├── .github └── FUNDING.yml ├── .gitignore ├── .gitmodules ├── .travis.yml ├── Atomic_Threat_Coverage ├── Customers │ ├── CU_0001_TESTCUSTOMER.md │ └── CU_0002_TESTCUSTOMER2.md ├── Data_Needed │ ├── DN_0001_4688_windows_process_creation.md │ ├── DN_0002_4688_windows_process_creation_with_commandline.md │ ├── DN_0003_1_windows_sysmon_process_creation.md │ ├── DN_0004_4624_windows_account_logon.md │ ├── DN_0005_7045_windows_service_insatalled.md │ ├── DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md │ ├── DN_0007_3_windows_sysmon_network_connection.md │ ├── DN_0008_4_windows_sysmon_sysmon_service_state_changed.md │ ├── DN_0009_5_windows_sysmon_process_terminated.md │ ├── DN_0010_6_windows_sysmon_driver_loaded.md │ ├── DN_0011_7_windows_sysmon_image_loaded.md │ ├── DN_0012_8_windows_sysmon_CreateRemoteThread.md │ ├── DN_0013_9_windows_sysmon_RawAccessRead.md │ ├── DN_0014_10_windows_sysmon_ProcessAccess.md │ ├── DN_0015_11_windows_sysmon_FileCreate.md │ ├── DN_0016_12_windows_sysmon_RegistryEvent.md │ ├── DN_0017_13_windows_sysmon_RegistryEvent.md │ ├── DN_0018_14_windows_sysmon_RegistryEvent.md │ ├── DN_0019_15_windows_sysmon_FileCreateStreamHash.md │ ├── DN_0020_17_windows_sysmon_PipeEvent.md │ ├── DN_0021_18_windows_sysmon_PipeEvent.md │ ├── DN_0022_19_windows_sysmon_WmiEvent.md │ ├── DN_0023_20_windows_sysmon_WmiEvent.md │ ├── DN_0024_21_windows_sysmon_WmiEvent.md │ ├── DN_0026_5136_windows_directory_service_object_was_modified.md │ ├── DN_0027_4738_user_account_was_changed.md │ ├── DN_0028_4794_directory_services_restore_mode_admin_password_set.md │ ├── DN_0029_4661_handle_to_an_object_was_requested.md │ ├── DN_0030_4662_operation_was_performed_on_an_object.md │ ├── DN_0031_7036_service_started_stopped.md │ ├── DN_0032_5145_network_share_object_was_accessed_detailed.md │ ├── DN_0033_5140_network_share_object_was_accessed.md │ ├── DN_0034_104_log_file_was_cleared.md │ ├── DN_0035_106_task_scheduler_task_registered.md │ ├── DN_0036_4104_windows_powershell_script_block.md │ ├── DN_0037_4103_windows_powershell_executing_pipeline.md │ ├── DN_0038_400_engine_state_is_changed_from_none_to_available.md │ ├── DN_0039_524_system_catalog_has_been_deleted.md │ ├── DN_0040_528_user_successfully_logged_on_to_a_computer.md │ ├── DN_0041_529_logon_failure.md │ ├── DN_0042_675_kerberos_preauthentication_failed.md │ ├── DN_0043_770_dns_server_plugin_dll_has_been_loaded.md │ ├── DN_0044_1000_application_crashed.md │ ├── DN_0045_1001_windows_error_reporting.md │ ├── DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md │ ├── DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md │ ├── DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls.md │ ├── DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.md │ ├── DN_0050_1102_audit_log_was_cleared.md │ ├── DN_0051_1121_attack_surface_reduction_blocking_mode_event.md │ ├── DN_0052_2003_query_to_load_usb_drivers.md │ ├── DN_0053_2100_pnp_or_power_operation_for_usb_device.md │ ├── DN_0054_2102_pnp_or_power_operation_for_usb_device.md │ ├── DN_0054_linux_auditd_execve.md │ ├── DN_0055_linux_auditd_read_access_to_file.md │ ├── DN_0056_linux_auditd_syscall.md │ ├── DN_0057_4625_account_failed_to_logon.md │ ├── DN_0058_4656_handle_to_an_object_was_requested.md │ ├── DN_0059_4657_registry_value_was_modified.md │ ├── DN_0060_4658_handle_to_an_object_was_closed.md │ ├── DN_0061_4660_object_was_deleted.md │ ├── DN_0062_4663_attempt_was_made_to_access_an_object.md │ ├── DN_0063_4697_service_was_installed_in_the_system.md │ ├── DN_0064_4698_scheduled_task_was_created.md │ ├── DN_0065_4701_scheduled_task_was_disabled.md │ ├── DN_0066_4704_user_right_was_assigned.md │ ├── DN_0067_4719_system_audit_policy_was_changed.md │ ├── DN_0068_4728_member_was_added_to_security_enabled_global_group.md │ ├── DN_0069_4732_member_was_added_to_security_enabled_local_group.md │ ├── DN_0070_4735_security_enabled_local_group_was_changed.md │ ├── DN_0071_4737_security_enabled_global_group_was_changed.md │ ├── DN_0072_4755_security_enabled_universal_group_was_changed.md │ ├── DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md │ ├── DN_0074_4765_sid_history_was_added_to_an_account.md │ ├── DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md │ ├── DN_0076_4768_kerberos_authentication_ticket_was_requested.md │ ├── DN_0077_4769_kerberos_service_ticket_was_requested.md │ ├── DN_0078_4771_kerberos_pre_authentication_failed.md │ ├── DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md │ ├── DN_0080_5859_wmi_activity.md │ ├── DN_0081_5861_wmi_activity.md │ ├── DN_0082_8002_ntlm_server_blocked_audit.md │ ├── DN_0083_16_access_history_in_hive_was_cleared.md │ ├── DN_0084_av_alert.md │ ├── DN_0085_22_windows_sysmon_DnsQuery.md │ ├── DN_0086_4720_user_account_was_created.md │ ├── DN_0087_5156_windows_filtering_platform_has_permitted_connection.md │ ├── DN_0088_4616_system_time_was_changed.md │ ├── DN_0089_56_terminal_server_security_layer_detected_an_error.md │ ├── DN_0090_50_terminal_server_security_layer_detected_an_error.md │ ├── DN_0091_linux_modsecurity_log.md │ ├── DN_0092_unix_generic_syslog.md │ ├── DN_0093_linux_clamav_log.md │ ├── DN_0094_linux_sshd_log.md │ ├── DN_0095_linux_auth_pam_log.md │ ├── DN_0096_linux_named_client_security_log.md │ ├── DN_0097_linux_daemon_log.md │ ├── DN_0098_linux_vsftpd_log.md │ ├── DN_0099_Bind_DNS_query.md │ ├── DN_0100_Passive_DNS_log.md │ └── DN_0108_150_dns_server_could_not_load_dll.md ├── Detection_Rules │ ├── av_exploiting.md │ ├── av_password_dumper.md │ ├── av_relevant_files.md │ ├── av_webshell.md │ ├── powershell_alternate_powershell_hosts.md │ ├── powershell_clear_powershell_history.md │ ├── powershell_create_local_user.md │ ├── powershell_data_compressed.md │ ├── powershell_dnscat_execution.md │ ├── powershell_downgrade_attack.md │ ├── powershell_exe_calling_ps.md │ ├── powershell_invoke_obfuscation_obfuscated_iex.md │ ├── powershell_malicious_commandlets.md │ ├── powershell_malicious_keywords.md │ ├── powershell_nishang_malicious_commandlets.md │ ├── powershell_ntfs_ads_access.md │ ├── powershell_prompt_credentials.md │ ├── powershell_psattack.md │ ├── powershell_remote_powershell_session.md │ ├── powershell_shellcode_b64.md │ ├── powershell_suspicious_download.md │ ├── powershell_suspicious_invocation_generic.md │ ├── powershell_suspicious_invocation_specific.md │ ├── powershell_suspicious_keywords.md │ ├── powershell_suspicious_profile_create.md │ ├── powershell_winlogon_helper_dll.md │ ├── powershell_wmimplant.md │ ├── sysmon_ads_executable.md │ ├── sysmon_alternate_powershell_hosts_moduleload.md │ ├── sysmon_alternate_powershell_hosts_pipe.md │ ├── sysmon_apt_oceanlotus_registry.md │ ├── sysmon_apt_pandemic.md │ ├── sysmon_apt_turla_namedpipes.md │ ├── sysmon_asep_reg_keys_modification.md │ ├── sysmon_cactustorch.md │ ├── sysmon_cmstp_execution.md │ ├── sysmon_cobaltstrike_process_injection.md │ ├── sysmon_createremotethread_loadlibrary.md │ ├── sysmon_cred_dump_lsass_access.md │ ├── sysmon_cred_dump_tools_dropped_files.md │ ├── sysmon_cred_dump_tools_named_pipes.md │ ├── sysmon_dhcp_calloutdll.md │ ├── sysmon_disable_security_events_logging_adding_reg_key_minint.md │ ├── sysmon_dns_serverlevelplugindll.md │ ├── sysmon_ghostpack_safetykatz.md │ ├── sysmon_hack_dumpert.md │ ├── sysmon_hack_wce.md │ ├── sysmon_in_memory_assembly_execution.md │ ├── sysmon_in_memory_powershell.md │ ├── sysmon_invoke_phantom.md │ ├── sysmon_logon_scripts_userinitmprlogonscript.md │ ├── sysmon_lsass_memdump.md │ ├── sysmon_lsass_memory_dump_file_creation.md │ ├── sysmon_mal_namedpipes.md │ ├── sysmon_malware_backconnect_ports.md │ ├── sysmon_malware_verclsid_shellcode.md │ ├── sysmon_mimikatz_inmemory_detection.md │ ├── sysmon_mimikatz_trough_winrm.md │ ├── sysmon_minidumwritedump_lsass.md │ ├── sysmon_narrator_feedback_persistance.md │ ├── sysmon_new_dll_added_to_appcertdlls_registry_key.md │ ├── sysmon_new_dll_added_to_appinit_dlls_registry_key.md │ ├── sysmon_password_dumper_lsass.md │ ├── sysmon_possible_dns_rebinding.md │ ├── sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.md │ ├── sysmon_powershell_execution_moduleload.md │ ├── sysmon_powershell_exploit_scripts.md │ ├── sysmon_powershell_network_connection.md │ ├── sysmon_quarkspw_filedump.md │ ├── sysmon_raw_disk_access_using_illegitimate_tools.md │ ├── sysmon_rdp_registry_modification.md │ ├── sysmon_rdp_reverse_tunnel.md │ ├── sysmon_rdp_settings_hijack.md │ ├── sysmon_registry_persistence_key_linking.md │ ├── sysmon_registry_persistence_search_order.md │ ├── sysmon_registry_trust_record_modification.md │ ├── sysmon_regsvr32_network_activity.md │ ├── sysmon_remote_powershell_session_network.md │ ├── sysmon_renamed_jusched.md │ ├── sysmon_renamed_powershell.md │ ├── sysmon_renamed_procdump.md │ ├── sysmon_renamed_psexec.md │ ├── sysmon_rundll32_net_connections.md │ ├── sysmon_ssp_added_lsa_config.md │ ├── sysmon_stickykey_like_backdoor.md │ ├── sysmon_susp_adsi_cache_usage.md │ ├── sysmon_susp_desktop_ini.md │ ├── sysmon_susp_download_run_key.md │ ├── sysmon_susp_driver_load.md │ ├── sysmon_susp_file_characteristics.md │ ├── sysmon_susp_image_load.md │ ├── sysmon_susp_lsass_dll_load.md │ ├── sysmon_susp_office_dotnet_assembly_dll_load.md │ ├── sysmon_susp_office_dotnet_clr_dll_load.md │ ├── sysmon_susp_office_dotnet_gac_dll_load.md │ ├── sysmon_susp_office_dsparse_dll_load.md │ ├── sysmon_susp_office_kerberos_dll_load.md │ ├── sysmon_susp_powershell_rundll32.md │ ├── sysmon_susp_procexplorer_driver_created_in_tmp_folder.md │ ├── sysmon_susp_prog_location_network_connection.md │ ├── sysmon_susp_rdp.md │ ├── sysmon_susp_reg_persist_explorer_run.md │ ├── sysmon_susp_run_key_img_folder.md │ ├── sysmon_susp_service_installed.md │ ├── sysmon_susp_winword_vbadll_load.md │ ├── sysmon_susp_winword_wmidll_load.md │ ├── sysmon_suspicious_keyboard_layout_load.md │ ├── sysmon_suspicious_outbound_kerberos_connection.md │ ├── sysmon_suspicious_remote_thread.md │ ├── sysmon_svchost_dll_search_order_hijack.md │ ├── sysmon_sysinternals_eula_accepted.md │ ├── sysmon_tsclient_filewrite_startup.md │ ├── sysmon_uac_bypass_eventvwr.md │ ├── sysmon_uac_bypass_sdclt.md │ ├── sysmon_unsigned_image_loaded_into_lsass.md │ ├── sysmon_webshell_creation_detect.md │ ├── sysmon_win_binary_github_com.md │ ├── sysmon_win_binary_susp_com.md │ ├── sysmon_win_reg_persistence.md │ ├── sysmon_wmi_event_subscription.md │ ├── sysmon_wmi_module_load.md │ ├── sysmon_wmi_persistence_commandline_event_consumer.md │ ├── sysmon_wmi_persistence_script_event_consumer_write.md │ ├── sysmon_wmi_susp_scripting.md │ ├── win_GPO_scheduledtasks.md │ ├── win_account_backdoor_dcsync_rights.md │ ├── win_account_discovery.md │ ├── win_ad_object_writedac_access.md │ ├── win_ad_replication_non_machine_account.md │ ├── win_ad_user_enumeration.md │ ├── win_admin_rdp_login.md │ ├── win_admin_share_access.md │ ├── win_alert_active_directory_user_control.md │ ├── win_alert_ad_user_backdoors.md │ ├── win_alert_enable_weak_encryption.md │ ├── win_alert_lsass_access.md │ ├── win_alert_mimikatz_keywords.md │ ├── win_alert_ruler.md │ ├── win_apt_apt29_thinktanks.md │ ├── win_apt_apt29_tor.md │ ├── win_apt_babyshark.md │ ├── win_apt_bear_activity_gtr19.md │ ├── win_apt_bluemashroom.md │ ├── win_apt_carbonpaper_turla.md │ ├── win_apt_chafer_mar18.md │ ├── win_apt_cloudhopper.md │ ├── win_apt_dragonfly.md │ ├── win_apt_elise.md │ ├── win_apt_emissarypanda_sep19.md │ ├── win_apt_empiremonkey.md │ ├── win_apt_equationgroup_dll_u_load.md │ ├── win_apt_gallium.md │ ├── win_apt_hurricane_panda.md │ ├── win_apt_judgement_panda_gtr19.md │ ├── win_apt_mustangpanda.md │ ├── win_apt_slingshot.md │ ├── win_apt_sofacy.md │ ├── win_apt_stonedrill.md │ ├── win_apt_ta17_293a_ps.md │ ├── win_apt_tropictrooper.md │ ├── win_apt_turla_commands.md │ ├── win_apt_turla_service_png.md │ ├── win_apt_unidentified_nov_18.md │ ├── win_apt_winnti_mal_hk_jan20.md │ ├── win_apt_wocao.md │ ├── win_apt_zxshell.md │ ├── win_atsvc_task.md │ ├── win_attrib_hiding_files.md │ ├── win_audit_cve.md │ ├── win_av_relevant_match.md │ ├── win_bootconf_mod.md │ ├── win_bypass_squiblytwo.md │ ├── win_change_default_file_association.md │ ├── win_cmdkey_recon.md │ ├── win_cmstp_com_object_access.md │ ├── win_control_panel_item.md │ ├── win_copying_sensitive_files_with_credential_data.md │ ├── win_crime_fireball.md │ ├── win_data_compressed_with_rar.md │ ├── win_dcsync.md │ ├── win_defender_bypass.md │ ├── win_disable_event_logging.md │ ├── win_dns_exfiltration_tools_execution.md │ ├── win_dpapi_domain_backupkey_extraction.md │ ├── win_dpapi_domain_masterkey_backup_attempt.md │ ├── win_dsquery_domain_trust_discovery.md │ ├── win_encoded_frombase64string.md │ ├── win_encoded_iex.md │ ├── win_etw_trace_evasion.md │ ├── win_exfiltration_and_tunneling_tools_execution.md │ ├── win_exploit_cve_2015_1641.md │ ├── win_exploit_cve_2017_0261.md │ ├── win_exploit_cve_2017_11882.md │ ├── win_exploit_cve_2017_8759.md │ ├── win_exploit_cve_2019_1378.md │ ├── win_exploit_cve_2019_1388.md │ ├── win_exploit_cve_2020_10189.md │ ├── win_external_device.md │ ├── win_file_permission_modifications.md │ ├── win_grabbing_sensitive_hives_via_reg.md │ ├── win_hack_bloodhound.md │ ├── win_hack_koadic.md │ ├── win_hack_rubeus.md │ ├── win_hack_secutyxploded.md │ ├── win_hack_smbexec.md │ ├── win_hh_chm.md │ ├── win_hktl_createminidump.md │ ├── win_html_help_spawn.md │ ├── win_hwp_exploits.md │ ├── win_impacket_lateralization.md │ ├── win_impacket_secretdump.md │ ├── win_indirect_cmd.md │ ├── win_install_reg_debugger_backdoor.md │ ├── win_interactive_at.md │ ├── win_invoke_obfuscation_obfuscated_iex_commandline.md │ ├── win_invoke_obfuscation_obfuscated_iex_services.md │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.md │ ├── win_lethalhta.md │ ├── win_lm_namedpipe.md │ ├── win_local_system_owner_account_discovery.md │ ├── win_lsass_access_non_system_account.md │ ├── win_lsass_dump.md │ ├── win_mal_adwind.md │ ├── win_mal_creddumper.md │ ├── win_mal_ryuk.md │ ├── win_mal_service_installs.md │ ├── win_mal_ursnif.md │ ├── win_mal_wceaux_dll.md │ ├── win_malware_dridex.md │ ├── win_malware_dtrack.md │ ├── win_malware_emotet.md │ ├── win_malware_formbook.md │ ├── win_malware_notpetya.md │ ├── win_malware_qbot.md │ ├── win_malware_ryuk.md │ ├── win_malware_script_dropper.md │ ├── win_malware_trickbot_recon_activity.md │ ├── win_malware_wannacry.md │ ├── win_mavinject_proc_inj.md │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_installation.md │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start.md │ ├── win_mimikatz_command_line.md │ ├── win_mmc20_lateral_movement.md │ ├── win_mmc_spawn_shell.md │ ├── win_mshta_javascript.md │ ├── win_mshta_spawn_shell.md │ ├── win_multiple_suspicious_cli.md │ ├── win_net_enum.md │ ├── win_net_ntlm_downgrade.md │ ├── win_net_user_add.md │ ├── win_netsh_fw_add.md │ ├── win_netsh_packet_capture.md │ ├── win_netsh_port_fwd.md │ ├── win_netsh_port_fwd_3389.md │ ├── win_network_sniffing.md │ ├── win_new_or_renamed_user_account_with_dollar_sign.md │ ├── win_new_service_creation.md │ ├── win_non_interactive_powershell.md │ ├── win_office_shell.md │ ├── win_office_spawn_exe_from_users_directory.md │ ├── win_overpass_the_hash.md │ ├── win_pass_the_hash.md │ ├── win_pass_the_hash_2.md │ ├── win_plugx_susp_exe_locations.md │ ├── win_possible_applocker_bypass.md │ ├── win_possible_dc_sync.md │ ├── win_possible_privilege_escalation_using_rotten_potato.md │ ├── win_powershell_amsi_bypass.md │ ├── win_powershell_audio_capture.md │ ├── win_powershell_b64_shellcode.md │ ├── win_powershell_bitsjob.md │ ├── win_powershell_dll_execution.md │ ├── win_powershell_downgrade_attack.md │ ├── win_powershell_download.md │ ├── win_powershell_frombase64string.md │ ├── win_powershell_suspicious_parameter_variation.md │ ├── win_powershell_xor_commandline.md │ ├── win_powersploit_empire_schtasks.md │ ├── win_proc_wrong_parent.md │ ├── win_process_creation_bitsadmin_download.md │ ├── win_process_dump_rundll32_comsvcs.md │ ├── win_protected_storage_service_access.md │ ├── win_psexesvc_start.md │ ├── win_quarkspwdump_clearing_hive_access_history.md │ ├── win_query_registry.md │ ├── win_rare_schtask_creation.md │ ├── win_rare_schtasks_creations.md │ ├── win_rare_service_installs.md │ ├── win_rdp_bluekeep_poc_scanner.md │ ├── win_rdp_hijack_shadowing.md │ ├── win_rdp_localhost_login.md │ ├── win_rdp_potential_cve-2019-0708.md │ ├── win_rdp_reverse_tunnel.md │ ├── win_register_new_logon_process_by_rubeus.md │ ├── win_remote_powershell_session.md │ ├── win_remote_powershell_session_process.md │ ├── win_remote_registry_management_using_reg_utility.md │ ├── win_remote_time_discovery.md │ ├── win_renamed_binary.md │ ├── win_renamed_binary_highly_relevant.md │ ├── win_renamed_paexec.md │ ├── win_run_powershell_script_from_ads.md │ ├── win_sam_registry_hive_handle_request.md │ ├── win_scm_database_handle_failure.md │ ├── win_scm_database_privileged_operation.md │ ├── win_sdbinst_shim_persistence.md │ ├── win_service_execution.md │ ├── win_service_stop.md │ ├── win_shadow_copies_access_symlink.md │ ├── win_shadow_copies_creation.md │ ├── win_shadow_copies_deletion.md │ ├── win_shell_spawn_susp_program.md │ ├── win_silenttrinity_stage_use.md │ ├── win_soundrec_audio_capture.md │ ├── win_spn_enum.md │ ├── win_susp_add_domain_trust.md │ ├── win_susp_add_sid_history.md │ ├── win_susp_backup_delete.md │ ├── win_susp_bcdedit.md │ ├── win_susp_bginfo.md │ ├── win_susp_calc.md │ ├── win_susp_cdb.md │ ├── win_susp_certutil_command.md │ ├── win_susp_certutil_encode.md │ ├── win_susp_cli_escape.md │ ├── win_susp_cmd_http_appdata.md │ ├── win_susp_codeintegrity_check_failure.md │ ├── win_susp_codepage_switch.md │ ├── win_susp_commands_recon_activity.md │ ├── win_susp_compression_params.md │ ├── win_susp_comsvcs_procdump.md │ ├── win_susp_control_dll_load.md │ ├── win_susp_copy_lateral_movement.md │ ├── win_susp_csc.md │ ├── win_susp_csc_folder.md │ ├── win_susp_curl_start_combo.md │ ├── win_susp_dctask64_proc_inject.md │ ├── win_susp_devtoolslauncher.md │ ├── win_susp_dhcp_config.md │ ├── win_susp_dhcp_config_failed.md │ ├── win_susp_direct_asep_reg_keys_modification.md │ ├── win_susp_dns_config.md │ ├── win_susp_dnx.md │ ├── win_susp_double_extension.md │ ├── win_susp_dsrm_password_change.md │ ├── win_susp_dxcap.md │ ├── win_susp_eventlog_clear.md │ ├── win_susp_eventlog_cleared.md │ ├── win_susp_exec_folder.md │ ├── win_susp_execution_path.md │ ├── win_susp_execution_path_webserver.md │ ├── win_susp_failed_logon_reasons.md │ ├── win_susp_failed_logons_single_source.md │ ├── win_susp_firewall_disable.md │ ├── win_susp_fsutil_usage.md │ ├── win_susp_gup.md │ ├── win_susp_interactive_logons.md │ ├── win_susp_iss_module_install.md │ ├── win_susp_kerberos_manipulation.md │ ├── win_susp_ldap_dataexchange.md │ ├── win_susp_local_anon_logon_created.md │ ├── win_susp_lsass_dump.md │ ├── win_susp_lsass_dump_generic.md │ ├── win_susp_mshta_execution.md │ ├── win_susp_msiexec_cwd.md │ ├── win_susp_msiexec_web_install.md │ ├── win_susp_msmpeng_crash.md │ ├── win_susp_msoffice.md │ ├── win_susp_net_execution.md │ ├── win_susp_net_recon_activity.md │ ├── win_susp_netsh_dll_persistence.md │ ├── win_susp_ntdsutil.md │ ├── win_susp_ntlm_auth.md │ ├── win_susp_odbcconf.md │ ├── win_susp_openwith.md │ ├── win_susp_outlook.md │ ├── win_susp_outlook_temp.md │ ├── win_susp_ping_hex_ip.md │ ├── win_susp_powershell_empire_launch.md │ ├── win_susp_powershell_empire_uac_bypass.md │ ├── win_susp_powershell_enc_cmd.md │ ├── win_susp_powershell_hidden_b64_cmd.md │ ├── win_susp_powershell_parent_combo.md │ ├── win_susp_procdump.md │ ├── win_susp_process_creations.md │ ├── win_susp_prog_location_process_starts.md │ ├── win_susp_ps_appdata.md │ ├── win_susp_ps_downloadfile.md │ ├── win_susp_psexec.md │ ├── win_susp_psr_capture_screenshots.md │ ├── win_susp_raccess_sensitive_fext.md │ ├── win_susp_rasdial_activity.md │ ├── win_susp_rc4_kerberos.md │ ├── win_susp_recon_activity.md │ ├── win_susp_regsvr32_anomalies.md │ ├── win_susp_renamed_dctask64.md │ ├── win_susp_rottenpotato.md │ ├── win_susp_run_locations.md │ ├── win_susp_rundll32_activity.md │ ├── win_susp_rundll32_by_ordinal.md │ ├── win_susp_sam_dump.md │ ├── win_susp_samr_pwset.md │ ├── win_susp_schtask_creation.md │ ├── win_susp_script_execution.md │ ├── win_susp_sdelete.md │ ├── win_susp_security_eventlog_cleared.md │ ├── win_susp_service_path_modification.md │ ├── win_susp_squirrel_lolbin.md │ ├── win_susp_svchost.md │ ├── win_susp_svchost_no_cli.md │ ├── win_susp_sysprep_appdata.md │ ├── win_susp_sysvol_access.md │ ├── win_susp_taskmgr_localsystem.md │ ├── win_susp_taskmgr_parent.md │ ├── win_susp_time_modification.md │ ├── win_susp_tscon_localsystem.md │ ├── win_susp_tscon_rdp_redirect.md │ ├── win_susp_use_of_csharp_console.md │ ├── win_susp_userinit_child.md │ ├── win_susp_whoami.md │ ├── win_susp_wmi_execution.md │ ├── win_susp_wmi_login.md │ ├── win_suspicious_outbound_kerberos_connection.md │ ├── win_svcctl_remote_service.md │ ├── win_syskey_registry_access.md │ ├── win_sysmon_driver_unload.md │ ├── win_system_exe_anomaly.md │ ├── win_tap_driver_installation.md │ ├── win_tap_installer_execution.md │ ├── win_task_folder_evasion.md │ ├── win_termserv_proc_spawn.md │ ├── win_tool_psexec.md │ ├── win_transferring_files_with_credential_data_via_network_shares.md │ ├── win_trust_discovery.md │ ├── win_uac_cmstp.md │ ├── win_uac_fodhelper.md │ ├── win_uac_wsreset.md │ ├── win_usb_device_plugged.md │ ├── win_user_added_to_local_administrators.md │ ├── win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md │ ├── win_user_creation.md │ ├── win_user_driver_loaded.md │ ├── win_using_sc_to_change_sevice_image_path_by_non_admin.md │ ├── win_vul_cve_2020_0688.md │ ├── win_vul_java_remote_debugging.md │ ├── win_webshell_detection.md │ ├── win_webshell_spawn.md │ ├── win_whoami_as_system.md │ ├── win_win10_sched_task_0day.md │ ├── win_wmi_backdoor_exchange_transport_agent.md │ ├── win_wmi_persistence.md │ ├── win_wmi_persistence_script_event_consumer.md │ ├── win_wmi_spwns_powershell.md │ ├── win_wmiprvse_spawning_process.md │ ├── win_workflow_compiler.md │ ├── win_wsreset_uac_bypass.md │ └── win_xsl_script_processing.md ├── Enrichments │ ├── EN_0001_cache_sysmon_event_id_1_info.md │ ├── EN_0002_enrich_sysmon_event_id_1_with_parent_info.md │ ├── EN_0003_enrich_other_sysmon_events_with_event_id_1_data.md │ ├── EN_0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md │ └── EN_0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md ├── Hardening_Policies │ └── HP_0001_windows_LocalAccountTokenFilterPolicy.md ├── Logging_Policies │ ├── LP_0001_windows_audit_process_creation.md │ ├── LP_0002_windows_audit_process_creation_with_commandline.md │ ├── LP_0003_windows_sysmon_process_creation.md │ ├── LP_0004_windows_audit_logon.md │ ├── LP_0005_windows_sysmon_network_connection.md │ ├── LP_0006_windows_sysmon_image_loaded.md │ ├── LP_0007_windows_sysmon_ProcessAccess.md │ ├── LP_0008_windows_sysmon_FileCreate.md │ ├── LP_0009_windows_sysmon_PipeEvent.md │ ├── LP_0010_windows_sysmon_WmiEvent.md │ ├── LP_0011_windows_sysmon_DnsQuery.md │ ├── LP_0025_windows_audit_directory_service_changes.md │ ├── LP_0026_windows_audit_user_account_management.md │ ├── LP_0027_windows_audit_directory_service_access.md │ ├── LP_0028_windows_audit_sam.md │ ├── LP_0029_windows_audit_detailed_file_share.md │ ├── LP_0030_windows_audit_file_share.md │ ├── LP_0031_linux_auditd_execve.md │ ├── LP_0032_linux_auditd_read_access_to_file.md │ ├── LP_0033_linux_auditd_syscall.md │ ├── LP_0034_linux_named_client_security_log.md │ ├── LP_0037_windows_audit_audit_policy_change.md │ ├── LP_0038_windows_audit_kerberos_authentication_service.md │ ├── LP_0039_windows_audit_kernel_object.md │ ├── LP_0041_windows_audit_other_object_access_events.md │ ├── LP_0042_windows_audit_handle_manipulation.md │ ├── LP_0044_windows_ntlm_audit.md │ ├── LP_0045_windows_audit_filtering_platform_connection.md │ ├── LP_0046_windows_audit_security_state_change.md │ ├── LP_0047_BIND_DNS_queries.md │ ├── LP_0048_Passive_DNS_logging.md │ ├── LP_0100_windows_audit_security_system_extension.md │ ├── LP_0101_windows_audit_security_group_management.md │ ├── LP_0102_windows_audit_file_system.md │ ├── LP_0103_windows_audit_registry.md │ ├── LP_0104_windows_audit_removable_storage.md │ ├── LP_0105_windows_audit_authorization_policy_change.md │ ├── LP_0106_windows_audit_kerberos_service_ticket_operations.md │ ├── LP_0107_windows_audit_credential_validation.md │ ├── LP_0108_windows_powershell_module_logging.md │ ├── LP_0109_windows_powershell_script_block_log.md │ └── LP_0110_windows_powershell_transcript.md ├── Mitigation_Policies │ └── MP_0001_windows_asr_block_credential_stealing_from_lsass.md ├── Mitigation_Systems │ └── MS_0001_microsoft_defender_advanced_threat_protection.md ├── Response_Actions │ ├── RA_1001_practice.md │ ├── RA_1002_take_trainings.md │ ├── RA_1003_raise_personnel_awareness.md │ ├── RA_1004_make_personnel_report_suspicious_activity.md │ ├── RA_1005_set_up_relevant_data_collection.md │ ├── RA_1006_set_up_a_centralized_long-term_log_storage.md │ ├── RA_1007_develop_communication_map.md │ ├── RA_1008_make_sure_there_are_backups.md │ ├── RA_1009_get_network_architecture_map.md │ ├── RA_1010_get_access_control_matrix.md │ ├── RA_1011_develop_assets_knowledge_base.md │ ├── RA_1012_check_analysis_toolset.md │ ├── RA_1013_access_vulnerability_management_system_logs.md │ ├── RA_1014_connect_with_trusted_communities.md │ ├── RA_1101_access_external_network_flow_logs.md │ ├── RA_1102_access_internal_network_flow_logs.md │ ├── RA_1103_access_internal_http_logs.md │ ├── RA_1104_access_external_http_logs.md │ ├── RA_1105_access_internal_dns_logs.md │ ├── RA_1106_access_external_dns_logs.md │ ├── RA_1107_access_vpn_logs.md │ ├── RA_1108_access_dhcp_logs.md │ ├── RA_1109_access_internal_packet_capture_data.md │ ├── RA_1110_access_external_packet_capture_data.md │ ├── RA_1111_get_ability_to_block_external_ip_address.md │ ├── RA_1112_get_ability_to_block_internal_ip_address.md │ ├── RA_1113_get_ability_to_block_external_domain.md │ ├── RA_1114_get_ability_to_block_internal_domain.md │ ├── RA_1115_get_ability_to_block_external_url.md │ ├── RA_1116_get_ability_to_block_internal_url.md │ ├── RA_1117_get_ability_to_block_port_external_communication.md │ ├── RA_1118_get_ability_to_block_port_internal_communication.md │ ├── RA_1119_get_ability_to_block_user_external_communication.md │ ├── RA_1120_get_ability_to_block_user_internal_communication.md │ ├── RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md │ ├── RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md │ ├── RA_1123_get_ability_to_list_data_transferred.md │ ├── RA_1124_get_ability_to_collect_transferred_data.md │ ├── RA_1125_get_ability_to_identify_transferred_data.md │ ├── RA_1126_find_data_transferred_by_content_pattern.md │ ├── RA_1201_get_ability_to_list_users_opened_email_message.md │ ├── RA_1202_get_ability_to_list_email_message_receivers.md │ ├── RA_1203_get_ability_to_block_email_domain.md │ ├── RA_1204_get_ability_to_block_email_sender.md │ ├── RA_1205_get_ability_to_delete_email_message.md │ ├── RA_1206_get_ability_to_quarantine_email_message.md │ ├── RA_1207_get_ability_to_collect_email_message.md │ ├── RA_1301_get_ability_to_list_files_created.md │ ├── RA_1302_get_ability_to_list_files_modified.md │ ├── RA_1303_get_ability_to_list_files_deleted.md │ ├── RA_1304_get_ability_to_list_files_downloaded.md │ ├── RA_1305_get_ability_to_list_files_with_tampered_timestamps.md │ ├── RA_1306_get_ability_to_find_file_by_path.md │ ├── RA_1307_get_ability_to_find_file_by_metadata.md │ ├── RA_1308_get_ability_to_find_file_by_hash.md │ ├── RA_1309_get_ability_to_find_file_by_format.md │ ├── RA_1310_get_ability_to_find_file_by_content_pattern.md │ ├── RA_1311_get_ability_to_collect_file.md │ ├── RA_1312_get_ability_to_quarantine_file_by_path.md │ ├── RA_1313_get_ability_to_quarantine_file_by_hash.md │ ├── RA_1314_get_ability_to_quarantine_file_by_format.md │ ├── RA_1315_get_ability_to_quarantine_file_by_content_pattern.md │ ├── RA_1316_get_ability_to_remove_file.md │ ├── RA_1317_get_ability_to_analyse_file_hash.md │ ├── RA_1318_get_ability_to_analyse_windows_pe.md │ ├── RA_1319_get_ability_to_analyse_macos_macho.md │ ├── RA_1320_get_ability_to_analyse_unix_elf.md │ ├── RA_1321_get_ability_to_analyse_ms_office_file.md │ ├── RA_1322_get_ability_to_analyse_pdf_file.md │ ├── RA_1323_get_ability_to_analyse_script.md │ ├── RA_1401_get_ability_to_list_processes_executed.md │ ├── RA_1402_get_ability_to_find_process_by_executable_path.md │ ├── RA_1403_get_ability_to_find_process_by_executable_metadata.md │ ├── RA_1404_get_ability_to_find_process_by_executable_hash.md │ ├── RA_1405_get_ability_to_find_process_by_executable_format.md │ ├── RA_1406_get_ability_to_find_process_by_executable_content_pattern.md │ ├── RA_1407_get_ability_to_block_process_by_executable_path.md │ ├── RA_1408_get_ability_to_block_process_by_executable_metadata.md │ ├── RA_1409_get_ability_to_block_process_by_executable_hash.md │ ├── RA_1410_get_ability_to_block_process_by_executable_format.md │ ├── RA_1411_get_ability_to_block_process_by_executable_content_pattern.md │ ├── RA_1501_manage_remote_computer_management_system_policies.md │ ├── RA_1502_get_ability_to_list_registry_keys_modified.md │ ├── RA_1503_get_ability_to_list_registry_keys_deleted.md │ ├── RA_1504_get_ability_to_list_registry_keys_accessed.md │ ├── RA_1505_get_ability_to_list_registry_keys_created.md │ ├── RA_1506_get_ability_to_list_services_created.md │ ├── RA_1507_get_ability_to_list_services_modified.md │ ├── RA_1508_get_ability_to_list_services_deleted.md │ ├── RA_1509_get_ability_to_remove_registry_key.md │ ├── RA_1510_get_ability_to_remove_service.md │ ├── RA_1601_manage_identity_management_system.md │ ├── RA_1602_get_ability_to_lock_user_account.md │ ├── RA_1603_get_ability_to_list_users_authenticated.md │ ├── RA_1604_get_ability_to_revoke_authentication_credentials.md │ ├── RA_1605_get_ability_to_remove_user_account.md │ ├── RA_2001_list_victims_of_security_alert.md │ ├── RA_2002_list_host_vulnerabilities.md │ ├── RA_2003_put_compromised_accounts_on_monitoring.md │ ├── RA_2101_list_hosts_communicated_with_internal_domain.md │ ├── RA_2102_list_hosts_communicated_with_internal_ip.md │ ├── RA_2103_list_hosts_communicated_with_internal_url.md │ ├── RA_2104_analyse_domain_name.md │ ├── RA_2105_analyse_ip.md │ ├── RA_2106_analyse_uri.md │ ├── RA_2107_list_hosts_communicated_by_port.md │ ├── RA_2108_list_hosts_connected_to_vpn.md │ ├── RA_2109_list_hosts_connected_to_intranet.md │ ├── RA_2110_list_data_transferred.md │ ├── RA_2111_collect_transferred_data.md │ ├── RA_2112_identify_transferred_data.md │ ├── RA_2113_list_hosts_communicated_with_external_domain.md │ ├── RA_2114_list_hosts_communicated_with_external_ip.md │ ├── RA_2115_list_hosts_communicated_with_external_url.md │ ├── RA_2116_find_data_transferred_by_content_pattern.md │ ├── RA_2201_list_users_opened_email_message.md │ ├── RA_2202_collect_email_message.md │ ├── RA_2203_list_email_message_receivers.md │ ├── RA_2204_make_sure_email_message_is_phishing.md │ ├── RA_2205_extract_observables_from_email_message.md │ ├── RA_2301_list_files_created.md │ ├── RA_2302_list_files_modified.md │ ├── RA_2303_list_files_deleted.md │ ├── RA_2304_list_files_downloaded.md │ ├── RA_2305_list_files_with_tampered_timestamps.md │ ├── RA_2306_find_file_by_path.md │ ├── RA_2307_find_file_by_metadata.md │ ├── RA_2308_find_file_by_hash.md │ ├── RA_2309_find_file_by_format.md │ ├── RA_2310_find_file_by_content_pattern.md │ ├── RA_2311_collect_file.md │ ├── RA_2312_analyse_file_hash.md │ ├── RA_2313_analyse_windows_pe.md │ ├── RA_2314_analyse_macos_macho.md │ ├── RA_2315_analyse_unix_elf.md │ ├── RA_2316_analyse_ms_office_file.md │ ├── RA_2317_analyse_pdf_file.md │ ├── RA_2318_analyse_script.md │ ├── RA_2401_list_processes_executed.md │ ├── RA_2402_find_process_by_executable_path.md │ ├── RA_2403_find_process_by_executable_metadata.md │ ├── RA_2404_find_process_by_executable_hash.md │ ├── RA_2405_find_process_by_executable_format.md │ ├── RA_2406_find_process_by_executable_content_pattern.md │ ├── RA_2501_list_registry_keys_modified.md │ ├── RA_2502_list_registry_keys_deleted.md │ ├── RA_2503_list_registry_keys_accessed.md │ ├── RA_2504_list_registry_keys_created.md │ ├── RA_2505_list_services_created.md │ ├── RA_2506_list_services_modified.md │ ├── RA_2507_list_services_deleted.md │ ├── RA_2601_list_users_authenticated.md │ ├── RA_3001_patch_vulnerability.md │ ├── RA_3101_block_external_ip_address.md │ ├── RA_3102_block_internal_ip_address.md │ ├── RA_3103_block_external_domain.md │ ├── RA_3104_block_internal_domain.md │ ├── RA_3105_block_external_url.md │ ├── RA_3106_block_internal_url.md │ ├── RA_3107_block_port_external_communication.md │ ├── RA_3108_block_port_internal_communication.md │ ├── RA_3109_block_user_external_communication.md │ ├── RA_3110_block_user_internal_communication.md │ ├── RA_3111_block_data_transferring_by_content_pattern.md │ ├── RA_3201_block_domain_on_email.md │ ├── RA_3202_block_sender_on_email.md │ ├── RA_3203_quarantine_email_message.md │ ├── RA_3301_quarantine_file_by_format.md │ ├── RA_3302_quarantine_file_by_hash.md │ ├── RA_3303_quarantine_file_by_path.md │ ├── RA_3304_quarantine_file_by_content_pattern.md │ ├── RA_3401_block_process_by_executable_path.md │ ├── RA_3402_block_process_by_executable_metadata.md │ ├── RA_3403_block_process_by_executable_hash.md │ ├── RA_3404_block_process_by_executable_format.md │ ├── RA_3405_block_process_by_executable_content_pattern.md │ ├── RA_3501_disable_system_service.md │ ├── RA_3601_lock_user_account.md │ ├── RA_4001_report_incident_to_external_companies.md │ ├── RA_4101_remove_rogue_network_device.md │ ├── RA_4201_delete_email_message.md │ ├── RA_4301_remove_file.md │ ├── RA_4501_remove_registry_key.md │ ├── RA_4502_remove_service.md │ ├── RA_4601_revoke_authentication_credentials.md │ ├── RA_4602_remove_user_account.md │ ├── RA_5001_reinstall_host_from_golden_image.md │ ├── RA_5002_restore_data_from_backup.md │ ├── RA_5101_unblock_blocked_ip.md │ ├── RA_5102_unblock_blocked_domain.md │ ├── RA_5103_unblock_blocked_url.md │ ├── RA_5104_unblock_blocked_port.md │ ├── RA_5105_unblock_blocked_user.md │ ├── RA_5201_unblock_domain_on_email.md │ ├── RA_5202_unblock_sender_on_email.md │ ├── RA_5203_restore_quarantined_email_message.md │ ├── RA_5301_restore_quarantined_file.md │ ├── RA_5401_unblock_blocked_process.md │ ├── RA_5501_enable_disabled_service.md │ ├── RA_5601_unlock_locked_user_account.md │ ├── RA_6001_develop_incident_report.md │ └── RA_6002_conduct_lessons_learned_exercise.md ├── Response_Playbooks │ └── RP_0001_phishing_email.md ├── Response_Stages │ ├── RS0001.md │ ├── RS0002.md │ ├── RS0003.md │ ├── RS0004.md │ ├── RS0005.md │ ├── RS0006.md │ └── responsestages.md ├── Triggers │ ├── T1002.md │ ├── T1003.md │ ├── T1004.md │ ├── T1005.md │ ├── T1007.md │ ├── T1009.md │ ├── T1010.md │ ├── T1012.md │ ├── T1014.md │ ├── T1015.md │ ├── T1016.md │ ├── T1018.md │ ├── T1022.md │ ├── T1023.md │ ├── T1027.md │ ├── T1028.md │ ├── T1030.md │ ├── T1031.md │ ├── T1032.md │ ├── T1033.md │ ├── T1035.md │ ├── T1036.md │ ├── T1037.md │ ├── T1038.md │ ├── T1040.md │ ├── T1042.md │ ├── T1044.md │ ├── T1046.md │ ├── T1047.md │ ├── T1048.md │ ├── T1049.md │ ├── T1050.md │ ├── T1053.md │ ├── T1055.md │ ├── T1056.md │ ├── T1057.md │ ├── T1058.md │ ├── T1059.md │ ├── T1060.md │ ├── T1062.md │ ├── T1063.md │ ├── T1064.md │ ├── T1065.md │ ├── T1069.md │ ├── T1070.md │ ├── T1071.md │ ├── T1073.md │ ├── T1074.md │ ├── T1075.md │ ├── T1076.md │ ├── T1077.md │ ├── T1081.md │ ├── T1082.md │ ├── T1083.md │ ├── T1084.md │ ├── T1085.md │ ├── T1086.md │ ├── T1087.md │ ├── T1088.md │ ├── T1089.md │ ├── T1090.md │ ├── T1093.md │ ├── T1095.md │ ├── T1096.md │ ├── T1097.md │ ├── T1098.md │ ├── T1099.md │ ├── T1100.md │ ├── T1101.md │ ├── T1102.md │ ├── T1103.md │ ├── T1105.md │ ├── T1107.md │ ├── T1110.md │ ├── T1112.md │ ├── T1113.md │ ├── T1114.md │ ├── T1115.md │ ├── T1117.md │ ├── T1118.md │ ├── T1119.md │ ├── T1121.md │ ├── T1123.md │ ├── T1124.md │ ├── T1126.md │ ├── T1127.md │ ├── T1128.md │ ├── T1130.md │ ├── T1132.md │ ├── T1135.md │ ├── T1136.md │ ├── T1137.md │ ├── T1138.md │ ├── T1139.md │ ├── T1140.md │ ├── T1141.md │ ├── T1142.md │ ├── T1143.md │ ├── T1144.md │ ├── T1145.md │ ├── T1146.md │ ├── T1147.md │ ├── T1148.md │ ├── T1150.md │ ├── T1151.md │ ├── T1152.md │ ├── T1153.md │ ├── T1154.md │ ├── T1155.md │ ├── T1156.md │ ├── T1158.md │ ├── T1159.md │ ├── T1160.md │ ├── T1163.md │ ├── T1164.md │ ├── T1165.md │ ├── T1166.md │ ├── T1168.md │ ├── T1169.md │ ├── T1170.md │ ├── T1173.md │ ├── T1174.md │ ├── T1176.md │ ├── T1179.md │ ├── T1180.md │ ├── T1183.md │ ├── T1191.md │ ├── T1193.md │ ├── T1196.md │ ├── T1197.md │ ├── T1201.md │ ├── T1202.md │ ├── T1204.md │ ├── T1206.md │ ├── T1207.md │ ├── T1208.md │ ├── T1214.md │ ├── T1215.md │ ├── T1216.md │ ├── T1217.md │ ├── T1218.md │ ├── T1219.md │ ├── T1220.md │ ├── T1222.md │ ├── T1223.md │ ├── T1482.md │ ├── T1485.md │ ├── T1489.md │ ├── T1490.md │ ├── T1496.md │ ├── T1500.md │ ├── T1501.md │ ├── T1502.md │ ├── T1504.md │ ├── T1505.md │ ├── T1518.md │ ├── T1519.md │ ├── T1529.md │ └── T1531.md ├── Use_Cases │ ├── UC_0001_TESTUSECASE.md │ └── UC_0002_INITIALACCESS.md └── index.md ├── CONTRIBUTING.md ├── DEVELOP.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── README_PL.md ├── README_RU.md ├── analytics ├── generated │ ├── analytics.csv │ ├── atc_es_index.json │ ├── attack_navigator_profiles │ │ ├── atc_attack_navigator_profile.json │ │ ├── atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json │ │ └── atc_attack_navigator_profile_CU_0002_TESTCUSTOMER2.json │ ├── pivoting.csv │ ├── react_navigator_profile.json │ └── thehive_templates │ │ └── RP_0001_phishing_email.json └── predefined │ ├── atc-analytics-dashboard.json │ ├── atc-analytics-index-pattern.json │ └── atc-analytics-index-template.json ├── customers ├── CU_0001_TESTCUSTOMER.yml ├── CU_0002_TESTCUSTOMER2.yml └── customer.yml.template ├── docker-entrypoint.sh ├── images ├── analytics_pth_v1.png ├── atc_analytics_dashboard.png ├── atc_scheme_v2.jpg ├── cu_confluence_v1.png ├── cu_markdown_v1.png ├── cu_yaml_v1.png ├── dashboard_v1.png ├── dashboard_yaml_v1.png ├── dataneeded_v1.png ├── dn_confluence_v1.png ├── dn_markdown_v1.png ├── dr_confluence_v1.png ├── dr_markdown_v1.png ├── en_confluence_v1.png ├── en_markdown_v1.png ├── en_yaml_v1.png ├── loggingpolicy.png ├── logo_v1.png ├── lp_confluence_v1.png ├── lp_markdown_v1.png ├── navigator_v1.png ├── pivoting_hash_v1.png ├── pivoting_parent_v1.png ├── ra_confluence_v3.png ├── ra_markdown_v3.png ├── ra_yaml_v3.png ├── rp_confluence_v3.png ├── rp_markdown_v3.png ├── rp_yaml_v3.png ├── sigma_rule.png ├── tg_markdown_v1.png ├── thehive_case_task_v1.png ├── thehive_case_template_v1.png ├── trigger.png ├── trigger_confluence_v1.png └── visualisation_yaml_v1.png ├── main.py ├── mkdocs.yml ├── requirements.txt ├── run_tests.sh ├── scripts ├── amitt_mapping.py ├── atc_visualizations │ ├── DEVELOPMENT_README.md │ ├── README.md │ ├── TODO.md │ ├── aggs.py │ ├── base.py │ ├── dashboard.py │ ├── kibana_api.py │ ├── metrics.py │ ├── params.py │ ├── visualisation.py │ └── yaml_handler.py ├── atcutils.py ├── attack_mapping.py ├── attack_navigator_export.py ├── attack_navigator_per_customer_export.py ├── config.default.yml ├── customer.py ├── detectionrule.py ├── es_index_export.py ├── hardeningpolicy.py ├── init_confluence.py ├── init_markdown.py ├── mitigationpolicy.py ├── mitigationsystem.py ├── populateconfluence.py ├── populatemarkdown.py ├── sigma_mapping.py ├── templates │ ├── confluence_alert_template.html.j2 │ ├── confluence_customer_template.html.j2 │ ├── confluence_hardeningpolicies_template.html.j2 │ ├── confluence_mitigationpolicies_template.html.j2 │ ├── confluence_mitigationsystems_template.html.j2 │ ├── confluence_trigger_template.html.j2 │ ├── confluence_usecase_template.html.j2 │ ├── markdown_alert_template.md.j2 │ ├── markdown_customer_template.md.j2 │ ├── markdown_hardeningpolicies_template.md.j2 │ ├── markdown_mitigationpolicies_template.md.j2 │ ├── markdown_mitigationsystems_template.md.j2 │ └── markdown_usecase_template.md.j2 ├── triggers.py ├── update_amitt_mapping.py ├── update_attack_mapping.py └── usecases.py ├── tests ├── __init__.py ├── conftest.py └── test_syntax.py ├── use_cases ├── UC_0001_TESTUSECASE.yml └── UC_0002_INITIALACCESS.yml └── visualizations ├── dashboards ├── examples │ └── test_dashboard_document.yml └── os_hunting_dashboard.yml └── visualizations ├── examples ├── metric.yml ├── pie.yml ├── saved_search.yml └── vert_bar.yml ├── fileshares_operations.yml ├── local_file_operations.yml ├── logon_activities.yml ├── pipe_events.yml ├── powershell_activity.yml ├── process_activities.yml ├── process_execution.yml ├── rdp_activity.yml ├── registry_operations.yml ├── services_and_drivers_operations.yml ├── tasks_operations.yml └── wmi_activity.yml /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | patreon: yugoslavskiy -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/.gitignore -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/.gitmodules -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/.travis.yml -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0034_104_log_file_was_cleared.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0044_1000_application_crashed.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0044_1000_application_crashed.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0045_1001_windows_error_reporting.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0045_1001_windows_error_reporting.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0080_5859_wmi_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0081_5861_wmi_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0084_av_alert.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0084_av_alert.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0091_linux_modsecurity_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0091_linux_modsecurity_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0092_unix_generic_syslog.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0092_unix_generic_syslog.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0093_linux_clamav_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0093_linux_clamav_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0094_linux_sshd_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0094_linux_sshd_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0095_linux_auth_pam_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0095_linux_auth_pam_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0097_linux_daemon_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0097_linux_daemon_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0098_linux_vsftpd_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0098_linux_vsftpd_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/av_webshell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_oceanlotus_registry.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_oceanlotus_registry.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_pandemic.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_pandemic.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_lsass_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_lsass_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_dumpert.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_dumpert.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_in_memory_powershell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_in_memory_powershell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_invoke_phantom.