics]].*