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_invoke_phantom.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_registry_modification.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_registry_modification.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_regsvr32_network_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_regsvr32_network_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_jusched.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_jusched.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_adsi_cache_usage.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_adsi_cache_usage.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_desktop_ini.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_desktop_ini.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_service_installed.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_service_installed.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_winword_vbadll_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_winword_vbadll_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_winword_wmidll_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_winword_wmidll_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_module_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_module_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_external_device.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_external_device.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_sync.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_sync.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0004_windows_audit_logon.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0004_windows_audit_logon.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0028_windows_audit_sam.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0028_windows_audit_sam.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0031_linux_auditd_execve.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0031_linux_auditd_execve.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0033_linux_auditd_syscall.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0033_linux_auditd_syscall.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0044_windows_ntlm_audit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0044_windows_ntlm_audit.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0047_BIND_DNS_queries.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0047_BIND_DNS_queries.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Logging_Policies/LP_0048_Passive_DNS_logging.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Logging_Policies/LP_0048_Passive_DNS_logging.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0001.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0001.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0002.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0002.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0003.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0003.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0004.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0004.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0005.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0005.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/RS0006.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/RS0006.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Response_Stages/responsestages.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Response_Stages/responsestages.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1002.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1002.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1003.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1003.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1004.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1004.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1005.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1005.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1007.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1007.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1009.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1009.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1010.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1010.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1012.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1012.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1014.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1014.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1015.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1015.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1016.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1016.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1018.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1018.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1022.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1022.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1023.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1023.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1027.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1027.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1028.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1028.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1030.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1030.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1031.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1031.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1032.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1032.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1033.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1033.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1035.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1035.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1036.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1036.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1037.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1037.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1038.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1038.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1040.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1040.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1042.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1042.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1044.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1044.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1046.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1046.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1047.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1047.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1048.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1048.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1049.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1049.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1050.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1050.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1053.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1053.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1055.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1055.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1056.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1056.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1057.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1057.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1058.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1058.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1059.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1059.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1060.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1060.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1062.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1062.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1063.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1063.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1064.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1064.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1065.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1065.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1069.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1069.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1070.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1070.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1071.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1071.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1073.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1073.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1074.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1074.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1075.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1075.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1076.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1076.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1077.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1077.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1081.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1081.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1082.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1082.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1083.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1083.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1084.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1084.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1085.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1085.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1086.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1086.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1087.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1087.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1088.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1088.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1089.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1089.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1090.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1090.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1093.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1093.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1095.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1095.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1096.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1096.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1097.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1097.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1098.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1098.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1099.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1099.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1100.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1100.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1101.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1101.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1102.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1102.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1103.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1103.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1105.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1105.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1107.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1107.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1110.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1110.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1112.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1112.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1113.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1113.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1114.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1114.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1115.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1115.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1117.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1117.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1118.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1118.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1119.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1119.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1121.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1121.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1123.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1123.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1124.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1124.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1126.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1126.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1127.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1127.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1128.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1128.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1130.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1130.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1132.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1132.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1135.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1135.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1136.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1136.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1137.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1137.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1138.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1138.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1139.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1139.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1140.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1140.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1141.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1141.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1142.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1142.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1143.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1143.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1144.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1144.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1145.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1145.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1146.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1146.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1147.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1147.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1148.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1148.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1150.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1150.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1151.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1151.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1152.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1152.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1153.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1153.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1154.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1154.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1155.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1155.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1156.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1156.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1158.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1158.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1159.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1159.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1160.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1160.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1163.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1163.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1164.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1164.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1165.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1165.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1166.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1166.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1168.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1168.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1169.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1169.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1170.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1170.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1173.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1173.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1174.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1174.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1176.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1176.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1179.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1179.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1180.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1180.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1183.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1183.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1191.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1191.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1193.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1193.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1196.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1196.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1197.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1197.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1201.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1201.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1202.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1202.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1204.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1204.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1206.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1206.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1207.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1207.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1208.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1208.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1214.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1214.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1215.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1215.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1216.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1216.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1217.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1217.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1218.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1218.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1219.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1219.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1220.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1220.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1222.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1222.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1223.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1223.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1482.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1482.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1485.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1485.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1489.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1489.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1490.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1490.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1496.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1496.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1500.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1500.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1501.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1501.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1502.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1502.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1504.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1504.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1505.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1505.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1518.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1518.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1519.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1519.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1529.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1529.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Triggers/T1531.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Triggers/T1531.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md -------------------------------------------------------------------------------- /Atomic_Threat_Coverage/index.md: -------------------------------------------------------------------------------- 1 | # ATC 2 | 3 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/CONTRIBUTING.md -------------------------------------------------------------------------------- /DEVELOP.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/DEVELOP.md -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Dockerfile -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/README.md -------------------------------------------------------------------------------- /README_PL.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/README_PL.md -------------------------------------------------------------------------------- /README_RU.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/README_RU.md -------------------------------------------------------------------------------- /analytics/generated/analytics.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/generated/analytics.csv -------------------------------------------------------------------------------- /analytics/generated/atc_es_index.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/generated/atc_es_index.json -------------------------------------------------------------------------------- /analytics/generated/pivoting.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/generated/pivoting.csv -------------------------------------------------------------------------------- /analytics/generated/react_navigator_profile.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/generated/react_navigator_profile.json -------------------------------------------------------------------------------- /analytics/generated/thehive_templates/RP_0001_phishing_email.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/generated/thehive_templates/RP_0001_phishing_email.json -------------------------------------------------------------------------------- /analytics/predefined/atc-analytics-dashboard.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/predefined/atc-analytics-dashboard.json -------------------------------------------------------------------------------- /analytics/predefined/atc-analytics-index-pattern.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/predefined/atc-analytics-index-pattern.json -------------------------------------------------------------------------------- /analytics/predefined/atc-analytics-index-template.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/analytics/predefined/atc-analytics-index-template.json -------------------------------------------------------------------------------- /customers/CU_0001_TESTCUSTOMER.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/customers/CU_0001_TESTCUSTOMER.yml -------------------------------------------------------------------------------- /customers/CU_0002_TESTCUSTOMER2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/customers/CU_0002_TESTCUSTOMER2.yml -------------------------------------------------------------------------------- /customers/customer.yml.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/customers/customer.yml.template -------------------------------------------------------------------------------- /docker-entrypoint.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/docker-entrypoint.sh -------------------------------------------------------------------------------- /images/analytics_pth_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/analytics_pth_v1.png -------------------------------------------------------------------------------- /images/atc_analytics_dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/atc_analytics_dashboard.png -------------------------------------------------------------------------------- /images/atc_scheme_v2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/atc_scheme_v2.jpg -------------------------------------------------------------------------------- /images/cu_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/cu_confluence_v1.png -------------------------------------------------------------------------------- /images/cu_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/cu_markdown_v1.png -------------------------------------------------------------------------------- /images/cu_yaml_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/cu_yaml_v1.png -------------------------------------------------------------------------------- /images/dashboard_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dashboard_v1.png -------------------------------------------------------------------------------- /images/dashboard_yaml_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dashboard_yaml_v1.png -------------------------------------------------------------------------------- /images/dataneeded_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dataneeded_v1.png -------------------------------------------------------------------------------- /images/dn_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dn_confluence_v1.png -------------------------------------------------------------------------------- /images/dn_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dn_markdown_v1.png -------------------------------------------------------------------------------- /images/dr_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dr_confluence_v1.png -------------------------------------------------------------------------------- /images/dr_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/dr_markdown_v1.png -------------------------------------------------------------------------------- /images/en_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/en_confluence_v1.png -------------------------------------------------------------------------------- /images/en_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/en_markdown_v1.png -------------------------------------------------------------------------------- /images/en_yaml_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/en_yaml_v1.png -------------------------------------------------------------------------------- /images/loggingpolicy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/loggingpolicy.png -------------------------------------------------------------------------------- /images/logo_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/logo_v1.png -------------------------------------------------------------------------------- /images/lp_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/lp_confluence_v1.png -------------------------------------------------------------------------------- /images/lp_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/lp_markdown_v1.png -------------------------------------------------------------------------------- /images/navigator_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/navigator_v1.png -------------------------------------------------------------------------------- /images/pivoting_hash_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/pivoting_hash_v1.png -------------------------------------------------------------------------------- /images/pivoting_parent_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/pivoting_parent_v1.png -------------------------------------------------------------------------------- /images/ra_confluence_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/ra_confluence_v3.png -------------------------------------------------------------------------------- /images/ra_markdown_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/ra_markdown_v3.png -------------------------------------------------------------------------------- /images/ra_yaml_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/ra_yaml_v3.png -------------------------------------------------------------------------------- /images/rp_confluence_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/rp_confluence_v3.png -------------------------------------------------------------------------------- /images/rp_markdown_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/rp_markdown_v3.png -------------------------------------------------------------------------------- /images/rp_yaml_v3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/rp_yaml_v3.png -------------------------------------------------------------------------------- /images/sigma_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/sigma_rule.png -------------------------------------------------------------------------------- /images/tg_markdown_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/tg_markdown_v1.png -------------------------------------------------------------------------------- /images/thehive_case_task_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/thehive_case_task_v1.png -------------------------------------------------------------------------------- /images/thehive_case_template_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/thehive_case_template_v1.png -------------------------------------------------------------------------------- /images/trigger.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/trigger.png -------------------------------------------------------------------------------- /images/trigger_confluence_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/trigger_confluence_v1.png -------------------------------------------------------------------------------- /images/visualisation_yaml_v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/images/visualisation_yaml_v1.png -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/main.py -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/mkdocs.yml -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/requirements.txt -------------------------------------------------------------------------------- /run_tests.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/run_tests.sh -------------------------------------------------------------------------------- /scripts/amitt_mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/amitt_mapping.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/DEVELOPMENT_README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/DEVELOPMENT_README.md -------------------------------------------------------------------------------- /scripts/atc_visualizations/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/README.md -------------------------------------------------------------------------------- /scripts/atc_visualizations/TODO.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/TODO.md -------------------------------------------------------------------------------- /scripts/atc_visualizations/aggs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/aggs.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/base.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/base.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/dashboard.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/dashboard.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/kibana_api.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/kibana_api.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/metrics.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/metrics.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/params.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/params.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/visualisation.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/visualisation.py -------------------------------------------------------------------------------- /scripts/atc_visualizations/yaml_handler.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atc_visualizations/yaml_handler.py -------------------------------------------------------------------------------- /scripts/atcutils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/atcutils.py -------------------------------------------------------------------------------- /scripts/attack_mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/attack_mapping.py -------------------------------------------------------------------------------- /scripts/attack_navigator_export.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/attack_navigator_export.py -------------------------------------------------------------------------------- /scripts/attack_navigator_per_customer_export.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/attack_navigator_per_customer_export.py -------------------------------------------------------------------------------- /scripts/config.default.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/config.default.yml -------------------------------------------------------------------------------- /scripts/customer.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/customer.py -------------------------------------------------------------------------------- /scripts/detectionrule.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/detectionrule.py -------------------------------------------------------------------------------- /scripts/es_index_export.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/es_index_export.py -------------------------------------------------------------------------------- /scripts/hardeningpolicy.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/hardeningpolicy.py -------------------------------------------------------------------------------- /scripts/init_confluence.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/init_confluence.py -------------------------------------------------------------------------------- /scripts/init_markdown.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/init_markdown.py -------------------------------------------------------------------------------- /scripts/mitigationpolicy.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/mitigationpolicy.py -------------------------------------------------------------------------------- /scripts/mitigationsystem.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/mitigationsystem.py -------------------------------------------------------------------------------- /scripts/populateconfluence.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/populateconfluence.py -------------------------------------------------------------------------------- /scripts/populatemarkdown.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/populatemarkdown.py -------------------------------------------------------------------------------- /scripts/sigma_mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/sigma_mapping.py -------------------------------------------------------------------------------- /scripts/templates/confluence_alert_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_alert_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_customer_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_customer_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_hardeningpolicies_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_hardeningpolicies_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_mitigationpolicies_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_mitigationpolicies_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_mitigationsystems_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_mitigationsystems_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_trigger_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_trigger_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/confluence_usecase_template.html.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/confluence_usecase_template.html.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_alert_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_alert_template.md.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_customer_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_customer_template.md.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_hardeningpolicies_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_hardeningpolicies_template.md.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_mitigationpolicies_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_mitigationpolicies_template.md.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_mitigationsystems_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_mitigationsystems_template.md.j2 -------------------------------------------------------------------------------- /scripts/templates/markdown_usecase_template.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/templates/markdown_usecase_template.md.j2 -------------------------------------------------------------------------------- /scripts/triggers.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/triggers.py -------------------------------------------------------------------------------- /scripts/update_amitt_mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/update_amitt_mapping.py -------------------------------------------------------------------------------- /scripts/update_attack_mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/update_attack_mapping.py -------------------------------------------------------------------------------- /scripts/usecases.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/scripts/usecases.py -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/conftest.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/tests/conftest.py -------------------------------------------------------------------------------- /tests/test_syntax.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/tests/test_syntax.py -------------------------------------------------------------------------------- /use_cases/UC_0001_TESTUSECASE.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/use_cases/UC_0001_TESTUSECASE.yml -------------------------------------------------------------------------------- /use_cases/UC_0002_INITIALACCESS.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/use_cases/UC_0002_INITIALACCESS.yml -------------------------------------------------------------------------------- /visualizations/dashboards/examples/test_dashboard_document.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/dashboards/examples/test_dashboard_document.yml -------------------------------------------------------------------------------- /visualizations/dashboards/os_hunting_dashboard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/dashboards/os_hunting_dashboard.yml -------------------------------------------------------------------------------- /visualizations/visualizations/examples/metric.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/examples/metric.yml -------------------------------------------------------------------------------- /visualizations/visualizations/examples/pie.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/examples/pie.yml -------------------------------------------------------------------------------- /visualizations/visualizations/examples/saved_search.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/examples/saved_search.yml -------------------------------------------------------------------------------- /visualizations/visualizations/examples/vert_bar.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/examples/vert_bar.yml -------------------------------------------------------------------------------- /visualizations/visualizations/fileshares_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/fileshares_operations.yml -------------------------------------------------------------------------------- /visualizations/visualizations/local_file_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/local_file_operations.yml -------------------------------------------------------------------------------- /visualizations/visualizations/logon_activities.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/logon_activities.yml -------------------------------------------------------------------------------- /visualizations/visualizations/pipe_events.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/pipe_events.yml -------------------------------------------------------------------------------- /visualizations/visualizations/powershell_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/powershell_activity.yml -------------------------------------------------------------------------------- /visualizations/visualizations/process_activities.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/process_activities.yml -------------------------------------------------------------------------------- /visualizations/visualizations/process_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/process_execution.yml -------------------------------------------------------------------------------- /visualizations/visualizations/rdp_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/rdp_activity.yml -------------------------------------------------------------------------------- /visualizations/visualizations/registry_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/registry_operations.yml -------------------------------------------------------------------------------- /visualizations/visualizations/services_and_drivers_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/services_and_drivers_operations.yml -------------------------------------------------------------------------------- /visualizations/visualizations/tasks_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/tasks_operations.yml -------------------------------------------------------------------------------- /visualizations/visualizations/wmi_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atc-project/atomic-threat-coverage/HEAD/visualizations/visualizations/wmi_activity.yml --------------------------------------------------------------------------------